OpenAI expands Trusted Access

OpenAI is widening a gated program for cybersecurity users and reserving its new GPT-5.4-Cyber model for the most vetted defenders. (openai.com) OpenAI said on April 14 that Trusted Access for Cyber will expand to thousands of verified individual defenders and hundreds of teams that protect critical software. The company said GPT-5.4-Cyber is a fine-tuned version of GPT-5.4 built for defensive security work. (openai.com) The new model is available only through the highest tier of Trusted Access for Cyber, which OpenAI says requires identity checks and stronger trust signals. OpenAI said the model is “cyber-permissive,” meaning it lowers refusal barriers for legitimate security tasks and adds capabilities such as binary reverse engineering, or analyzing compiled software without source code. (openai.com; 9to5mac.com) Cybersecurity tools are dual-use: the same model that helps a defender find and patch a flaw can also help an attacker probe for one. OpenAI said its answer is to widen access for verified defenders while keeping automated monitoring, identity verification, and temporary restrictions for suspicious activity. (openai.com; developers.openai.com) That marks a shift from February 5, when OpenAI introduced Trusted Access for Cyber as a pilot tied to GPT-5.3-Codex and paired it with $10 million in application programming interface credits for defensive work. The company now says it is preparing for more capable models “over the next few months” and is scaling the access program ahead of that. (openai.com; openai.com) OpenAI has been tightening cyber safeguards across its model lineup as capabilities rise. In a March 5 system card, the company said GPT-5.4 Thinking was its first general-purpose model with mitigations for what it classifies as “High” cybersecurity capability. (openai.com) The access rules are also getting more formal. OpenAI’s application form for enterprise Trusted Access for Cyber asks applicants to describe planned uses such as penetration testing, red teaming, vulnerability assessment, malware reverse engineering, and cryptographic research, and to list certifications including CREST, International Organization for Standardization 27001, System and Organization Controls 2, Payment Card Industry Data Security Standard, and Federal Risk and Authorization Management Program. (openai.com) The rollout lands as artificial intelligence companies race to offer security-specific models without broadly opening offensive capability. CyberScoop reported that OpenAI’s move follows Anthropic’s Project Glasswing launch by about a week, putting the companies into more direct competition over who gets access to frontier cyber systems. (cyberscoop.com) OpenAI is framing the program around verification rather than industry-by-industry approval. The company said it does not want to “centrally decide who gets to defend themselves,” and is betting that broader vetting can scale faster than case-by-case gatekeeping. (openai.com; cyberscoop.com)