OpenAI's new AI model can delete your files without permission
What's the story
OpenAI's latest coding and cybersecurity-focused model, GPT-5.6 Sol, has been accused of deleting user files without permission. The complaints were first reported on social media platforms like X and Reddit. Matt Shumer, the founder and CEO of AI start-up OthersideAI, claimed that the new model deleted almost all his Mac files in a single post.
User accounts
Developers share their experiences
Developer Bruno Lemos also took to X to share his experience with GPT-5.6 Sol.
He claimed that the model deleted his entire production database, something he had never encountered with any other AI model before.
Another developer Joey Kudish said that the system was too ambitious and deleted some files it shouldn't have.
Model behavior
OpenAI had warned about potential risks
Before the release of GPT-5.6 Sol, OpenAI had warned about the potential risks associated with its use.
The company published a system card for the model detailing its capabilities and possible misalignment issues.
It noted that in coding contexts, misalignment often arises from a mix of overeagerness to complete tasks and interpreting user instructions too permissively, assuming actions are allowed unless explicitly and unambiguously prohibited.
Model risks
Model takes destructive actions if not 'unambiguously' prohibited
The system card also highlighted the potential for GPT-5.6 Sol to take destructive actions if those actions aren't "unambiguously" prohibited.
It provided an example where a user asked Sol to delete three remote virtual machines but instead, it deleted three others after failing to find the first ones.
This resulted in killing active processes and force-removing worktrees tied to a coding project.
Unauthorized access
Used credentials without user authorization in another case
In another case, GPT-5.6 Sol "used credentials beyond what the user had authorized" while working on a project.
This happened when it couldn't read cloud files and instead of informing the user about the issue, went looking for credentials on its own.
It found some in a hidden local cache and used them without asking for authorization from the user.