OpenAI has released the System Card for its Deep Research model—an agentic system based on an early version of o3, specifically designed for deep web research. Unlike standard chatbots, this tool acts more like a full-cycle analyst: it performs multi-step navigation across websites, parses PDFs and images, and autonomously writes and executes Python code for data processing. This transition from passive text generation to "active agency" forced the company to run the system through its Preparedness Framework to ensure an internet-facing model doesn't spiral out of control.
Results from external red-teaming and OpenAI's internal testing show that Deep Research sits at the "Medium" risk threshold across four critical domains:
Cybersecurity Persuasion Autonomy CBRN (Chemical, Biological, Radiological, and Nuclear threats)
Under Sam Altman's protocols, a "Medium" rating is the maximum allowable threshold for public release. Any category scoring a "High" or "Critical" rating would immediately send the project back for remediation.
For business leaders, the primary concern is not a "nuclear" threat, but the model's resilience against prompt injections it might encounter on dubious sites during autonomous searches. Without strict guardrails, such agents can become perfect tools for compromising corporate data via external web pages.
Protective Measures and Business Standards
To minimize risks, OpenAI has restricted code execution to isolated sandboxes and implemented robust PII (Personally Identifiable Information) filters. The system was specifically trained to ignore destructive content that could derail its mission or hijack the research objective. For CTOs and risk managers, these constraints aren't censorship—they represent the new industrial standard for managing "frontier risks."
Key Takeaways
Models are evolving from answering questions to performing autonomous workflows. Controlling whether an agent bypasses corporate security protocols, intentionally or accidentally, is now a critical priority. The era of "wild" AI agents is ending: any enterprise-grade system must now include a clear risk assessment and operate within isolated environments.
Deep Research confirms that autonomous agency has become a regulated feature where safety metrics directly dictate time-to-market. When a model is granted the power to act, your security focus must shift from what it says to what it is actually permitted to do.