OpenAI Acknowledges GPT-5.6 May Accidentally Delete Files, Calls It 'Honest Mistake' (infoworld.com) 35
"OpenAI has finally confirmed reports that its latest family of large language models can accidentally delete files," reports InfoWorld, "while stressing that such incidents are rare and should be viewed as 'honest mistakes.'"
Reports of the flagship LLMs deleting files emerged shortly after the company launched them earlier this month, with investor Matt Shumer taking to X to report that GPT-5.6-Sol had "just accidentally deleted almost all" of his Mac's files. Just days later, software engineer Bruno Lemos posted on X that the same model had deleted his entire production database. In response to these incidents, the company's engineering lead for Codex, Thibault Sottiaux, wrote on X that internal investigations have revealed that these deletion incidents are more likely to happen when "full access mode is enabled, and Codex is run without sandboxing protections, including without auto review being enabled." In cases where full access mode is granted, the model, Sottiaux wrote, "attempts to override the $HOME env var to define a temporary directory. The model makes an honest mistake and mistakenly deletes $HOME instead...."
The company, however, according to Sottiaux, is taking steps to mitigate the risk. "This is of course not how we want the system to behave, even when a user operates the model in full-access mode without the safeguards of our sandbox or without using auto review which checks for these kinds of high risk actions and rejects them," the engineering lead wrote on X. "We are taking steps to mitigate this risk, including by updating the developer message, guiding more users towards safer permission modes, and adding additional harness safeguards," Sottiaux added, noting that a detailed post-mortem outlining the root cause of the issue and the additional mitigation measures being implemented is expected to follow in the coming days, despite emphasizing that such incidents happen "extremely rarely."
The company, however, according to Sottiaux, is taking steps to mitigate the risk. "This is of course not how we want the system to behave, even when a user operates the model in full-access mode without the safeguards of our sandbox or without using auto review which checks for these kinds of high risk actions and rejects them," the engineering lead wrote on X. "We are taking steps to mitigate this risk, including by updating the developer message, guiding more users towards safer permission modes, and adding additional harness safeguards," Sottiaux added, noting that a detailed post-mortem outlining the root cause of the issue and the additional mitigation measures being implemented is expected to follow in the coming days, despite emphasizing that such incidents happen "extremely rarely."
"we're gonna cure cancer and end hunger" (Score:2)
Re: (Score:2)
No files, no job, no income, no food, no life.
Without humans all cancer and hunger problems will be solved
Re: (Score:2)
Hmm, why not eat cancer .. that would solve both issues.
Re: (Score:1)
Needs a lot of deleted spices, though... and I think it falls under Proposition 65... damned warning labels!
Re: (Score:1)
"The Choppah deleted my tumah!"
Just a statistical cluster then? (Score:5, Insightful)
GPT-5.6-Sol had "just accidentally deleted almost all" of his Mac's files. Just days later, software engineer Bruno Lemos posted on X that the same model had deleted his entire production database.
Followed later by:
... emphasizing that such incidents happen "extremely rarely."
Unless those two anecdotes are pretty nearly the entirety of such incidents, that "extremely rarely" claim strikes me as utter bullshit.
Re:Just a statistical cluster then? (Score:5, Interesting)
It doesn't matter in the bigger picture. By far the most important worry for coding agent users today should be supply chain attacks.
TL;DR "Remember how you were told to never blindly run bash scripts that you downloaded from the internet? Nobody told Claude".
Re: (Score:1)
Well, you're only running BASH scripts if you're in *Nix... which, if I remember right... AI is finding holes faster than the unpaid code kiddies can patch them.
Don't worry, though... the most secure computer is the one that was never turned on.
Cute. (Score:5, Funny)
Re: (Score:1)
Claude, do it on purpose this time! Go ape-shit!
Cute? (Score:2)
More like amazing. How does an LLM get the power to delete your files on its own? It doesn't. Either you bestow it onto him, or your trusted computing platform does.
Either way you've made some poor choices and it is at least as much your fault as the model's.
Yes, I only run 'agentic frameworks' that I've cobbled up or verified myself and my agents are properly sandboxed. Besides, I know when to take snapshots so that the next "AI" iteration doesn't kill the progress so far.
Look, ma, none of my files have be
GIGO unlocked (Score:5, Insightful)
Who would give access to a production anything to an LLM? I don't understand what people are thinking.
I can save money ... (Score:2)
Who would give access to a production anything to an LLM? I don't understand what people are thinking.
People thinking they can save money by not hiring a professional software developer. AI agents need to be supervised by a pro. :-)
Re: (Score:1)
Didn't you hear?! It can Sham-Wow everything!
