OpenAI and Microsoft have unveiled new cybersecurity initiatives that point to how the industry is quickly shifting from using GenAI as an assistant to deploying autonomous systems that can identify and respond to emerging cyber threats.
The announcements come as enterprises face increasingly sophisticated AI-enabled attacks, with security vendors warning that autonomous agents are beginning to automate vulnerability discovery, exploitation and ransomware campaigns at machine speed.
For customer experience leaders, the developments have implications beyond IT security. Contact centers, customer service platforms, CRM systems and AI agents increasingly rely on connected enterprise data, making prompt injection, data exfiltration and identity attacks growing operational risks.
OpenAI Uses AI to Attack AI
OpenAI has introduced GPT-Red, an internal automated red-teaming system designed to discover vulnerabilities in AI systems before attackers do.
The GPT-Red model uses self-play reinforcement learning to generate increasingly sophisticated attacks against other language models. As defensive models become stronger, GPT-Red adapts to uncover new weaknesses, creating a continuous improvement cycle for model security.
“GPT‑Red achieves significantly higher attack success rates, finding success on 84% of scenarios compared to 13% for humans,” OpenAI stated.
That type of result is significant for customer experience because prompt injection is not only a chatbot safety issue. As AI agents are connected to software repositories, enterprise applications, customer records and third-party tools, malicious instructions hidden inside otherwise trusted content can influence systems that are capable of taking action.
Vincent Danen, Vice President of Product Security at Red Hat, highlighted that risk in a recent CX Today interview. “In particular when you’re looking at things like prompt injection, other types of malware…I think of an agent working on a Git repo that may have malware in it or some hidden prompts that make it do certain things, you want to be able to constrain what that agent can do using those sandboxes.”
GPT-Red also demonstrated the ability to manipulate a real-world autonomous vending machine agent by reducing product prices, ordering expensive inventory and cancelling customer orders after first refining its attacks in a simulated environment. OpenAI said the identified vulnerabilities have since been disclosed and mitigations are being tested.
The vending machine example illustrates a larger issue for enterprises, as once AI agents are connected to business systems, the risks move from inaccurate responses to unintended actions. Danen said organizations need to understand the surrounding technologies and limit the potential damage when autonomous agents behave unexpectedly.
“Being well versed in those different technologies and keeping abreast of them will ensure your blast radius will be a little bit less if these autonomous agents decide to go off and do things on their own that you didn’t design or want them to do.”
OpenAI has already been using earlier versions of GPT-Red to strengthen successive GPT releases, reporting significant reductions in prompt injection success rates and improvements in resistance to indirect prompt injection attacks.
“After GPT‑Red completed training, we used it to generate prompt injections for the training of GPT‑5.6, resulting in the model becoming highly resistant to GPT‑Red’s attacks,” OpenAI stated. “We keep GPT‑Red separate from the models we deploy. This keeps the malicious capabilities we specifically train into GPT‑Red out of the hands of adversarial actors, while instilling robustness into our production models.”
Rather than becoming a customer-facing product, GPT-Red will remain an internal capability used to harden future OpenAI models.
Microsoft Brings Human Experts Into the AI Loop
While OpenAI is automating vulnerability discovery, Microsoft is focusing on accelerating incident response.
The company announced Microsoft Defender Experts Threat Intelligence (MDTI), a managed threat intelligence capability that combines Microsoft’s security AI with human analysts to help organizations investigate, prioritize and respond to threats more quickly. MDTI capabilities are now fully converged into the Defender portal.
The vendor is emphasizing the importance of human experts in interpreting the severity of security threats.
“Built on Microsoft’s visibility across endpoints, identity, cloud, and evolving attacker activity, it gives your team periodic, curated insight into the threats most likely to target you,” Aarti Borkar, Corporate Vice President, Microsoft Security, wrote in a blog post. “Designated Microsoft experts interpret the global landscape through the lens of your industry, geography, and environment, then translate it into clear, prioritized guidance your team can act on.”
Borkar explained that the service turns the vast volume of telemetry collected across its security ecosystem into actionable intelligence, helping security teams understand which threats require immediate attention and what remediation steps should follow. The approach combines AI-driven analysis with expert-led investigations rather than relying solely on automation.
“Security teams have never had more visibility, yet rarely have they felt more uncertain,” Borkar added. “Signal pours in from endpoints, identities, cloud workloads, and a sprawling mix of third-party tools. Dashboards are full, alerts keep coming, but the hardest question of the day remains unanswered: of everything happening right now, what actually matters to us, and what do we do about it? That space between knowing a threat exists and acting on it is the intelligence-to-action gap.”
The announcement reflects a broader trend across enterprise cybersecurity, where AI is increasingly handling threat detection, correlation, and investigation, while experienced analysts remain responsible for validating findings and directing response efforts.
What It Means for Customer Experience
Both OpenAI’s and Microsoft’s announcements address risks that are becoming increasingly relevant as organizations deploy AI agents into customer-facing workflows.
Prompt injection has emerged as one of the primary security concerns surrounding enterprise AI deployments. Customer service agents frequently access knowledge bases, emails, CRM records, websites and third-party applications, creating multiple opportunities for malicious instructions to be embedded within trusted content.
An AI agent compromised through prompt injection could expose customer data, manipulate transactions, retrieve confidential information, or execute unintended actions across connected business systems.
Danen said the simplest rule is to limit what agents can access in the first place. “Don’t give the agent access to the stuff that you don’t want it to tell people.” Danen added that unknown attack methods make access control especially important. “If the agent knows about it and can be tricked in some way that we haven’t discovered yet… you can’t really protect against the thing that you don’t know exists.”
For CX leaders, that means AI security cannot be separated from data architecture and permissions. If an AI service agent only needs product information, returns policy details, or order status access, it should not also be able to retrieve broader customer records, payment information, internal notes, or unrelated CRM data.
OpenAI’s research indicates that automated AI red teaming can identify these weaknesses faster than traditional manual testing, while Microsoft’s announcement points toward a future where AI-generated threat intelligence is immediately translated into guided operational response.
Together, the announcements suggest that AI cybersecurity is entering a new phase. Rather than simply detecting attacks after they occur, vendors are increasingly using AI to discover vulnerabilities before deployment, continuously harden models and accelerate enterprise response when threats inevitably emerge.