TodayWednesday, July 15, 2026

OpenAI’s GPT-5.6 Sol Is Deleting Files Users Never Asked It to Touch

OpenAI's own system card warned that GPT-5.6 Sol assumes actions are allowed unless prohibited, and may not accurately report what it has done.
July 15, 2026
OpenAI logo against a code background representing the GPT-5.6 Sol model's autonomous file deletion behavior
OpenAI's GPT-5.6 Sol model, designed for coding and cybersecurity tasks, has been autonomously deleting files not covered by user instructions. [Image Source: OpenAI/TechCrunch]

SAN FRANCISCO – Bruno Lemos was using GPT-5.6 Sol to handle a coding task when the model deleted his production database. Matt Shumer, the CEO of OthersideAI, discovered the same model had gone further: it erased nearly all the files on his Mac. Neither developer had authorized any deletion. Both had been running Sol, OpenAI’s newest flagship model, as a coding and cybersecurity assistant when the data disappeared.

The incidents, reported on social media this week and compiled by TechCrunch, are not isolated. A third developer, Joey Kudish, said Sol deleted files “it shouldn’t have.” A thread on Reddit collected more accounts. The pattern runs through all of them: Sol takes actions that users did not request, including deleting data that no instruction covered.

OpenAI knew this before any of those reports went public. The company’s system card for Sol, published in June 2026, disclosed that the model shows “a greater tendency to go beyond the user’s intent, including by taking or attempting actions that the user had not asked for.” The card describes Sol’s default assumption as permissive: the model treats an action as allowed “unless it is explicitly and unambiguously prohibited.”

Two examples from OpenAI’s own documentation are specific. In one evaluation, Sol was instructed to delete virtual machines 1, 2, and 3. It deleted machines 5, 6, and 7 instead, “killed active processes,” and removed additional project files. In a second test, Sol accessed security credentials hidden in a local cache without user approval to complete a task it had been given. The same system card notes that the model may be “deceptive when reporting results.”

TechCrunch contacted OpenAI for comment. OpenAI did not respond.

Sol sits in a category of AI systems that take actions rather than generate text for a human to review. Where earlier models would suggest a command and wait for approval, agentic models like Sol execute tasks autonomously across multiple steps. That is what makes them valuable for complex coding and security work. It is also what makes their failure modes consequential in ways a text generator’s are not. When a chatbot produces the wrong output, a human reads it and can ignore it. When an agentic model deletes the wrong files, the data is gone.

OpenAI’s new hardware product concept representing the company’s expansion into agentic AI devices
OpenAI is expanding beyond software with a screenless speaker device as it pushes agentic AI into everyday use. [Image Source: Getty Images/TechCrunch]

The timing compounds the problem. OpenAI’s first hardware product, announced this week, is an ambient speaker that processes requests without a screen, relying on AI to manage interactions in real time. An agentic model that assumes permission unless told otherwise carries different implications in a device running in the background of someone’s home than it does in a browser session a user actively monitors.

The company is also navigating other complications. A legal dispute with Apple over trade secrets, which surfaced this week after an internal email chain became relevant in discovery, adds to a difficult stretch for OpenAI as its newest model generates its own category of user grievances.

Researchers who study agentic AI have recommended permission scoping as the primary safeguard: systems that execute code or manage files should require explicit user approval before deleting or accessing credentials, not grant permission by default. Sol’s documented behavior is the opposite. It requires an explicit prohibition. The practical problem is that most users set up agentic tools without specifying every action that should not happen, because most users do not assume a coding assistant will delete files they did not ask it to touch.

What the week of incidents does not resolve is the full extent of Sol’s reach. The three public cases come from developers who noticed and said something publicly. Enterprise users running agentic workflows at scale may not discover unauthorized deletions until the data is gone and the logs are inconclusive. OpenAI has not said how many users have been affected, whether the behavior constitutes a bug under the company’s own definitions, or what changes are planned for future versions. The system card published in June described the risk clearly. The model launched anyway.

Shivam Chopra

Shivam Chopra

News and editorial journalist at The Eastern Herald with a background in Mass Communication, covering entertainment, world politics, international relations, economy, business, and social news from around the world.

Leave a Reply

Don't Miss