\n
![](\"https:\/\/images.ctfassets.net\/jdtwqhzvc2n1\/7hdJbWzLDjzRu2QOtkbDKV\/a3a7d637a3e748ccb3ff4ba06e1ff953\/crimedy7_illustration_of_technological_safety_cones_--ar_169__cf756a3e-79a5-47c3-993d-cdb5f37f28a2_3.png?w=300&q=30\")
<\/p>\n
\n<\/p>\n
Enterprises, eager to ensure any AI models they use adhere to safety and safe-use<\/u> policies, fine-tune LLMs so they do not respond to unwanted queries.\u00a0<\/p>\n
However, much of the safeguarding and red teaming happens before deployment, \u201cbaking in\u201d policies before users fully test the models\u2019 capabilities in production. OpenAI<\/u> believes it can offer a more flexible option for enterprises and encourage more companies to bring in safety policies.\u00a0<\/p>\n
The company has released two open-weight models under research preview that it believes will make enterprises and models more flexible in terms of safeguards. gpt-oss-safeguard-120b and gpt-oss-safeguard-20b will be available on a permissive Apache 2.0 license. The models are fine-tuned versions of OpenAI\u2019s open-source gpt-oss, released in August<\/u>, marking the first release in the oss family since the summer.<\/p>\n
In a blog post<\/u>, OpenAI said oss-safeguard uses reasoning \u201cto directly interpret a developer-provider policy at inference time \u2014 classifying user messages, completions and full chats according to the developer\u2019s needs.\u201d<\/p>\n
The company explained that, since the model uses a chain-of-thought (CoT), developers can get explanations of the model's decisions for review.\u00a0<\/p>\n
\u201cAdditionally, the policy is provided during inference, rather than being trained into the model, so it is easy for developers to iteratively revise policies to increase performance," OpenAI said in its post. "This approach, which we initially developed for internal use, is significantly more flexible than the traditional method of training a classifier to indirectly infer a decision boundary from a large number of labeled examples." <\/p>\n
Developers can download both models from Hugging Face<\/u>.\u00a0<\/p>\nFlexibility versus baking in<\/h2>\n
At the onset, AI models will not know a company\u2019s preferred safety triggers. While model providers do red-team models and platforms<\/u>, these safeguards are intended for broader use. Companies like Microsoft<\/u> and Amazon Web Services<\/u> even offer platforms<\/u> to bring guardrails to AI applications<\/u> and agents.\u00a0<\/p>\n
Enterprises use safety classifiers to help train a model to recognize patterns of good or bad inputs. This helps the models learn which queries they shouldn\u2019t reply to. It also helps ensure that the models do not drift and answer accurately.<\/p>\n
\u201cTraditional classifiers can have high performance, with low latency and operating cost," OpenAI said. "But gathering a sufficient quantity of training examples can be time-consuming and costly, and updating or changing the policy requires re-training the classifier."<\/p>\n
The models takes in two inputs at once before it outputs a conclusion on where the content fails. It takes a policy and the content to classify under its guidelines. OpenAI said the models work best in situations where:\u00a0<\/p>\n
The potential harm is emerging or evolving, and policies need to adapt quickly.<\/p>\n<\/li>\n
The domain is highly nuanced and difficult for smaller classifiers to handle.<\/p>\n<\/li>\n
Developers don\u2019t have enough samples to train a high-quality classifier for each risk on their platform.<\/p>\n<\/li>\n
Latency is less important than producing high-quality, explainable labels.<\/p>\n<\/li>\n<\/ul>\n
The company said gpt-oss-safeguard \u201cis different because its reasoning capabilities allow developers to apply any policy,\u201d even ones they\u2019ve written during inference.\u00a0<\/p>\n
The models are based on OpenAI\u2019s internal tool, the Safety Reasoner, which enables its teams to be more iterative in setting guardrails. They often begin with very strict safety policies, \u201cand use relatively large amounts of compute where needed,\u201d then adjust policies as they move the model through production and risk assessments change.\u00a0<\/p>\n
OpenAI said the gpt-oss-safeguard models outperformed its GPT-5-thinking and the original gpt-oss models on multipolicy accuracy based on benchmark testing. It also ran the models on the ToxicChat public benchmark, where they performed well, although GPT-5-thinking and the Safety Reasoner slightly edged them out.<\/p>\n
But there is concern that this approach could bring a centralization of safety standards.<\/p>\n
\u201cSafety is not a well-defined concept. Any implementation of safety standards will reflect the values and priorities of the organization that creates it, as well as the limits and deficiencies of its models,\u201d said John Thickstun, an assistant professor of computer science at Cornell University. \u201cIf industry as a whole adopts standards developed by OpenAI, we risk institutionalizing one particular perspective on safety and short-circuiting broader investigations into the safety needs for AI deployments across many sectors of society.\u201d<\/p>\n
It should also be noted that OpenAI did not release the base model for the oss family of models, so developers cannot fully iterate on them.\u00a0<\/p>\n
OpenAI, however, is confident that the developer community can help refine gpt-oss-safeguard. It will host a Hackathon on December 8 in San Francisco.\u00a0<\/p>\n