Skip to content
AI Security Wire

Published

- 6 min read

By

UK AISI Finds Universal Jailbreaks in GPT-5.6 Within Hours

img of UK AISI Finds Universal Jailbreaks in GPT-5.6 Within Hours

The finding that didn’t trigger export controls

When Anthropic’s Fable 5 model was flagged in June for a jailbreak enabling meaningful cyberattack uplift, the US government moved quickly. Export controls were applied within days. The incident was treated as a threshold event.

GPT-5.6 Sol got different treatment.

According to OpenAI’s own System Card, published alongside Sol’s July deployment, UK AISI red teamers found universal jailbreaks enabling agentic vulnerability discovery and exploit development. “In all rounds thus far, UK AISI identified universal jailbreaks in the cyber domain,” the card states in section 9.4.6, “including jailbreaks that allowed for long-form agentic task completion in domains like vulnerability discovery and exploit development. These jailbreaks were often developed within hours.”

That word, universal, carries specific weight in safety evaluation. It distinguishes attacks that work across a broad class of harmful requests from narrow jailbreaks that only unlock one specific output type. Finding a universal cyber-domain jailbreak within hours is not a minor footnote.

No export controls followed.

What AISI actually tested

AISI’s evaluation framework for frontier cyber capabilities uses a set of benchmarks that have become standard across UK pre-deployment evaluations. For GPT-5.6, two are particularly significant.

The first is a CTF expert benchmark, measuring whether the model can complete capture-the-flag challenges at the level of a human cybersecurity professional. GPT-5.6 Sol scored 95.0% (plus or minus 9.8%). GPT-5.5 scored 85.0% (plus or minus 11.6%). That’s a ten-point jump between consecutive model generations.

The second is more alarming: “The Last Ones,” a 32-step corporate network attack simulation that requires planning, tool use, and sequential reasoning across an extended agentic session. GPT-5.5 completed 2 out of 10 attempts when jailbroken. GPT-5.6 Sol completed 7 out of 10.

Moving from 2/10 to 7/10 on a full-chain intrusion simulation is not incremental. It’s a qualitative shift in what the model can do when its safety controls are bypassed.

Grey-box conditions matter

AISI red teamers operated under grey-box access during the evaluation. They had visibility into the chain-of-thought output of GPT-5.6’s safety reasoning monitor, the exact wording of the safety policies the model was trained to enforce, and real-time classifier feedback indicating whether a given prompt would be blocked before submission.

This is the right way to test a model under contract. External attackers don’t get this access.

But it also means the jailbreaks found during AISI evaluation may require more effort to reproduce outside the pre-deployment window. When Xander Davies, AISI’s red team lead, posted on X on July 9 confirming the findings, he was explicit about this: the grey-box conditions enabled faster jailbreak development than would be typical in the wild.

For the April 2026 AISI evaluation of GPT-5.5, the shortest time to find a universal jailbreak was six hours of expert red-teaming. Sol, with its stronger capabilities, apparently narrowed that window further, not widened it.

The comparison with Fable 5

The regulatory asymmetry is hard to ignore.

On June 12, 2026, US export controls were applied to Anthropic’s Fable 5 following AISI evaluation of a jailbreak enabling meaningful cyberattack uplift. The controls were lifted three weeks later, on July 1, after Anthropic addressed the specific findings. But the precedent was clear: a jailbreak in AISI evaluation translates to regulatory action.

GPT-5.6 Sol’s AISI evaluation showed universal jailbreaks, a characterisation that is by definition broader than what triggered action against Fable 5. A Fortune investigation on July 10 flagged the apparent double standard directly, noting that neither the UK government nor CISA had commented on why the same evaluation framework produced different regulatory outcomes.

One plausible explanation: the Fable 5 jailbreak was rated as providing meaningful uplift to attackers who lack existing expertise. The Sol jailbreaks may have been characterised differently on the uplift dimension, even if the universality finding sounds more severe. AISI’s uplift taxonomy distinguishes between jailbreaks that make capable attackers more efficient and jailbreaks that enable attackers who couldn’t otherwise succeed. The latter threshold drives the stronger response.

OpenAI’s System Card does not clarify which category AISI assigned the Sol jailbreaks to. AISI has not published a standalone evaluation report for GPT-5.6 comparable to its GPT-5.5 blog post from April 30.

OpenAI’s internal red-teaming context

The System Card provides context on what OpenAI found before AISI got access. OpenAI ran more than 700,000 A100e GPU hours of automated red-teaming on GPT-5.6 before deployment. The best internal automated jailbreak achieved an 83% success rate on a cyber-harm test suite before mitigations were applied. After mitigations, that rate dropped substantially.

AISI’s human red team then found universal jailbreaks anyway.

This is not unusual. Automated red-teaming and human creative adversarial testing are finding different things. The automated approaches are good at systematically probing known attack patterns at scale. Expert human red teamers with grey-box access find things automated systems miss, particularly jailbreaks that require reasoning about the model’s own safety reasoning process.

The gap between internal automated red team results and external human findings is itself a signal: the mitigations that look robust in automated evaluation don’t hold against targeted expert attack.

What this means for pre-deployment evaluation

The AISI framework is doing something genuinely valuable. Having an independent third party with grey-box access find jailbreaks before deployment is better than finding them after. The findings are disclosed to the developer in time to affect the deployment decision.

Two structural problems remain.

First: the timeline pressure. Models are evaluated in compressed windows because the commercial incentive to deploy is immediate. Finding a universal jailbreak “within hours” is significant partly because it happened despite the clock pressure. Under a more adversarial deployment posture, with longer access and more red teamers, what else would surface?

Second: the public record. AISI’s GPT-5.5 evaluation produced a published blog post with findings. GPT-5.6 appears in OpenAI’s System Card but not in a standalone AISI evaluation document. The information is available, but the accountability mechanism (an independent public evaluation from the safety institute, not a vendor-authored card) is absent. Regulatory action based on these findings is harder to evaluate without that independent record.

The underlying capability trajectory is clear from the numbers. Expert-level CTF performance jumping from 85% to 95%. Full-chain attack simulation completion jumping from 2/10 to 7/10. Universal jailbreaks found within hours of evaluation access.

Whether the governance framework is moving at matching speed is a different question.

References

Frequently Asked Questions

What is a universal jailbreak in the context of AI cyber capabilities?
A universal jailbreak bypasses a model's safety training across a broad range of harmful request types, rather than working on a narrow category. In the AISI evaluations of GPT-5.6, universal jailbreaks enabled the model to complete long-form agentic tasks in domains like vulnerability discovery and exploit development that its safety controls were specifically designed to prevent.
What access did AISI red teamers have during the GPT-5.6 evaluation?
AISI red teamers operated under grey-box conditions: they had access to the chain-of-thought output of GPT-5.6's safety reasoning monitor, the exact wording of the model's safety policies, and real-time feedback from the classifier determining whether a given output would be blocked. This is considerably more than attackers outside a pre-deployment window would have, which affects how the findings translate to real-world risk.
How does GPT-5.6 Sol's performance on CTF benchmarks compare to its predecessor?
GPT-5.6 Sol achieved a 95.0% pass rate on the expert-level CTF benchmark, compared to 85.0% for GPT-5.5. On 'The Last Ones' (a 32-step full-chain corporate network attack simulation), Sol completed 7 out of 10 attempts versus 2 out of 10 for GPT-5.5. The capability jump is substantial.