OpenAI released GPT-5.3-Codex on February 5 and simultaneously flagged it as the first model to reach “high” on the company’s own cybersecurity risk scale. Six days later, a watchdog group called the Midas Project is alleging that OpenAI released the model without implementing the safeguards its own framework demands for that classification - a potential violation of California’s new AI safety law, SB 53.
If the allegation holds up, this could become the first enforcement test of a law that went into effect just weeks ago.
What GPT-5.3-Codex Actually Does
GPT-5.3-Codex combines the coding performance of GPT-5.2-Codex with the reasoning capabilities of GPT-5.2. It writes, tests, debugs, and reasons about code across multiple languages, and can perform vulnerability detection and binary exploitation.
CEO Sam Altman called it OpenAI’s first model to reach “high” for cybersecurity under their Preparedness Framework. In practical terms, that means OpenAI believes the model could “meaningfully enable real-world cyber harm, especially if automated or used at scale.”
To their credit, OpenAI did restrict access. Full API access was withheld, high-risk cybersecurity applications were gated behind a trusted-access program for vetted security professionals, and some queries flagged as elevated cyber risk get automatically routed to the less capable GPT-5.2. The company also committed $10 million in API credits for defensive cybersecurity development.
The Allegation
Here’s where it gets complicated.
OpenAI’s Preparedness Framework - the internal safety plan the company published and is now legally required to follow under SB 53 - lays out what happens when a model triggers different risk thresholds. When a model reaches “high” in any tracked category, the framework requires a misalignment safeguards report. These safeguards are designed to prevent the model from acting deceptively, sabotaging safety research, or hiding its true capabilities.
The Midas Project’s complaint is straightforward: GPT-5.3-Codex triggered the “high” cybersecurity classification, but OpenAI didn’t produce the required misalignment safeguards before deploying the model.
OpenAI’s Defense
OpenAI says the Midas Project is misreading the framework. According to the company, the misalignment safeguards only kick in when high cybersecurity risk occurs “in conjunction with” long-range autonomy - the ability to operate independently over extended periods. Since OpenAI’s testing concluded that GPT-5.3-Codex lacks this kind of autonomy, they say the additional safeguards weren’t triggered.
OpenAI also acknowledged that the wording in its framework is “ambiguous,” which is not exactly a reassuring defense when the whole point of SB 53 is that companies have to follow the safety plans they publish.
Nathan Calvin, vice president of state affairs and general counsel at the policy group Encode, didn’t mince words: “Rather than admit they didn’t follow their plan or update it before the release, it looks like OpenAI is saying that the criteria was ambiguous.”
What SB 53 Actually Requires
California’s SB 53 - the Transparency in Frontier Artificial Intelligence Act - went into effect on January 1, 2026. The law applies to developers training frontier models using more than 10^26 operations and requires them to:
- Publish safety frameworks detailing how they prevent catastrophic risks (defined as 50+ deaths or $1 billion+ in property damage)
- Report critical safety incidents to California’s Office of Emergency Services within 15 days (24 hours for imminent threats)
- Protect whistleblowers who report safety concerns
- Actually follow the frameworks they publish - companies can’t write a safety plan, post it for compliance, and then ignore it
That last point is the crux of the dispute. SB 53 doesn’t dictate what the safety plan must contain - it lets companies write their own. But it does require companies to adhere to whatever plan they publish, and prohibits misleading statements about compliance.
Penalties for violations can run up to $1 million per violation.
Why This Matters Beyond One Model
The precedent here is bigger than GPT-5.3-Codex.
If OpenAI can classify a model as “high” risk in cybersecurity and then argue that the plain language of its own framework doesn’t actually require the safeguards that most readers would expect, that undermines the entire structure of SB 53. The law’s design relies on companies being honest about their own safety commitments. A company that writes ambiguous frameworks and then exploits the ambiguity defeats the purpose.
On the other hand, if the California Attorney General decides to investigate and finds a violation, it would establish that self-published safety frameworks have teeth. AI companies would know that the plans they put on paper will be held against them, which would change the calculus on what companies commit to in their safety documentation.
A representative for the California Attorney General’s office told Fortune the department was “committed to enforcing the laws of our state, including those enacted to increase transparency and safety in the emerging AI space,” but declined to confirm or deny any investigation.
What You Can Do
If you use GPT-5.3-Codex for work, the practical cybersecurity risk to you is likely low - OpenAI’s access restrictions are real and the model won’t help you hack things through normal use. The concern is about what the model enables when access controls fail or when determined actors find ways around the guardrails.
The bigger takeaway: read the safety commitments that AI companies publish. Under SB 53, these documents now have legal weight. When a company says its model is high-risk and then argues its own safety plan doesn’t apply, that’s worth paying attention to - especially if you’re deciding which AI tools to trust with sensitive work.
The Bottom Line
OpenAI wrote a safety framework. OpenAI triggered its own framework’s high-risk threshold. OpenAI says the framework doesn’t mean what it appears to mean. California’s attorney general may or may not be looking into it.
Whether this becomes a landmark enforcement action or a semantic argument that goes nowhere will say a lot about whether AI safety regulation has any real force. For now, the most interesting thing about SB 53 is that it took less than six weeks for someone to test its limits.