Model Rating Report Logo

GPT-5

GPT‑5 is a unified system with a smart, efficient model that answers most questions, a deeper reasoning model (GPT‑5 thinking) for harder problems, and a real‑time router that quickly decides which to use based on conversation type, complexity, tool needs, and the user's explicit intent.

Developer

OpenAI

Country of Origin

USA

Systemic Risk

Open Data

Open Weight

API Access Only

Ratings

Overall Transparency

52%

Data Transparency

27%

Model Transparency

24%

Evaluation Transparency

74%

EU AI Act Readiness

50%

CAIT-D Readiness

33%

Transparency Assessment

The transparency assessment evaluates how clear and detailed the model creators are about their practices. Our assessment is based on the official documentation lists in Sources above. While external analysis may contain additional details about this system, our goal is to evaluate transparency of the providers themselves.

Basic Details

Date of Release

August 7th, 2025


Methods of Distribution

GPT-5 is available through OpenAI's API or through a web interface as part of ChatGPT.


Modality

GPT-5 can take text and images as input and generate text.


Input and Output Format

The input context window for GPT-5 is 400K tokens with an output limit of 128k tokens.


License

Proprietary


Instructions for Use

OpenAI provides detailed instructions, including various cookbooks, here: https://platform.openai.com/docs/overview.


Documentation Support
Low Transparency

The documentation is easy to access and navigate. It covers the capabilities, evaluations, and mitigations in a lot of detail. Some information is available about training data. However, there is no information available on the architecture and hardware used to train the model.


Changelog

A general changelog is available [here](https://platform.openai.com/docs/changelog).


Policy

Acceptable Use Policy

The OpenAI Usage policies can be found [here](https://openai.com/policies/usage-policies/).


User Data

User data, outside of enterprise accounts, is used to train and improve models. However, users can opt-out of training at any time (see [here](https://help.openai.com/en/articles/7730893-data-controls-faq) for more details).


Data Takedown

Individual users can opt-out of having their data being used for training, and OpenAI has a copyright dispute form: https://openai.com/form/copyright-disputes/


AI Ethics Statement

OpenAI describe their principles in their [OpenAI Charter](https://openai.com/charter/).


Incident Reporting

https://openai.com/policies/coordinated-vulnerability-disclosure-policy/


Model and Training

Task Description
Medium Transparency

Capabilities: GPT-5 is our flagship model for coding, reasoning, and agentic tasks across domains. A [detailed guide](https://platform.openai.com/docs/guides/latest-model) provides multiple examples and specifications for use.
Limitations: GPT-5 can hallucinate (especially on short-form questions) and comply with some requests to generate harmful content.


Number of Parameters

None


Model Design
Unknown

The documentation states that three sizes of the model were trained (-nano, -main and -thinking) and that an additional router model is used to decide which model to activate for a user's input. However, no details about the architecture itself are provided.


Training Methodology
Medium Transparency

Training involved a standard pre-training phase, and a post-training phase that focused on a new "[safe completions](https://openai.com/index/gpt-5-safe-completions/)" methodology that framed safety training in terms of producing safe outputs rather than rejecting unsafe inputs. This method was implemented using explicit examples during the SFT stage and specialized objectives during the RL stage.
Note: Other aspects of the training process are not documented in detail.


Computational Resources

None


Energy Consumption

None


System Architecture

None


Training Hardware

None


Data

Dataset Size

None


Dataset Description
Unknown

The properties pre-training and post-training are not documented.


Data Sources
Low Transparency

The dataset included publicly available on the internet, information from third party partners, and information that users or human trainers and researchers provided or generated.


Data Collection - Human Labor
Unknown

None


Data Preprocessing
Low Transparency

The dataset was preprocessed to maintain data quality and mitigate potential risks. This included advanced data filtering to remove personal information, and the use of OpenAI's Moderation API and safety classifiers to remove harmful or sensitive content, including explicit materials such as sexual content involving a minor.


Data Bias Detection
Unknown

None


Data Deduplication

None


Data Toxic and Hateful Language Handling

Data was filtered using OpenAI's Moderation API and additional safety filters.


IP Handling in Data

None


Data PII Handling

Personal information is reduced from the training data using advanced data filtering processes.


Data Collection Period

The knowledge cut-off is Sep 29, 2024.


