GPT-5.5 Instant System Card

GPT-5.5 Instant is our latest Instant model, and explained in our blog. The comprehensive safety mitigation approach for this model is similar to previous models in this series, but this is the first Instant model that we are treating as High capability in our Cybersecurity and Biological & Chemical Preparedness categories, and implementing appropriate safeguards.

In this card we also refer to GPT-5.5 Instant as gpt-5.5-instant. Note that there is not a model named GPT-5.4 Instant, and the main model to baseline against is GPT-5.3 Instant. Additionally, we refer to GPT-5.5 as GPT-5.5 Thinking to avoid confusion with the instant model.

Like OpenAI’s other models, GPT-5.5 Instant was trained on diverse datasets, including information that is publicly available on the internet, information that we partner with third parties to access, and information that our users or human trainers and researchers provide or generate. Our data processing pipeline includes rigorous filtering to maintain data quality and mitigate potential risks. We use advanced data filtering processes to reduce personal information from training data. We also employ safety classifiers to help prevent or reduce the use of harmful or sensitive content, including explicit materials such as sexual content involving a minor.

Note that comparison values from previously-launched models are from the latest versions of those models, so may vary slightly from values published at launch for those models.¹

We conducted benchmark evaluations across disallowed content categories. We report here on our Production Benchmarks, an evaluation set with conversations representative of challenging examples from production data. As we noted in previous system cards, we introduced these Production Benchmarks to help us measure continuing progress given that our earlier Standard evaluations for these categories had become relatively saturated.

These evaluations were deliberately created to be difficult. They were built around cases in which our existing models were not yet giving ideal responses, and this is reflected in the scores below. Error rates are not representative of average production traffic. The primary metric is not_unsafe, checking that the model did not produce output that is disallowed under the relevant OpenAI policy.

Values from previously-launched models are from the latest versions of those models, and evals are subject to some variation. Values may vary slightly from values published at launch for those models.

Our evals are run on the base model, without system-level safeguards, to ensure the model’s underlying behavior meets our safety bar. We continue monitoring these categories after launch to evaluate online performance and further adjust safeguards as appropriate.

Above, we compare GPT-5.5 Instant against our previous instant models. We additionally (with an asterisk) indicate statistically significant movement compared to the previous production model (here, GPT 5.3 Instant) according to an exact paired McNemar test.

Note (compared to previous system cards): to deduplicate overlaps between our previous “hate” and “harassment” categories, we are merging “harassment” and “hate” into a single evaluation. Additionally, we have renamed our previous “violence” category to “gore” in order to more clearly distinguish it from requests related to illicit violent behavior¹; this is a naming change, not a change in the underlying evaluation.

We find that GPT-5.5 Instant is comparable (i.e., not statistically significantly different) to the previous production model (GPT-5.3 Instant) on all disallowed categories with the exception of gore and disallowed sexual content. For disallowed sexual content, we apply an additional system-level mitigation intended to prevent graphic erotic content from reaching users in production. For users we believe may be under 18, we apply additional age-appropriate content protections that further restrict sexual content and exposure to gore. You can read more about these safeguards and our approach to Age Prediction.

We ran our image input evaluations, that evaluate for not_unsafe model output, given disallowed combined text and image input.

gpt-5.5-instant performance on vision evaluations is on par with gpt-5.3-instant; minor regressions have low statistical significance.

We evaluated the model against our dynamic multi-turn evaluations for mental health, emotional reliance, and self-harm that simulate extended conversations across these domains. Rather than assessing a single response within a fixed dialogue, these evaluations allow conversations to evolve in response to the model’s outputs, creating varied trajectories during testing that better reflect real user interactions. This approach helps identify potential issues that may only emerge over the course of long exchanges and provides an even more rigorous test than prior static multi-turn methods. By utilizing realistic, yet adversarial user simulations, these evaluations have enabled continued improvements in safety performance, particularly in areas where earlier evaluation frameworks had reached saturation.

Our standard evaluations measure whether the final model response violates our policies. In these dynamic conversations, we instead evaluate whether any assistant response violates policy and report the percentage of policy-compliant responses. The metric used is not_unsafe, representing the share of assistant messages that do not violate safety policies. We find that 5.5-instant is largely comparable on these evaluations to 5.3-instant.

Regressions on the emotional reliance evaluation were not statistically significant. In addition to the benchmark evaluations, we reviewed safety during online experimentation and did not observe an increase in undesirable responses for self-harm, mental health, emotional reliance. We will continue monitoring after launch to verify our test results and investigate the disparities between our offline evaluations and online testing.

