ChatGPT’s Autonomous Web Browsing Now Live: Enhancing AI Capabilities

Architecture, Training Data, and Framing Methods: What OpenAI Shares About the ChatGPT Agent

OpenAI remains notably discreet about the underlying architecture, training datasets, and the specific framing techniques used in their ChatGPT agent. Much of the technical setup remains opaque, with the primary known fact being that this new agent falls within the same family as the “o3” model. The latest updates suggest that the model is now actively deployed in production environments. Specifically, it is rolling out progressively across ChatGPT Pro, Plus, and Team plans. The Enterprise and Education editions are expected to follow in the upcoming weeks. Presently, the European Union is not included in this deployment, indicating some regional limitations or ongoing negotiations.

Access to this new agent involves two straightforward methods: selecting it via the Tools menu or entering “/agent” into the prompt area. This functionality is compatible across the web version of ChatGPT, as well as on mobile apps (iOS and Android) and desktop clients for Windows and Mac.

Core Components: Operator and Deep Research

In this new iteration, ChatGPT “thinks and acts,” as OpenAI puts it. The system integrates both deep research capabilities and a prototype of autonomous web navigation technology that has been under development since January under the brand name Operator. Operator provides three modes for content access: a visual browser, a text-based browser, and an API connection.

OpenAI has added a terminal interface within this system for executing code, performing data analysis, and generating various files, including spreadsheets and slide decks. Additionally, there is a form of Retrieval-Augmented Generation (RAG) facilitated through “ChatGPT connectors.” Currently available in beta, these connectors offer read-only access to third-party applications for three main use cases:

  • Inline search results with source links
  • Deep research operations
  • Synchronization and indexing, initially limited to Google Drive within Google Workspace

Plans for Pro, Team, Enterprise, and Education packages include the ability to develop connectors that use the MCP protocol, enhancing integration possibilities.

Resistance to Prompt Injection and Performance Evaluation

Despite the absence of detailed technical disclosures, the safety and security aspects are thoroughly addressed through a dedicated “system card.” When subjected to standard tests designed to ensure the model does not respond to content against OpenAI’s policies, the results reveal:

  • Performance close to o3 in resisting jailbreak attempts
  • Higher hallucination rates on SimpleQA and PersonQA benchmarks
  • Slightly fewer unintended outputs when given undesirable text and image inputs
  • Similar accuracy on ambiguous questions, but significantly less on clarified prompts—largely due to an overly cautious stance, with the agent refusing to answer even if authorized and equipped with relevant information

Various product-specific mitigation techniques aim to minimize prompt injection risks. In OpenAI’s summary of the observed outcomes, the ChatGPT agent demonstrates:

  • Almost foolproof resistance to irrelevant or malicious prompts, such as data exfiltration attempts via web pages
  • Superior performance compared to o3 in several red team scenarios
  • Slightly reduced effectiveness against prompts that attempt to extract data already available within the conversation context
  • Marked decline in success when prompts require the agent to actively search for data to exfiltrate

Supervision Modes and Risk Management

Currently, ChatGPT’s memory functions are disabled for the agent so that memory cannot be used as a channel for data exfiltration. OpenAI indicates that this policy could be revisited in the future. Network access is also restricted: for now, the system can only issue GET requests, used to download images or certain datasets, including some government datasets.

An additional risk mitigation method is the introduction of a “supervision mode.” This mode activates when the agent is using the visual browser in sensitive contexts—such as working with banking or email accounts. During this mode, the user must actively monitor the task; the process halts if they become inactive or leave the conversation.

Beyond supervision, ChatGPT is programmed to seek confirmation before executing actions that could impact the real world, like making purchases, reservations, sending emails, or submitting forms.

Some tasks are outright forbidden, especially those involving financial transactions (e.g., placing bets, transferring money), invasive privacy actions, or handling sensitive personal data in high-stakes decisions (housing, employment, credit). Yet, in practice, the agent does not always outperform o3 in these scenarios either.
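The layered controls described in this section (GET-only network egress, confirmation before real-world actions, categories that are always refused, and a watch mode that halts when the user goes inactive) can be modelled as one policy gate whose rule order matters: a hard denial must be checked before a confirmation prompt, so that user approval can never unlock a forbidden action. The following is an added illustration, not OpenAI’s code; the action categories, the sensitive-domain list, the tool names and the inactivity threshold are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # proceed without interaction
    CONFIRM = "confirm"  # pause and ask the user to approve
    WATCH = "watch"      # proceed only while the user actively watches
    HALT = "halt"        # stop: user inactive during a watched task
    DENY = "deny"        # never performed, regardless of confirmation


# Assumed category labels mirroring the controls described in the article.
FORBIDDEN = {"financial_transfer", "betting", "high_stakes_personal_data"}
NEEDS_CONFIRMATION = {"purchase", "reservation", "send_email", "submit_form"}
# Assumed (constructed) domains that trigger supervision mode.
SENSITIVE_DOMAINS = ("bank.example", "mail.example")
INACTIVITY_LIMIT_S = 120  # assumed threshold before a watched task halts


@dataclass
class Action:
    tool: str      # assumed names: "visual_browser", "text_browser", "api", "terminal"
    method: str    # HTTP method the tool wants to issue
    host: str
    category: str  # assumed semantic label supplied by the planner
    seconds_since_user_active: int = 0


def evaluate(action: Action) -> Decision:
    """Return the gate decision for one proposed agent action."""
    # 1. Hard denials come first so that no later rule can override them.
    if action.category in FORBIDDEN:
        return Decision.DENY
    # 2. Direct network egress from the sandbox is limited to GET requests.
    if action.tool in ("api", "terminal") and action.method.upper() != "GET":
        return Decision.DENY
    # 3. Actions with real-world effect pause for explicit confirmation.
    if action.category in NEEDS_CONFIRMATION:
        return Decision.CONFIRM
    # 4. Visual browsing on sensitive sites requires an attentive user.
    if action.tool == "visual_browser" and action.host.endswith(SENSITIVE_DOMAINS):
        if action.seconds_since_user_active > INACTIVITY_LIMIT_S:
            return Decision.HALT
        return Decision.WATCH
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample actions exercising each branch of the gate.
    for a in (Action("api", "GET", "data.example", "fetch"),
              Action("api", "POST", "data.example", "fetch"),
              Action("visual_browser", "POST", "shop.example", "purchase"),
              Action("visual_browser", "GET", "bank.example", "read_balance", 30),
              Action("visual_browser", "GET", "bank.example", "read_balance", 300),
              Action("visual_browser", "POST", "bank.example", "financial_transfer")):
        print(a.tool, a.method, a.host, a.category, "->", evaluate(a).value)
```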

Gaining Control: Intervention and Monitoring Features

The ChatGPT agent can request additional information to ensure that its tasks remain aligned with user objectives. Users can intervene at any time—by clarifying instructions, requesting progress summaries, redirecting tasks, or terminating the process. It is also possible to take control of the internal web browser, with a settings option to clear history and log out of all sessions.

OpenAI reports results across eight benchmarks:

  • Humanity’s Last Exam (general knowledge)
  • FrontierMath (mathematical problem-solving)
  • An internal test reflecting knowledge worker tasks
  • DSBench (data science)
  • SpreadsheetBench (modifying spreadsheets)
  • An internal test role-playing as an investment bank analyst
  • WebArena (web navigation)
  • BrowseIt (finding hard-to-locate information online)

Given its capabilities, the ChatGPT agent has been flagged as a potential generator of chemical and biological risks, although OpenAI admits there is no irrefutable evidence confirming such dangers. A bug bounty program has been launched to identify prompts—possibly a universal prompt—that could induce responses to ten sensitive questions in this domain.

Usage Limits: 40 to 400 Messages Per Month

The premium Pro plan allows for up to 400 messages per month involving the ChatGPT agent. On other plans, such as the basic subscription, users are allocated 40 messages, and 30 credits are available for ChatGPT Team plans, with additional usage billed on a pay-as-you-go basis.

Only messages that actively advance the agent’s tasks—such as initiating a task, querying the agent, or responding to a complex question—are counted. Clarification steps, confirmation prompts, and authentication interactions generally do not consume message credits.

OpenAI emphasizes that document generation features, like creating presentations, are still in beta. Currently, the outputs may appear basic, especially when starting from scratch. Moreover, editing existing presentations or using them as templates is not yet supported, unlike spreadsheet editing capabilities.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.