Canada gains GPT‑5.5‑Cyber access

OpenAI’s decision to give Canada’s Communications Security Establishment access to GPT-5.5-Cyber adds a government intelligence agency to the small group testing the company’s most cyber-permissive model. The Globe and Mail reported on May 14, citing sources, that the arrangement will let CSE assess risks in systems tied to critical infrastructure. OpenAI said on May 7 that GPT-5.5-Cyber was entering limited preview for defenders responsible for securing critical infrastructure. CSE, Canada’s national cryptologic agency, says it is responsible for cyber security, foreign signals intelligence and foreign cyber operations. ### Why does CSE’s access stand out? The Globe and Mail reported that CSE will use GPT-5.5-Cyber to assess risks in systems tied to critical infrastructure, making Canada’s signals-intelligence and cyber agency an early state user of the model. The report described the move as access for oversight and evaluation rather than a general public rollout. CSE says on its website that it is Canada’s “national cryptologic agency” and that its Canadian Centre for Cyber Security serves as the federal government’s operational and technical lead on cyber security. (theglobeandmail.com) That mandate gives the agency a role in assessing how advanced models could affect the security of essential networks and software. ### What exactly is GPT-5.5-Cyber? OpenAI said on May 7 that GPT-5.5-Cyber is being rolled out in limited preview to defenders responsible for securing critical infrastructure for “specialized cybersecurity workflows.” The company said the model is designed to be more permissive on authorized security tasks than the standard GPT-5.5 model, while still blocking requests tied to credential theft, stealth, persistence, malware deployment or exploitation of third-party systems. (theglobeandmail.com) (cse-cst.gc.ca) CNBC reported on May 7 that OpenAI described the cyber-specific version as not a major jump in raw cyber capability, but as a model trained to reduce refusals on legitimate security work such as vulnerability identification, patch validation and malware analysis. OpenAI’s own post says approved defenders can use it for workflows including vulnerability triage, reverse engineering and detection engineering. ### Why are governments interested in these models now? (openai.com) OpenAI said in an April 14 post that it was scaling its Trusted Access for Cyber program to thousands of verified defenders and hundreds of teams responsible for defending critical software. On May 7, the company said GPT-5.5-Cyber was aimed at a smaller set of partners studying advanced workflows where specialized access behavior may matter. OpenAI also said in a December 2025 policy post that cyber capabilities in its models had been advancing rapidly, and that it was planning for new models as though each could reach “High” levels of cybersecurity capability under its Preparedness Framework. (cnbc.com) That framing helps explain why governments and critical-infrastructure operators want direct testing access rather than relying only on public product descriptions. ### How does this fit with Canada’s recent scrutiny of OpenAI? (openai.com) Canada’s Privacy Commissioner Philippe Dufresne said on May 6 that a joint investigation found the way OpenAI initially trained ChatGPT did not comply with Canadian privacy laws. Dufresne said investigators found overly broad collection of personal information, consent and transparency concerns, and shortcomings around access, correction and deletion. OpenAI agreed to implement further measures after that investigation, according to the commissioner’s statement. (openai.com) The coexistence of regulatory scrutiny and operational access shows that Canadian authorities are dealing with OpenAI on more than one track at once: privacy enforcement on one side and cyber-risk testing through CSE on the other. That is an inference based on the public privacy statement and the Globe and Mail report. ### What happens next in the access program? (priv.gc.ca) June 1, 2026 is the next dated checkpoint in OpenAI’s program. The company said individuals using its most cyber-capable and permissive models through Trusted Access for Cyber will be required to enable Advanced Account Security starting that day. OpenAI said GPT-5.5 and GPT-5.5 Pro became available in the API on April 24, while GPT-5.5-Cyber remains in limited preview for approved defenders. Any further public detail on Canada’s use is likely to come from CSE, OpenAI or additional reporting on how the agency evaluates risks in critical-infrastructure systems. (priv.gc.ca) (openai.com 1) (openai.com 2)