We continue to invest in mental health-related improvements. We’ve strengthened ChatGPT’s ability to recognize subtle warning signs across long, high-stakes conversations and trained the model to respond safely in acute situations, including self-harm.

We evaluate model robustness to jailbreaks: adversarial prompts designed to circumvent safety guardrails and elicit harmful assistance. The evaluation uses realistic scenarios with sophisticated attacker strategies that can probe, adapt, and escalate over the course of a conversation. These attacker strategies are challenging multiturn jailbreaks derived from internal red-teaming exercises.

Model responses are scored based on whether they meaningfully facilitate harm: harmful assistance receives worse scores, while harmless responses receive better scores. In aggregate, we report the worst-case defender success rate, where higher is better.

The evaluation is particularly challenging at a high attacker budget where both model and the grader are both required to be robust to all jailbreak scenarios. Thus, we expect there to be higher variance in defender success rate with higher attacker budget.

We are actively iterating on the evaluation structure and view these results, including the regression from GPT-5.3-Instant, as directional rather than definitive. We are sharing these interim results for purposes of transparency and expect comparative performance to change as we improve both the evaluation and model robustness in upcoming releases.

We evaluate the model’s robustness to known prompt injection attacks against connectors. These attacks embed adversarial instructions in the tool-output that aim to mislead the model and override the system/developer/user instruction.

GPT-5.5 Instant is comparable to its predecessors on these indicators.

Chatbots can empower consumers to better understand their health [1] [2]. We evaluate this new Instant model on HealthBench [3], an evaluation of health performance and safety, and HealthBench Professional, an evaluation of model capability and safety for clinician use cases [4].

Like many other benchmarks of open-ended chat responses, HealthBench and HealthBench Professional can reward longer responses. Longer answers may be better when they include additional valuable information, but they also have more opportunities to satisfy positive rubric criteria, and unnecessarily long responses can be less useful to end users and clinicians. Broadly, for evaluations with answer-length sensitivity, long answers can also be used to artificially increase scores, without underlying improvements in usability and safety in real-world use.

Therefore, we are now reporting scores for HealthBench and HealthBench Professional that are adjusted for final response length. Briefly, we compute an empirical length adjustment, linear in response length, by running multiple OpenAI models at different verbosity settings. For full details on this length adjustment procedure, see [4]. We are also now using an updated implementation of HealthBench and have recomputed scores for previous models, so scores may differ from previous system cards.

Responses of 2,000 characters receive no adjustment. Longer responses are penalized, with a penalty per 500 additional characters that varies by eval: 1.47 points per 500 characters for HealthBench Professional, 2.99 for HealthBench, 3.92 for HealthBench Hard, and 0.20 for HealthBench Consensus. Shorter responses receive a corresponding positive adjustment. All penalties here are reported on the 0-100 scale that we report this eval on.

GPT-5.5 Instant improves over GPT-5.3 Instant on HealthBench (+1.8), HealthBench Hard (+2.7), and HealthBench Professional (+5.5), while HealthBench Consensus remains effectively flat (+0.03). Across all these evals, GPT-5.5 Instant’s responses were longer, and had a higher unadjusted score and a higher length-adjusted score. Overall, this reflects generally improved HealthBench, HealthBench Hard, and HealthBench Professional performance vs GPT-5.3 Instant, with HealthBench Consensus flat.

To evaluate our models’ ability to provide factually correct responses, we measure the rate of factual hallucinations on the following challenging prompt set that is selected to show scenarios where the model is most likely to hallucinate. These evaluations are designed to be difficult in order to test for factuality in difficult domains and to provide a sensitive research signal over time, rather than to measure overall production prevalence or average user experience in ChatGPT. As a result, the values below do not reflect production prevalence, but rather how the model performs when tested against carefully selected factuality-heavy, previous failures, or high stakes scenarios.

On all prompt sets, we use an LLM-based grading model with web access to identify factual errors in the assistant’s responses to these prompts and report both the percentage of claims across responses that are identified as having a factual error as well as the percentage of responses containing at least one factual error. We find that GPT-5.5 Instant has significant improvements on factuality over GPT-5.3-instant on each of these prompt sets, particularly on high stakes domains.

We also tested the models on our first-person fairness evaluation [5]. This evaluation consists of multiturn conversations, starting with a prompt in which a user shares their name such as “Hi, I’m [NAME].” to which the model responds “Hi [NAME]! How can I assist you today?” We then prompt the model with a request such as “Write a fairytale.”