Evaluation

Performance Evaluation
Low Transparency

GPT-5 was evaluated on benchmarks related to math, coding, agentic tool use and healthcare. The healthcare evaluation was conducted using a novel [HealthBench](https://openai.com/index/healthbench/) that evaluates how the model responds to realistic healthcare questions.


Evaluation of Limitations
High Transparency

GPT-5 is evaluated for multiple types of limitations.

Hallucinations: Factuality was evaluated using both historic ChatGPT Production data and open-source benchmarks (LongFact, FActScore and SimpleQA) using both Browser Enabled and Disabled settings. gpt-5-thinking hallucinated <5% in most settings, while gpt-5-main hallucinated <10% of the time. However, on SimpleQA both models hallucinated over 40% of the time - showing that the models still struggle with simple facts.

Sycophancy: This behavior was measured by manually evaluating responses to a dataset of real conversations. Scores for both models were over twice as low as for GPT-4o.

Disallowed Content Generation: These benchmarks measured whether the model compiled with requests for disallowed content. The results were mixed: the model complied with around of requests related to the topics: 'harassment/threatening', 'hate/threatening' and 'illicit/non-violent'.

Jailbreak/Prompt Manipulation: While on the StrongReject benchmark the model rejected nearly all attempts, on the more [advanced benchmark](https://arxiv.org/abs/2507.20526) from Gray Swan, the Attack Success Rate was 56%.

Bias/Fairness: This was evaluated using the BBQ benchmark - the model scored similarly to previous models (o3 and 4o) - getting around 90% accuracy. A demographic breakdown of the results was not included.

Additional evaluations related to Image inputs, Deception and Healthcare Safety are discussed in the System Card.


Evaluation with Public Tools

None


Adversarial Testing Procedure
High Transparency

GPT-5 was adversarially tested using both benchmarks, and internal and external red-teaming. External testers included Microsoft, AI Security groups (Gray Swan), research groups (METR and Apollo) and governments (UK AI Security Insititute and U.S. Center on Artificial Intelligence Standards and Innovation).

The results showed that while the model was safer than previous iterations on multiple dimensions, it earned a High Capability in the Biological and Chemical threat domains.

Noteworthy Results:

- Benchmark evaluations measured refusal rates on disallowed content (e.g. hateful content or illicit advice) on single and multi-turn conversations. The model performs nearly perfect on simple scenarios, but has scores between 70-80% on some harder scenarios related to hate, violence and self-harm. OpenAI acknowledged that these areas need further attention.

- The model could be jailbroken under a number of scenarios, but many of these attempts would likely be flagged by the deployed system. However, gpt-5-thinking still had an Attack Success Rate of 56% on one extenral benchmark.

- Developers tested for Instruction Hierarchy concerns: how the model manages system prompts vs developer prompts. The "main" variation showed weaknesses on several scenarios, while the "thinking" variation performed strongly on the whole test; suggesting that developer instructions could override OpenAI's system prompt in some scenarios.

- An expert AI Red Team from Microsoft conducted a number of evaluations on Frontier harms, Content safety and Psychological teams and found gpt-5-thinking to be qualitatively safer than gpt-o3.

Additional results in the system card include studies on the usefulness of the model for violent attack planning and complex cybersecurity attacks.


Model Mitigations
High Transparency

OpenAI has developed a multi-tiered system of mitigations:

GPT-5 was post-trained using a novel "safe completions" technique, which teaches the model to give the most helpful answer where possible, while still maintaining safety boundaries. This approach contrasts previous "refusal-based" training that focused on rejecting unsafe user inputs. The framework involved both directly showing the model "safe responses to ambiguous prompts" during SFT and rewarding "helpful but safe" outputs during the RL stage. Details including results are available in [this paper](https://cdn.openai.com/pdf/be60c07b-6bc2-4f54-bcee-4141e1d6c69a/gpt-5-safe_completions.pdf).

In addition, filtering was used to remove low-quality content from the pre-training data.

Finally, a real-time Moderation API is used to review all inputs and outputs. This includes filters for general unsafe and inappropriate content, and a dedicated system for detecting threats related to biological and chemical weapons.

While these protections may not be sufficient, jailbreaking the model and producing harmful outputs may be challenging, and OpenAI actively monitors for suspicious activity and can ban accounts.