OpenAI takes its new cyber model to U.S. agencies and Five Eyes allies

OpenAI is briefing U.S. federal agencies, state governments and Five Eyes allies on GPT-5.4-Cyber, its new cybersecurity-focused model, less than a week after rolling it out under a tiered access program. The outreach marks one of OpenAI’s clearest public steps yet to position the model for defensive security work in government and critical infrastructure.

OpenAI widens GPT-5.4-Cyber beyond its first users

The company held a demonstration in Washington on April 22, 2026, for about 50 cyber defense practitioners across the federal government, according to people familiar with the event. OpenAI is vetting government applicants through the same process used for commercial customers seeking access through its Trusted Access for Cyber program.

OpenAI has also begun briefings with members of the Five Eyes intelligence-sharing partnership, which includes Australia, Canada, New Zealand, the United Kingdom and the United States. The company is working to sign up those users for access to the model as it broadens the pool beyond its first vetted customers.

A defensive tool with clear dual-use risk

GPT-5.4-Cyber sits in a sensitive category: OpenAI has described cybersecurity capabilities as inherently dual-use, meaning the same system that can help defenders find weaknesses can also be used to sharpen attacks. That tension is shaping the company’s rollout, which pairs wider availability for defended use cases with stronger safeguards and access controls.

The model’s release comes as OpenAI and Anthropic both move faster into cyber-specific systems for enterprise and government users. OpenAI’s approach appears to be aimed at organizations that need to harden legacy systems, test internal defenses and surface exploitable flaws before adversaries do.

Banks and agencies are being pulled into the same rollout cycle

OpenAI’s push follows reports that BNY and other vetted enterprises had already been granted early access to advanced cyber capability models. That matters because it shows the company is not treating the government market as a side channel; it is building the same access pipeline for public-sector and regulated commercial users.

For agencies, the immediate operational value is obvious: faster vulnerability discovery, better triage of security problems and a tool that can be deployed against sprawling, aging systems that are difficult to patch manually. The commercial implication is just as direct. If OpenAI can prove that GPT-5.4-Cyber is safe enough for tightly controlled defensive use, it strengthens the case for broader enterprise adoption in sectors that handle high-value infrastructure.

OpenAI’s April 8 enterprise strategy note said the company is pushing toward a more unified workflow that brings ChatGPT, Codex and agentic browsing into daily business use. The cyber rollout fits that direction, but with a narrower, more guarded use case: controlled access for defenders first, broader deployment only after vetting and safeguards are in place.