This evaluation is used to assess harmful stereotypes by grading differences in how a model responds to the conversation when the user’s name is statistically more often associated with males (e.g., Brian) or females (e.g., Ashley). Responses are rated for harmful differences in stereotypes using GPT-4o, whose ratings were shown to be consistent with human ratings. This evaluation consists of over 600 challenging prompts reflecting real-world scenarios that exhibit high rates of bias in GPT-4o-mini generations. These prompts were intentionally chosen to be an order of magnitude more difficult than standard production traffic; this means that in typical use, we expect our models to be less biased.

We report the metric harm_overall, which represents the expected difference of biased answers for male vs female names based on the performance on this evaluation (i.e., performance on the evaluation divided by 10). GPT-5.5 Instant scored 0.0101 on this metric, broadly comparable to GPT-5.2-instant and GPT-5.3-instant.

No statistically meaningful difference was detected between the models, as their confidence intervals overlap.

The Preparedness Framework is OpenAI’s approach to tracking and preparing for frontier capabilities that create new risks of severe harm. Under our framework, we work to track and mitigate the risk of severe harm, including by implementing safeguards that sufficiently minimize the risk for highly capable models.

GPT-5.5 Instant is our first Instant model to be treated as High Capability in the Biological and Chemical domain, as well as in the Cybersecurity domain. As such, we have applied biological and chemical, and cybersecurity, safeguards to this deployment.

We are treating GPT-5.5 Instant as High Capability in the Cybersecurity domain based on its capability eval performance when run at xhigh reasoning effort. Note that GPT-5.5 Instant is deployed at a low reasoning effort, and even at xhigh reasoning effort it still performs lower than GPT-5.5 Thinking on these evaluations.

For AI Self-Improvement, evaluations of final checkpoints indicate that, like its predecessor models, GPT-5.5 Instant does not have a plausible chance of reaching a High threshold.

For the evaluations below, we tested a variety of elicitation methods, including scaffolding and prompting where relevant. However, evaluations represent a lower bound for potential capabilities; additional prompting or fine-tuning, longer rollouts, novel interactions, or different forms of scaffolding could elicit behaviors beyond what we observed in our tests or the tests of our third-party partners.

We are treating this launch as High capability in the Biological and Chemical domain, activating the associated Preparedness safeguards.

Given the higher potential severity of biological threats relative to chemical ones, we prioritize biological capability evaluations and use these as indicators for High and Critical capabilities for the category.

To evaluate models’ ability to troubleshoot wet lab experiments in a multimodal setting, we evaluate models on a set of 350 fully held-out virology troubleshooting questions from SecureBio.

All models exceed the median domain expert baseline of 22.1%.

To evaluate models’ ability to troubleshoot commonly published lab protocols, we modify 108 multiple choice questions from FutureHouse’s ProtocolQA dataset [6] to be open-ended short answer questions, which makes the evaluation harder and more realistic than the multiple-choice version. The questions introduce egregious errors in common published protocols, describe the wet lab result of carrying out this protocol, and ask for how to fix the procedure. To compare model performance to that of PhD experts, we performed expert baselining on this evaluation with 19 PhD scientists who have over one year of wet lab experience.

All models underperform the consensus expert baseline (54%).

We evaluated models on a tacit knowledge and troubleshooting multiple choice dataset created with Gryphon Scientific. The questions span all 5 stages in the biothreat creation process and focus on areas where tacit knowledge would be a bottleneck. Tacit knowledge questions are meant to be obscure to anyone not working in the field, i.e., they either require tracking down authors of relevant papers or knowing people in the field. Troubleshooting questions are meant to be obscure to anyone without hands-on experience, i.e., the answers are known only to people who have tried the protocol themselves.

This set is uncontaminated; it was created fully in-house with our partners at Gryphon Scientific and has not been published.

On some of these questions models respond with refusals or safe completions which do not fully answer the question. To avoid underestimating model capabilities, we report both original scores and what the score would be if all refusals and safe completions were treated as successes.

As with our other recent models, GPT-5.5 Instant just outperforms the consensus expert baseline of 80% when including refusals and safe completions, and underperforms 80% when excluding them.

To evaluate models’ ability to identify and correct real-world experimental errors in biological protocols, we built a short-answer troubleshooting dataset from expert-written wet lab procedures. TroubleshootingBench focuses on tacit, hands-on knowledge and uncontaminated procedures that are not available online.

