OpenAI Admits a Core AI Security Flaw Is 'Unlikely to Ever Be Fully Solved'
OpenAI concedes that prompt injection, a core AI security flaw, is 'unlikely to ever be fully solved.' We analyze their new defense—an AI-powered attacker—and the expert consensus on the risks of agentic AI.
OpenAI has conceded that one of the most critical vulnerabilities in modern AI systems, known as <keyword>prompt injection</keyword>, is a risk that’s not going away anytime soon. In a Monday blog post, the company stated that these attacks—which manipulate AI agents into following malicious instructions hidden in web pages or emails—are "unlikely to ever be fully ‘solved,’” comparing them to the persistent nature of scams and social engineering. This admission raises urgent questions about how safely autonomous AI agents can truly operate on the open web.
A Widely Recognized, Unsolvable Problem
OpenAI isn't alone in this grim assessment. The U.K.’s National Cyber Security Centre (NCSC) warned earlier this month that <keyword>prompt injection</keyword> attacks "may never be totally mitigated." The government agency advised cyber professionals to focus on reducing the risk and impact rather than thinking the attacks can be "stopped." For its part, OpenAI views the issue as a "long-term AI security challenge," acknowledging that its "agent mode" in <keyword>ChatGPT Atlas</keyword> significantly "expands the security threat surface."
Fighting AI with AI: The Automated Attacker
The company’s answer to this Sisyphean task is to build its own highly advanced hacker: an "LLM-based automated attacker." This bot, trained using reinforcement learning, is designed to proactively discover novel attack strategies before they are exploited in the wild. According to OpenAI, this automated attacker has already uncovered sophisticated, long-horizon attack methods that were missed by human red teaming campaigns.
Its key advantage is its insider access. The bot can see the target AI’s internal reasoning, allowing it to rapidly test an attack, study the response, tweak the exploit, and try again. While rivals like Google and Anthropic also emphasize layered defenses and continuous testing, OpenAI's internal AI attacker represents a more aggressive, self-testing approach to hardening its systems.
Expert Reality Check: Does the Value Justify the Risk?
Despite these efforts, security experts remain cautious. Rami McCarthy, principal security researcher at Wiz, told TechCrunch that the risk in AI systems can be understood as "autonomy multiplied by access." Agentic browsers like <keyword>ChatGPT Atlas</keyword> are in a particularly dangerous position, combining moderate autonomy with extremely high access to sensitive data like emails and payment information.
"For most everyday use cases, agentic browsers don’t yet deliver enough value to justify their current risk profile," McCarthy said, suggesting the trade-offs are still very real. OpenAI itself recommends users constrain their agents by giving them specific instructions and requiring user confirmation before sending messages or making payments—an implicit acknowledgment of the current limitations.
This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.
Related Articles
Cerebras Systems has refiled for an IPO targeting mid-May, backed by a $23B valuation, a reported $10B OpenAI deal, and an AWS partnership. What does this mean for Nvidia's dominance and the AI chip landscape?
After two months of bitter conflict, Anthropic and the Trump administration may be thawing—thanks to a new cybersecurity AI model. What does it mean when principle meets political pressure?
A disgruntled security researcher published working exploit code for three unpatched Windows Defender vulnerabilities. Hackers weaponized it within days. Here's what it means for everyone running Windows.
OpenAI's $852B valuation is drawing skepticism from its own backers as Anthropic's ARR tripled in three months. The secondary market is already voting with its feet.
Cerebras Systems has refiled for an IPO targeting mid-May, backed by a $23B valuation, a reported $10B OpenAI deal, and an AWS partnership. What does this mean for Nvidia's dominance and the AI chip landscape?
After two months of bitter conflict, Anthropic and the Trump administration may be thawing—thanks to a new cybersecurity AI model. What does it mean when principle meets political pressure?
A disgruntled security researcher published working exploit code for three unpatched Windows Defender vulnerabilities. Hackers weaponized it within days. Here's what it means for everyone running Windows.
OpenAI's $852B valuation is drawing skepticism from its own backers as Anthropic's ARR tripled in three months. The secondary market is already voting with its feet.
Thoughts
Share your thoughts on this article
Sign in to join the conversation