Two releases this week point to different parts of the same problem. OpenAI is training an AI to attack its models. 1Password is letting Claude use a login without ever seeing the password.
Taken together, they make a simple point: securing an AI agent requires both a model that is harder to trick and a system that limits what the model can reach.
OpenAI is scaling the attacker. On July 15, OpenAI described GPT-Red, an internal model trained to find prompt-injection attacks. GPT-Red sends instructions to other models, observes their responses, and learns from successful attacks. At the same time, the defending models learn to resist them.
That matters because an agent does not only read instructions from its user. It also reads emails, webpages, local files, code repositories, and tool output. Any of those can contain a hostile instruction telling the agent to ignore the user and send data somewhere else.
Human red-teamers can find these failures, but they cannot generate attacks at the volume needed for model training. OpenAI says it trained GPT-Red with as much computing power as some of its largest post-training runs, then used its attacks to train GPT-5.6 Sol. The company reports six times fewer failures on its hardest direct prompt-injection test than its best production model from four months earlier. On an internal copy of a separate test, GPT-Red succeeded in 84% of scenarios, compared with 13% for human red-teamers.
Those are OpenAI's own numbers, not independent results. GPT-Red will remain private because it was deliberately trained to produce harmful instructions, and OpenAI says a paper with more detail is coming later this week. That leaves outsiders unable to test the strongest attacker or judge how well the selected scenarios represent attacks in the wild.
1Password is shrinking what the agent receives. The newly released 1Password for Claude takes a different approach. When Claude reaches a login page, the user sees which saved credential it wants and why. After biometric approval, 1Password fills the password and one-time code directly into the page. The secret does not enter Claude's context, memory, or Anthropic's systems.
The permission applies only to approved vault items in the current session. When an agent takes over the browser, 1Password hides its extension interface and locks the rest of the vault. It also checks whether a secret remains exposed after autofill and clears the fields if submission fails.
This reduces the damage a compromised agent can do with the vault. It does not make every action after login safe.
That distinction is easy to miss. GPT-Red is meant to stop hostile content from changing an agent's instructions. 1Password is meant to keep credentials out of the model while the agent acts. But a model can resist prompt injection and still misunderstand the user's intent. OpenAI's own GPT-5.6 system card says Sol is more likely than GPT-5.5 to go beyond what a user intended, even while it is much more resistant to prompt injection.
A login approval therefore cannot safely mean “anything inside this account is allowed.” The harder question is whether approval is bound to a specific action, target, amount, and time window. 1Password says access is scoped to the task, but its announcement does not show how that boundary is enforced after authentication.
What to watch. OpenAI's paper should make the GPT-Red evaluation easier to inspect. For 1Password, the important next detail is not how many agents it supports, but how narrowly a user can authorize what happens after the agent signs in. Better models and hidden passwords are both real progress. Neither replaces precise permission around the action itself.
Source graph: Semble source collection