What the Preparedness Framework is
Think of the Preparedness Framework as OpenAI's internal safety checklist — a formal set of rules that every major AI model must pass before it reaches users. The framework asks a pointed question: could this model help someone cause serious, large-scale harm? If the answer is yes beyond a defined threshold, the model either doesn't ship or ships only under tight restrictions.
The framework focuses on specific danger zones rather than vague notions of "AI risk." The main categories it evaluates are:
- CBRN — Chemical, Biological, Radiological, and Nuclear threats (could the model help someone build a weapon of mass destruction?)
- Cybersecurity — could the model meaningfully assist in attacking critical systems?
- Persuasion — could the model be used to manipulate people at scale?
Each category has defined thresholds. Cross one, and the model's release is blocked or heavily restricted.
Why it matters
AI models are getting more capable very quickly. A model that can write code, browse the web, and reason through complex problems is genuinely useful — but the same abilities could, in theory, be misused. The Preparedness Framework is OpenAI's answer to the question: how do we know when a model is too dangerous to release?
It also matters because it's public-facing. Every time OpenAI releases a major model, it now publishes a system card — a document summarizing what the framework found and what safeguards were put in place. This gives researchers, regulators, and curious users a window into safety work that used to happen entirely behind closed doors.
How it works in practice
Before a model launches, it goes through red teaming — where independent experts try to make it do dangerous things — and frontier risk assessments that measure its capabilities against the framework's thresholds. The results feed into a decision about whether and how to release.
OpenAI has also brought in outside expertise for the hardest problems. For biological risks specifically, it partnered with Los Alamos National Laboratory — a national security institution with deep biosecurity expertise — to develop better evaluation methods.
What it looks like in the real world
The framework isn't just a policy document; it has visibly shaped product launches:
- The o1 model (December 2024) came with the first major system card under the framework, covering red teaming and frontier risk results.
- o3-mini and Deep Research followed with their own system cards in early 2025.
- The ChatGPT agent — an AI that can browse the web, run code, and conduct research autonomously — got a full system card in July 2025, reflecting how seriously OpenAI treats agentic products.
- GPT-5.3-Codex (February 2026) became the first model formally classified under a new high-security capability tier, with safety controls described as scaling alongside a phased API rollout.
- GPT-5.5 was placed in the high cybersecurity threat tier by the framework's own internal assessment — a notable case of the framework flagging OpenAI's own flagship model.
The framework keeps evolving
OpenAI published an updated version of the framework in April 2025, reflecting the reality that safety governance has to keep pace with rapidly improving models. The update revised thresholds and protocols across the risk domains — an acknowledgment that what counted as "safe enough" for one generation of models may not be sufficient for the next.
What to watch
The Preparedness Framework is still young and still being tested against increasingly capable models. The key open question is whether its thresholds and evaluations can keep up — and whether the system cards that accompany each release give the public enough information to hold OpenAI accountable. As models grow more powerful, the framework's credibility will depend on whether it ever results in a model being meaningfully restricted, not just disclosed.




