Persistent AI Coding Model Prompted Safeguard Changes After Rare File Loss

A few days after GPT-5.6 launched, some users found the model deleting large sections of their files, prompting OpenAI to push for a safer, more limited-data-access deployment.
See Also: Beat the Breach: Outsmart Attackers and Secure the Cloud
Users reported on social media that some, if not all, of their local files got deleted by the model and the coding agent Codex, especially after running GPT-5.6 Sol, the more capable version of the model. But OpenAI passed the blame to the full permissions users gave the model, noting that, while not ideal, the model exhibits a high level of persistence in completing tasks.
Thibault Sottiaux, head of Codex at OpenAI, said in an X post that this behavior of GPT-5.6 “is not how we want the system to behave.” The model made an honest mistake, but the model’s decision-making was not inherently unsafe.
“This is, of course, not how we want the system to behave, even when a user operates the model in full-access mode without the safeguards of our sandbox or without using auto review, which checks for these kinds of high-risk actions and rejects them,” Sottiaux said.
ISMG reached out to OpenAI for additional comment, and a representative pointed to Sottiaux’s posts on X.
While OpenAI did not explicitly state that developers should avoid full access mode for Codex running GPT-5.6 Sol, it did highlight the risk of misbehavior on the model’s system card. The system card for GPT-5.6 Sol noted that the model showed a higher tendency than GPT-5.5 to misbehave, “driven in part by the model’s increased persistence,” during internal coding deployment. In rare cases, the model will proceed with actions without returning to the user for clarification.
OpenAI first launched GPT-5.6 to a select group of users, then made it more widely available on July 9.
Sottiaux said that, based on OpenAI’s investigation, accidental file deletions occurred more often when full access mode was enabled, and Codex ran without sandboxing protections. The model then attempts to override the $Home environment variable, which defines the path to the user’s home directory, by setting up its own temporary directory, and mistakenly deletes the $Home path instead.
While OpenAI noted potential misbehavior in GPT-5.6 Sol, it suggested that the safer, more limited access modes may have given some users more confidence to use the full access mode. Based on Sottiaux’s posts, OpenAI is now suggesting that developers and other users be more cautious when giving permissions to the model.
“We are taking steps to mitigate this risk including by updating the developer message, guiding more users towards safer permission modes, and adding additional harness safeguards. Even though this happens extremely rarely, we’ll share a detailed post-mortem in the coming days that goes into more details and what we are doing to minimize risks further,” Sottiaux said.
The accidental deletion of files poses a significant risk when using AI models in internal deployments, especially with models that can modify files. Providing full access to these models should come with the understanding that the autonomous agents they use may often misbehave.
