OpenAI has launched ChatGPT Agent, an upgrade to its flagship artificial intelligence (AI) model that equips it with a virtual computer and an integrated toolkit.

These new tools allow the agent to carry out complex, multi-step tasks that previous iterations of ChatGPT were incapable of — controlling your computer and completing tasks for you.

This more powerful version, which is still highly dependent on human input and supervision, arrived shortly before Mark Zuckerberg announced that Meta researchers had observed their own AI models showing signs of independent self-improvement. It also arrived shortly before OpenAI launched GPT-5, the latest version of its chatbot.

With ChatGPT Agent, users can now ask the large language model (LLM) to not only perform analysis or gather data, but to act on that data, OpenAI representatives said in a statement.

For instance, you could command the agent to assess your calendar and brief you on upcoming events and reminders, or to study a corpus of data and summarize it in a pithy synopsis or as a slide deck. While a traditional LLM could search for and provide recipes for a Japanese-style breakfast, ChatGPT agent could fully plan and purchase ingredients for the same breakfast for a specific number of guests.

Yet the new model, while highly capable, still faces a number of limitations. Like all AI models, its spatial reasoning is weak, so it struggles with tasks like planning physical routes. It also lacks true persistent memory, processing information in the moment without reliable recall or the ability to reference previous interactions beyond immediate context.

ChatGPT Agent does show significant improvements in OpenAI’s benchmarking, however. On Humanity’s Last Exam, an AI benchmark that evaluates a model’s ability to respond to expert-level questions across a number of disciplines, it more than doubled the accuracy percentage (41.6%) versus OpenAI o3 with no tools equipped (20.3%).

It also performed much better than other OpenAI tools, as well as a version of itself that lacked tools like a browser and virtual computer. In the world’s hardest known math benchmark, FrontierMath, ChatGPT agent and its complement of tools again outperformed previous models by a wide margin.

The agent is built on three pillars derived from previous OpenAI products. The first is ‘Operator’, an agent that would use its own virtual browser to plumb the web for users. The second is ‘deep research’, built to comb through and synthesize large amounts of data. The third is previous versions of ChatGPT itself, which excelled in conversational fluency and presentation.

“In essence, it can autonomously browse the web, generate code, create files, and so on, all under human supervision,” said Kofi Nyarko, a professor at Morgan State University and director of the Data Engineering and Predictive Analytics (DEPA) Research Lab.

Nyarko was quick to emphasize, however, that the new agent is still not autonomous. “Hallucinations, user interface fragility, or misinterpretation can lead to errors. Built-in safeguards, like permission prompts and interruptibility, are essential but not sufficient to eliminate risk entirely.”

The danger of advancing AI

OpenAI has itself acknowledged the danger of the new agent and its increased autonomy. Company representatives stated that ChatGPT agent has “high biological and chemical capabilities,” which they claim potentially allow it to assist in the creation of chemical or biological weapons.

Compared to existing resources, like a chem lab and textbook, an AI agent represents what biosecurity experts call a “capability escalation pathway.” AI can draw on countless resources and synthesize the data in them instantly, merge knowledge across scientific disciplines, provide iterative troubleshooting like an expert mentor, navigate supplier websites, fill out order forms, and even help bypass basic verification checks.

With its virtual computer, the agent can also autonomously interact with files, websites, and online tools in ways that empower it to do much more potential harm if misused. The opportunity for data breaches or data manipulation, as well as for misaligned behavior like financial fraud, is amplified in the event of a prompt injection attack or hijacking.

As Nyarko pointed out, these risks are in addition to those implicit in traditional AI models and LLMs.

“There are broader concerns for AI agents as a whole, like how agents operating autonomously can amplify errors, introduce biases from public data, complicate liability frameworks, and unintentionally foster psychological dependence,” he said.

In response to the new threats that a more agential model poses, OpenAI engineers have also strengthened a number of safeguards, company representatives said in the statement.

These include threat modeling, dual-use refusal training (where a model is taught to refuse harmful requests around data that could have either beneficial or malicious use), bug bounty programs, and expert red-teaming (analyzing weaknesses by attacking the system yourself) focused on biodefense. However, a risk management assessment conducted in July of 2025 by SaferAI, a safety-focused non-profit, called OpenAI’s risk management policies “Weak”, awarding them a score of 33% out of a possible 100%. OpenAI also only scored a C grade on the AI Safety Index compiled by the Future of Life Institute, a leading AI safety firm.