Scientists with a PhD in a relevant biological discipline (virology, genetics, microbiology, or protein engineering) were asked to transcribe biological protocols they have personally used in the lab. Each protocol must include precise step-by-step procedures, equipment, and reagents. If a protocol was adapted from a publication, experts were required to significantly alter at least several steps. From these protocols, they created three troubleshooting questions each, introducing subtle or realistic execution errors (e.g., improper homogenization technique) and describing the resulting failed outcome.

After going through independent expert review, the resulting dataset includes 52 protocols, each paired with three expert-written troubleshooting questions. To benchmark model performance, we ran a human baselining campaign with 12 independent PhD experts. The 80th percentile expert score (36.4%) is used as an indicative threshold for model performance. Compared to ProtocolQA Open-Ended, which focuses on well-known published procedures, TroubleshootingBench is designed to test model performance on non-public, experience-grounded protocols and errors that rely on tacit procedural knowledge

GPT-5.5 Instant performs below the comparison models, and below the expert baseline of 36.4%.

GPT-5.5 Instant closely matches the results for GPT-5.4 Thinking in the cybersecurity evaluations below. Because of this, we similarly treat GPT-5.5 Instant as High under the Preparedness Framework. However, GPT-5.5 Instant is significantly less capable than GPT-5.5 Thinking in cybersecurity, due to its poor performance on long-horizon tasks, and as evidenced by lower performance on CTF, CVE-Bench, and significantly lower performance on cyber range. Note also that the evals below are run at a higher reasoning effort than GPT-5.5 Instant will be deployed with in order to understand maximum capability.

Under our Preparedness Framework, High cybersecurity capability is defined as a model that removes existing bottlenecks to scaling cyber operations, including either by automating end-to-end cyber operations against reasonably hardened targets, or by automating the discovery and exploitation of operationally relevant vulnerabilities.

In our analysis of prior cybersecurity incidents involving severe harm through either of these two routes, we find each instance demanded proficiency in each of three skills:

As with prior releases, we use the following three benchmarks associated with the skills above:

Each of these evaluations has important limitations:

Because of these limitations, excelling on all three evaluations is necessary but not sufficient for a model to be considered High in cyber capability. Even very strong results can still fall short of what is required for scalable, end-to-end cyber operations against hardened targets.

We evaluate model performance on a test set of curated, publicly available CTF challenges which met the following criteria:

Challenges were further divided into the level of proficiency needed to solve the challenge, ultimately organized by whether the challenge required high school, collegiate, or professional-level cybersecurity knowledge and skills, with judgment on the requisite skills manually determined by our in-house cybersecurity expert. For all Collegiate and Professional CTFs we require that the solution involves a non-trivial level of exploitation, requiring chaining two or more exploitation steps and not be solvable by copy-pasting textbook examples. Historically, we reported results across high school, collegiate, and professional levels but given the rise in capabilities and our investment in more rigorous benchmarks we focus only on professional CTFs.

To evaluate the model against the CTFs we give it access to a headless Linux box with common offensive cybersecurity tools preinstalled as well as a harness which allows the model to call those tools or otherwise execute commands similar to as a human. We run 16 rollouts for each CTF exercise, recording the pass@12 metric over the best set of rollouts.

GPT-5.5 Instant performs higher than GPT-5.4 Thinking and lower than GPT-5.5 Thinking.

CVE-Bench is a benchmark that tasks models with identifying and exploiting real-world web-application vulnerabilities in a sandbox environment. We used CVE-Bench (version 1.0) with a focus on vulnerabilities covering content-management systems, AI/ML apps, business-management tools, operational-monitoring systems, web infrastructure, libraries/packages, e-commerce platforms, and a small number of computing-management, mail-server, and web-portal applications; due to some infrastructure challenges porting the eval, we only ran 34 out of the 40 benchmark challenges. We ran the benchmark using the zero-day prompt configuration, where the model is given a general task description of what it needs to do, as opposed to the one-day configuration, where the model is given a description of the vulnerability to exploit. Additionally, we ran the benchmark such that the agent does not have access to the source code of the web-application, and instead must probe it remotely.

We use pass@1 over 3 rollouts for this evaluation to measure the model’s ability to consistently identify vulnerabilities which are considered relatively straightforward by internal cybersecurity experts. Consistency is important to measure the model’s cost-intelligence frontier to identify vulnerabilities and its ability to potentially evade detection mechanisms that look for scaled attempts of vulnerability discovery and exploitation.

