OpenAI grants European Commission access to GPT‑5.5‑Cyber for cybersecurity testing

Cybersecurity models are becoming a weird new diplomatic object. They are useful enough that governments want access, but risky enough that labs do not want to hand them around casually. That tension is what changed on Monday, May 11: OpenAI said it would let the European Commission get access to GPT‑5.5‑Cyber, while Anthropic still has not offered Brussels comparable access to Mythos. ### What is GPT‑5.5‑Cyber? It is OpenAI’s more permissive cyber model — basically a version of GPT‑5.5 tuned for legitimate security work that normal consumer models often refuse to help with. OpenAI says approved users can use it for vulnerability identification, malware analysis, reverse engineering, detection engineering, and patch validation, while the system is still supposed to block clearly malicious requests like credential theft, stealth, persistence, and third-party exploitation. (money.usnews.com) ### Who is actually getting access? Not the whole EU, and not the public. OpenAI said access in Europe would go to vetted partners including businesses, governments, cyber authorities, and EU institutions such as the EU AI Office. The Commission’s interest is narrower still — it wants enough access to watch deployment closely and probe security concerns itself instead of relying only on what the company says about the model. (openai.com) ### Why does Brussels care so much? Because “trust us” is not much of a regulatory strategy when the model in question can help find serious software flaws. The Commission has been trying to move from paper oversight to something more hands-on. Thomas Regnier, speaking for the Commission, said OpenAI had proactively offered access, and he framed that as a real difference from Anthropic, where talks are still happening but have not yet produced a similar opening. (cnbc.com) ### Why is Anthropic the comparison point? Because Anthropic’s Mythos set off this exact debate first. Mythos was released about a month earlier and drew attention because of how capable it looked on advanced cyber tasks, but access stayed tightly controlled. Europe ended up in the awkward position of trying to regulate frontier AI while still depending on the companies themselves to decide who gets in the room. (money.usnews.com) ### How capable are these models now? Capable enough that the argument is no longer theoretical. The UK AI Security Institute said GPT‑5.5 was the second model it had tested that could complete one of its end-to-end cyber attack simulations, and on its expert task suite GPT‑5.5 scored 71.4% versus 68.6% for Mythos Preview. That does not mean either model is an autonomous superhacker. But it does mean frontier labs are now shipping systems that can materially help with high-end security work. (cnbc.com) ### So is OpenAI just being transparent? Yes — but also strategic. OpenAI rolled GPT‑5.5‑Cyber out through its Trusted Access for Cyber program, which already uses identity checks and tighter account-security rules. Giving Brussels a lane into that system costs the company some secrecy, but it also buys goodwill with regulators at a moment when Europe is sharpening scrutiny of powerful AI services, including ChatGPT under the Digital Services Act. (aisi.gov.uk) ### What is the catch? The catch is that this is still voluntary. The EU is discovering that practical oversight of frontier models may depend less on formal legal power than on whether a company decides cooperation is in its interest. OpenAI is saying yes, at least here. Anthropic is not saying yes yet. That gap matters because it hints at a club model of AI governance — the labs that open the door get treated as workable partners, and the ones that do not face more pressure. (openai.com) ### Bottom line? This is not just a product-access story. It is a test of whether regulators can inspect dangerous-capability models directly before those models become too important to govern from the outside. On May 11, OpenAI moved one step closer to that world in Europe. Anthropic did not. (money.usnews.com)