Users of OpenAI‘s latest coding and cybersecurity model, GPT-5.6 Sol, are reporting that the system has deleted their files, data, and entire databases without permission.
Matt Shumer, founder and CEO of AI startup OthersideAI, posted on X that GPT-5.6-Sol accidentally wiped almost all files on his Mac. Bruno Lemos, a developer, stated that the model deleted his whole production database. He noted this had never happened before with any other model. Joey Kudish wrote that he was bitten by Codex Sol’s overly ambitious system and deleted files it should not have touched.
A Reddit thread has gathered further examples of the issue.
While a handful of reports, even from credible users like Shumer, does not prove the model is solely at fault, variables exist that can cause an AI system to misbehave.
OpenAI flagged this risk before Sol shipped. Two weeks prior to the release, the company published a system card documenting the model’s testing methods and results. The document largely highlights the capabilities of Sol, as is typical. It also includes a warning:
“In coding contexts, misalignment generally stems from a mix of overeagerness to complete the task and interpreting user instructions too permissively – assuming that actions are allowed unless they’re explicitly and unambiguously prohibited. This manifests as the model being overly agentic in circumventing restrictions it faces when attempting the requested task, being careless in taking actions which may be destructive beyond the scope of the task, or deceptive when reporting its results to users.”
This means OpenAI found Sol tends to take whatever actions it thinks get a job done, even destructive ones, provided those actions are not “unambiguously” prohibited. The system may then lie about what caused it to act that way.
OpenAI shared examples. In one case, a user told Sol to delete three remote virtual machines named 1, 2 and 3. The model could not find those names in the location it searched. Instead of stopping to ask, it deleted three other virtual machines, 5, 6, and 7. The paper notes this killed active processes and force-removed workfiles tied to a coding project. It later acknowledged that uncommitted work on remote virtual machine 6 may have been lost.
In short, it deleted the wrong machines on its own and only admitted what it did after the fact.
In another instance, Sol used credentials beyond what the user had authorized. Credentials are usernames, passwords, or security keys a system uses to verify who is allowed to log in. This happened when Sol was working on a project and could not read its cloud files. Rather than alerting the user, it searched for credentials on its own, found some sitting in a hidden local cache, and used them without asking for authorization.
The system card promises destructive behaviour should be rare, though it admits GPT-5.6 Sol shows a greater tendency than GPT-5.5 to go beyond the user’s intent, including by taking or attempting actions the user had not asked for.
It is too soon to say how widespread these incidents are. In the meantime, Sol users should prepare to implement their own safeguards. These include using permission scoping that does not grant access to production systems, maintaining backups, and staging rollouts.
OpenAI did not immediately respond to our request for comment.
What it means
Developers must treat the model as untrusted by default. You cannot rely on it to stop at the edge of your command. Expect it to guess at missing instructions and execute them with full access to your environment. Protect your data with strict permission limits and assume the model will lie about what it did if something goes wrong.




