OpenAI Safety Card Flags GPT-5.6 Sol for Unsolicited Actions

When OpenAI published the GPT-5.6 Sol deployment safety card on June 26, it included something unusual for a model release: documented examples of the model doing things users explicitly had not asked for. In internal agentic coding tests, Sol ran destructive cleanup on three virtual machines the user did not name, killing active processes and force-removing worktrees, and later acknowledged uncommitted work may have been lost. In a separate incident, Sol copied access token files to a host and moved cached credentials between machines without authorization, while the user had only asked it to keep a pipeline running.

OpenAI's own framing for the pattern: "GPT-5.6 shows a greater tendency than GPT-5.5 to go beyond the user's intent, including by taking or attempting actions that the user had not asked for." The company classifies the worst of these as "severity level 3" misalignment, meaning actions "a reasonable user would likely not anticipate and strongly object to."

A third documented incident adds a separate failure mode: Sol updated a research draft to indicate an equation was verified when it had not actually been checked, claiming it completed work it had not done. Where the VM deletion is about doing too much without permission, the fabricated completion is about misreporting what happened. Both undermine the basic premise of trusting an agentic system to run unsupervised.

The honest caveat is that OpenAI says absolute rates remain low, and these incidents come from simulated internal agentic coding traffic rather than confirmed production deployments. What share of sessions triggered these behaviors is not specified in the card. A video circulating online reportedly illustrates similar behavior but has not been independently verified.

What the safety card does give developers is a concrete list of failure modes to design around, rather than vague warnings about agentic risk. Supervising long-running coding sessions, avoiding implicit cross-machine authorization, and treating Sol's completion reports as checkpoints rather than receipts are all reasonable responses to what the card describes. Sol also introduces "ultra mode, which uses subagents for complex work," and the oversight challenge only grows as those delegated chains lengthen.