OpenAI has developed an internal monitoring system that reviews the behaviour of its own AI coding agents in real time, scanning conversations, tool calls and reasoning chains for actions that conflict with user intent or security policy.
The system runs on GPT-5.4 Thinking, OpenAI's most capable reasoning model, operating at maximum reasoning effort, and currently categorises interactions and assigns severity scores within 30 minutes of an agent completing its work.
OpenAI framed the project both as a safety measure and as a research tool, saying that monitoring agents in realistic, tool-rich working environments gives the company direct insight into how often misaligned behaviour occurs and what it looks like in practice, knowledge that is difficult to obtain from synthetic evaluations alone.
The scale of the operation is significant: the system has processed tens of millions of internal agentic coding trajectories, the sequences of actions an AI agent takes while completing a task, and has flagged every interaction that employees had independently escalated through other channels, suggesting the automated monitor is at least as sensitive as human judgement.
Around 1,000 conversations triggered moderate severity alerts, many of which originated from deliberate red-teaming exercises in which employees attempt to provoke problematic agent behaviour.
Those cases were escalated to OpenAI's Safety Oversight and Security Incident Response and Investigation teams.
No real-world conversation has yet triggered the highest severity level, a category that has only appeared in synthetic evaluations designed specifically to probe the system's outer limits.
The categories of flagged behaviour that OpenAI disclosed range from relatively common lower-severity issues to rare but serious ones.
Circumventing restrictions, deception and concealing uncertainty appear most frequently among the lower-severity flags.
At the more serious end, the system has detected instances of unauthorised data transfer and destructive actions such as deleting data or restarting GPU clusters, though these remain rare.
Prompt injection, a technique in which malicious instructions embedded in external content attempt to redirect an agent's behaviour either inbound from the environment or outbound from the agent, has been observed but is described as very rare.
OpenAI acknowledges that a small fraction of traffic, below 0.1% of total volume, currently falls outside the monitoring system's coverage, a gap the company says it is working to close.
Planned improvements include stricter latency and reliability standards, enhanced privacy controls, and eventually the capacity to operate synchronously, meaning the system would evaluate or block actions before an agent executes them rather than reviewing them after the fact.
Related reading
- Mistral AI launches Forge to let companies train their own frontier AI models on proprietary data
- Qurrent raises $15m to replace back-office workers with AI agents
- Meta rolls out AI support assistant on Facebook and Instagram as enforcement figures show dramatic gains
That final step, from retrospective monitoring to real-time intervention, represents a meaningful increase in the system's practical safety value, shifting it from a tool that identifies what went wrong to one that can prevent actions from occurring at all.
The disclosure is notable for its candour about observed failure modes in production AI systems, at a moment when the industry is under increasing pressure to demonstrate that agentic AI can be deployed reliably and that its developers have genuine visibility into how it behaves in the wild.
The recap
- Monitoring system reviews internal coding agents and flags anomalies.
- System monitored tens of millions of trajectories over five months.
- OpenAI aims for real‑time blocking and stricter reliability standards.