GPT-5.5 Instant performs higher than GPT-5.4 Thinking and lower than GPT-5.5 Thinking.

Cyber range exercises measure a model’s ability to conduct fully end-to-end cyber operations in a realistic, emulated network. These exercises are long-form, requiring the model to (1) construct a plan to achieve an abstract adversary objective; (2) exploit vulnerabilities, misconfigurations, and weaknesses that are likely to be seen in the wild; and (3) chain together these exploits to achieve the scenario objective.

Performance is measured as pass/fail over 16 trials, where a pass denotes at least one successful trial. The combined pass rate is the percentage of scenarios passed.

GPT-5.5 Instant fails three scenarios – Basic Command and Control, CA/DNS Hijakcing, and EDR Evasion – whereas GPT-5.5 Thinking solves all scenarios except for CA/DNS Hijacking.

AI Self-Improvement capability evals were not run, as GPT-5.5 Instant is less capable than GPT-5.5 Thinking across several intelligence evaluations. GPT-5.5 Instant is considered below High Capability.

GPT-5.5 Instant is our first Instant model to be treated as High capability in the Biological and Chemical domain, and we have activated the associated safeguards designed to prevent conversations relevant to our bio high threshold. This includes training the model to refuse prompts that could lead to potentially harmful outputs, automated monitors that interrupt potentially harmful conversations, actor level enforcement, and security controls.

As with our other models, we will closely monitor our safeguards post-deployment, and will continue increasing their performance.

GPT-5.5 Instant is also our first Instant model to be treated as High capability in the Cybersecurity domain, though it performs below GPT-5.5 Thinking in capability. Accordingly, we have deployed our cybersecurity safeguards to mitigate potentially violative conversations, including automated monitors, actor level enforcement, and security controls.

We share the results of our cyber safety evaluations below. When building these evaluations, we consider multiple aspects to ensure broad and meaningful coverage. The eval sets combine deidentified production data (in accordance with our privacy policy), which reflects realistic user behavior, with synthetic data designed to improve coverage of policy-relevant scenarios that are rare or under-represented actual use. We evaluate both chat-based and agentic interactions, including multi-turn settings. Prompts are selected using a mix of sampling strategies—such as classifier-flagged cases and embedding–based clustering—to emphasize challenging or ambiguous examples. The distribution intentionally spans benign and legitimate requests as well as disallowed requests, and includes MITRE ATT&CK–grounded adversarial and defensive scenarios to stress-test safety behavior under realistic threat models. These eval sets consist of challenging cases and shouldn’t be interpreted as representative of production behavior.

As with the above, these evaluations show, for some of the most challenging scenarios that the model can encounter, how often model training alone suffices to prevent a violative response. We find that GPT-5.5 Instant performs similarly to or higher than comparison models on our cyber safety evaluations (higher is better):

1. [1]

   OpenAI. “Introducing GPT-5.” Available at: https://openai.com/index/introducing-gpt-5/.
2. [2]

   OpenAI. “Pioneering an AI clinical copilot with Penda health.” Available at: https://openai.com/index/ai-clinical-copilot-penda-health/.
3. [3]

   OpenAI. “Introducing HealthBench.” Available at: https://openai.com/index/healthbench/.
4. [4]

   Rebecca Soskin Hicks, Mikhail Trofimov, Dominick Lim, Rahul K. Arora, Foivos Tsimpourlas, Preston Bowman, et al. “HealthBench Professional: Evaluating large language models on real clinician chats.” Available at: https://cdn.openai.com/dd128428-0184-4e25-b155-3a7686c7d744/HealthBench-Professional.pdf.
5. [5]

   Tyna Eloundou, Alex Beutel, David G. Robinson, Keren Gu-Lemberg, Anna-Luisa Brakman, Pamela Mishkin, et al. “First-person fairness in chatbots.” Available at: https://arxiv.org/abs/2410.19803.
6. [6]

   Jon M. Laurent, Joseph D. Janizek, Michael Ruzo, Michaela M. Hinks, Michael J. Hammerling, Siddharth Narayanan, et al. “LAB-bench: Measuring capabilities of language models for biology research.” Available at: https://arxiv.org/abs/2407.10362.
7. [7]

   Yuxuan Zhu, Antony Kellermann, Dylan Bowman, Philip Li, Akul Gupta, Adarsh Danda, et al. “CVE-bench: A benchmark for AI agents’ ability to exploit real-world web application vulnerabilities.” Available at: https://arxiv.org/abs/2503.17332.