IT Brief Asia - Technology news for CIOs & IT decision-makers
Asia
OpenAI imposes passkey rule for high-risk ChatGPT users

OpenAI imposes passkey rule for high-risk ChatGPT users

Thu, 16th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

OpenAI has introduced a hardware-backed passkey requirement for certain high-risk ChatGPT users, affecting access to advanced models and tightening protections around sensitive accounts.

Members of OpenAI's Trusted Access Cyber programme must now use hardware-backed passkeys to log in to ChatGPT, including when accessing GPT-5.6. OpenAI is also restricting access for higher-risk entities and jurisdictions as generative AI systems become more deeply embedded in business processes.

Security specialists see the change as a sign of how AI adoption is reshaping identity management and cyber defence. Analysts say the move by a major AI provider highlights how quickly authentication is shifting away from passwords and legacy multifactor tools.

"OpenAI's mandate for hardware-backed passkeys is the definitive market signal that phishing-resistant authentication is no longer a best practice - it's a business necessity. This is one of the clearest signs yet that the era of passwords and legacy MFA is coming to an end. AI has completely weaponized the economics of cybercrime. Today, attackers rarely break in; they simply log in using AI-powered phishing, deepfakes and automated social engineering. To counter this, the industry must shift from vulnerable shared secrets to cryptographic, device-bound identity. By binding authentication directly to trusted hardware, passkeys completely neutralize credential theft. When one of the world's leading AI pioneers enforces this standard, it validates years of security innovation and proves that phishing-resistant identity is scalable and practical for enterprise use. What's particularly significant is that OpenAI is pairing hardware-backed passkeys with identity verification and trusted access for users seeking access to its most cyber-capable AI models, including GPT-5.6. That combination of identity verification and phishing-resistant authentication recognizes that protecting powerful AI systems requires confidence in how users authenticate and in who they are," said Bojan Simic, Chief Executive Officer and Co-Founder, HYPR.

Simic argued that the rise of AI agents inside organisations is also forcing a rethink of identity fundamentals. Non-human actors, he said, now operate with levels of autonomy that many existing controls do not address.

"As AI moves from passive assistant to active agent, the definition of identity in the enterprise has to change. We're giving non-human actors the ability to take actions, make decisions, and touch critical data, often using legacy service accounts or blanket permissions that were never designed for autonomous execution. If you can't answer exactly who an agent is acting on behalf of, what its boundaries are, and how to stop it in real time, you don't have a policy, and without policy comes real security risk and exposure.
Scaling AI safely comes down to basic identity fundamentals applied to non-human actors:
- Verifiable Ownership: Binding every agent to a human owner with an explicit, time-bounded scope of authority.
- Inline Control: Enforcing security at the point of execution through an agent gateway to ensure real-time response rather than trying to audit actions after they've already happened.
- Real-Time Oversight: Dynamically keeping a human in the loop who can constrain or shut down an agent instantly if it strays.
AI Appreciation Day is a good reminder that speed is only half the equation. The organizations that get the most value out of AI won't just be the ones deploying it fastest-they'll be the ones that solved how to govern non-human identity before things scaled out of control," said Simic.

The security implications extend beyond authentication. As AI tools spread across development, operations and security workflows, experts say balancing automation with human judgment is becoming more important.

Dhruv Majumdar, Vice President, Security Solutions at Fleet Device Management, pointed to the effect of AI on patching and remediation cycles.

"AI is helping security researchers uncover vulnerabilities faster than ever before, but it's also accelerating the speed at which those same weaknesses can be exploited, from days to hours. As AI-powered vulnerability discovery becomes more capable, the gap between finding a flaw and seeing it weaponized will continue to shrink. We need to respond to them faster. AI-assisted, and eventually autonomous, patching will become a necessity, not a luxury, because security teams won't be able to keep pace manually. But speed alone isn't enough. The real challenge is deploying fixes safely, with an understanding of business context and user experience. An autonomous system can't reboot a trader's workstation in the middle of a billion-dollar transaction or interrupt a Chief Executive Officer during a board meeting just because a patch is available. The organizations that get this balance right, combining AI-driven speed with intelligent operational guardrails, will have a significant competitive advantage over those still relying on manual processes. AI deserves appreciation because it's pushing us towards entirely new ways of operating that simply weren't practical before," said Majumdar.

Penetration testing providers are also reporting limits to purely automated approaches, arguing that live attackers adapt faster than rule-based tools.

"AI is already making security teams faster and more effective, but we also need to be honest about where the industry is today. There's a growing tendency to assume AI can replace security expertise, when the evidence suggests the opposite. Our research found that 78% of security teams have seen automated scanning tools miss critical vulnerabilities, and support for fully automated pentesting has dropped to just 9%. That's proof that context still matters. The challenge is even more pronounced with AI applications themselves. LLMs introduce new attack paths, business logic risks and behavioral flaws that can't always be identified by pattern matching or automated validation. That's why we're seeing organizations embrace a more pragmatic approach: automate what machines do well, but rely on experienced security researchers to uncover the issues that require human judgment. As AI becomes embedded in every business, confidence won't come from trusting automation alone. It will come from knowing you've validated your most critical systems with both intelligent tooling and expert adversarial testing," said Gunter Ollmann, Chief Technology Officer, Cobalt.

The shift is also reshaping the security jobs market, with training providers and employers starting to treat AI literacy as a baseline requirement.

"One of the biggest misconceptions about AI is that it's going to replace cybersecurity professionals. What's actually happening is far more significant: it's redefining the skills that every cybersecurity professional will need to succeed. We're already seeing employers look for AI knowledge alongside traditional cybersecurity expertise, and AI-focused training and certifications will soon become just as important as many of the security credentials the industry has relied on for years. Understanding AI models, prompt engineering, LLM risks and how attackers are weaponizing AI is rapidly becoming part of the baseline skillset, even for entry-level security roles. That shift shouldn't be viewed as a threat. Every major technological change has created new specialties, new career paths and new opportunities, and AI will be no different. Cybersecurity professionals who invest in AI skills today will likely be the ones leading security teams tomorrow. Those who combine strong security fundamentals with AI expertise will have a significant advantage over those who treat AI as someone else's problem. AI, whether we like it or not, is shaping the next generation of cybersecurity professionals. The challenge now is making sure education, certifications and workforce development evolve quickly enough to prepare them," said Laurent Halimi, Chief Executive Officer and Founder, Cyberr.