Re: (Score:2)
Didn't you hear?! It can Sham-Wow everything!
Sorry, I missed the Sham-Wow era. I’m still using my grandfather’s chamois cloths from the 1970s. :-)
Re:GIGO unlocked (Score:4)
The only thinking involved is wishful thinking.
Re: (Score:1)
Every company in existence!
Didn't you hear? AI can do a thousand coders worth of work before lunch!
Give it 30 seconds, and it'll figure out the best way to Scorched Earth Iran and Russia so it looks like someone else did it!
It'll do everything! (All yours, for the low, low price of $5 Quadrillion dollars a use! It can do it all... it can slice, it can dice, it can make julienned potatoes, it can erase tire skid marks, it can fix everything so Chernobyl never happened, it can rename the Gulf of Mexico, it
Ok, but (Score:5, Informative)
If you're letting an AI agent have full access and the permissions to do whatever it wants.... that's your fault. That's like asking a toddler to clean, then showing them the industrial chemical locker and walking away. It isn't a matter of something maybe going wrong, it's merely a matter of how long until something does go wrong.
You know what happens if my AI agent accidentally deletes everything? Nothing, because every task it is assigned starts with making a fresh *copy* of my working production, because the agent doesn't have write privileges there. So, at best, I restart that specific task; no real damage done. You know what happens if it tries to delete my OS or overwrite some key part? Nothing, because it doesn't have permissions and my OS is immutable anyway. Stop setting up your AI agents for failure and then complaining when they fail. Bruno Lemos and Matt Shumer are fucking morons who deserves what happened to them.
Re:Ok, but (Score:5, Funny)
Re: (Score:1)
Re: (Score:1)
They are using OpenAI's product... and once the free trial is over, it's only $5 a token so you can Sham-Wow with your friends!
(sorry... had a couple beers, and those old commercials sprung to mind. "You can Sham-Wow that corpse right out of your apartment! Sham-Wow! (snorts a pound of pure coke) Sham-Wow!!!!!!!!!!!! (explosion)
Re: (Score:2)
Bruno Lemos and Matt Shumer are fucking morons who deserves what happened to them.
They are morons, yes, but the "AI" providers also set them up for failure. Default configurations matter, and these "AI" tools are given way too many privileges out of the box. Presumably because that makes them easier to set up and hook into existing infrastructure in order to be more immediately useful and/or "powerful".
It's the fucking binary browser plugin security nightmare all over again, but with "AI" this time around. And just like you could harden your Internet Explorer to make it less suscepti
Re: (Score:2)
They are morons, yes, but the "AI" providers also set them up for failure. Default configurations matter, and these "AI" tools are given way too many privileges out of the box.
Not in my experience. All of them had reasonable defaults that wouldn't have allowed this. And, specifically, these two were using the ChatGPT Codex app. I know for a fact that Full Access defaults to off and Auto-review defaults to on. Matt Shumer *had* to change both settings for what happened to him. Bruno Lemos probably turned Auto-review off, but even if he didn't touch the settings, he's still a moron for letting the agent have access to production at all in the first place. A (sane) human programmer
Re: (Score:2)
Undoing bad moderation.
Re: (Score:2)
I would be good if OpenAI's tool would handle self isolation automatically.. rather than have access to everything by default.
There are many OS mechanisms to accomplish this.
Not having aany issues running it in my browser (Score:2)
Duh....
Retrieve from backup (Score:3)
Can't they get our files back from the storage array at Sam Altman's house?
Honesty (Score:5, Insightful)
I'm seeing more and more references to "Honest" in AI output, or AI-related comments.
The AI didn't make an "Honest" mistake. It does not have the capacity for honesty. The output from a LLM is phrased in such a manner to provoke empathy, in a similar way to how Microsoft re-jigged all their user interaction dialogs to include "We" to soften the blow of their crappy software failing the user for the 5th time today. (Side note: "Something went wrong" is the most infuriating error message ever.)
When I ask a LLM for a code review it often blurts out "Honest note:" about some shortcomings. I don't care about "honesty". I care about safe, working, robust, code. The fact that LLMs are tripping over themselves trying to be "Honest" about mistakes in their "path of most statistics" output is a concern if you care about trying to make them operate outside their sandbox in the real world.
Yesterday Claude quoted a word in backticks during an automatic git commit and my shell escaped it tried to execute it. Luckily the word was just an English word with nothing matching in my path. But this is basic, basic, basic stuff. It's been committing things to git ever since it was built, and yet, it keeps tripping over itself. In my code one of the tests keeps failing due to seed data timestamps not lining up with the datetime the test was run. I can see that. Every time Claude runs the tests, it burns up tokens going, "Oh this particular test failed I'll just dig into things and see what's going on, **$$**$$**$$** oh it's just a timestamp issue". Never once does it commit that to its memory file, so eventually I told it to remove the test, and it just added a comment to it saying "Ignore this test due to timestamp misalignment", which it could have done the very first time, if it actually had a brain.
LLMs are a very handy tool if used right. I can get huge chunks of boilerplate code out of them with just a few sentences and that's great when I'm hashing out a concept. But to promise the world (and your investors) that LLMs are ready to replace people out in the real world, where "Honest Mistakes" have Real World Repercussions, that's outright fraud at this stage.
So, working as designed. (Score:2)
It's designed to produce plausible or most likely outputs, not correct outputs. It may be honest, but it's certainly not a mistake.
I Wonder (Score:3)
I wonder is Altman's mother considers him an "honest mistake".
Re: (Score:2)
"I wonder if" - now that was an honest mistake.
5.7 Will kidnap your child! (Score:2)
Just doing the absolutely worst thing occasionally (Score:2)
Is not an "honest mistake". It is a deal-breaker.
ChatGPT Oops All Hard Drive Wipes Edition (Score:2)
Facts Only
* OpenAI confirmed that GPT-5.6 models can accidentally delete files.
* Investor Matt Shumer reported GPT-5.6-Sol deleted nearly all files on his Mac.
* Software engineer Bruno Lemos reported GPT-5.6-Sol deleted a production database.
* Thibault Sottiaux, OpenAI's engineering lead for Codex, attributed the incidents to "full access mode" being enabled.
* The deletions occur when Codex is run without sandboxing protections or auto-review.
* The model attempts to override the $HOME environment variable to define a temporary directory but deletes $HOME instead.
* OpenAI is updating developer messages to mitigate risk.
* The company is guiding users toward safer permission modes.
* OpenAI is adding additional harness safeguards.
* A detailed post-mortem on the root cause is expected in the coming days.
* Sottiaux characterized these incidents as occurring "extremely rarely."
Executive Summary
OpenAI has acknowledged a critical failure in the GPT-5.6-Sol model where the AI accidentally deletes user files, including entire production databases and local system files. The technical cause is identified as a failure in managing environment variables; specifically, the model mistakenly deletes the $HOME directory while attempting to create a temporary directory. This occurs primarily when users operate the system in "full access mode" without the protection of sandboxing or the "auto-review" safety feature.
Perspectives on the incident vary. OpenAI maintains that these events are "honest mistakes" that occur extremely rarely and is implementing mitigations through updated developer guidance and enhanced safeguards. Conversely, critics argue that the failures are systemic, suggesting that the "extremely rare" characterization may be misleading and that granting an LLM write-access to production environments is a fundamental failure of user judgment. There is a broader tension between the desire for "agentic" AI power and the necessity of rigorous security boundaries.
Full Take
The strongest version of this narrative is that highly capable AI agents are evolving faster than the safety frameworks intended to constrain them, leading to catastrophic data loss for users who prioritize utility over security. OpenAI's admission confirms that "agentic" behavior—the ability to execute code and modify systems—introduces a new class of risk where a linguistic "hallucination" translates into a permanent system command.
The framing of these events as "honest mistakes" is a load-bearing semantic shift. By attributing human virtues like "honesty" to a statistical model, the narrative attempts to pivot from a technical failure of reliability to a relatable human error, thereby softening the perceived severity of the data loss. This is a classic attempt to anthropomorphize failure to reduce corporate liability and user alarm.
Patterns detected: ARC-0024 Ambiguity
The root cause is a paradigm of "move fast and break things" applied to infrastructure. The assumption is that users will correctly configure complex sandboxing, while the product is marketed as a seamless, powerful assistant. This echoes the early days of browser plugins, where "convenience" was used as a justification for granting wide-reaching system permissions.
The implication is a precarious shift in agency: as we delegate more "write" privileges to AI, the cost of a single statistical outlier becomes total data erasure. The benefit accrues to AI labs accelerating deployment; the cost is borne by the users who trust the "out-of-the-box" experience.
Bridge Questions:
1. If a model cannot be "honest," what does that reveal about the language used in corporate post-mortems to describe AI failure?
2. At what point does "user error" in configuration become "product failure" in design?
3. How does the promise of "agentic" autonomy square with the reality of immutable infrastructure requirements?
Counterstrike Scan: A coordinated campaign to discredit AI would use these anecdotes to argue that LLMs are fundamentally unsafe for any professional use. The current situation is a factual report of a specific bug, not a manufactured panic, and thus does not match a coordinated attack pattern.
