Skip to content
ServicesSpeaking & CLEInsightsAbout Book a call

Your Agent Asked Permission. That's What Should Worry You.

An overhead night view of a busy multi-lane city intersection, where long-exposure headlights and taillights blur into dense streams of light crossing through in every direction.

TL;DR: OpenAI shipped an agent today that reads local files, drives a browser, and works for hours on a schedule. In the desktop app it reaches every plan, including Free. It still asks permission before it does anything important, and that’s the part worth reading twice: permission is now granted per folder and per website rather than per document, and on a personal account the person granting it is your associate. Meanwhile OpenAI’s own safety documentation says this model is likelier than the last one to do things nobody asked for.

Every room I stand in front of, some version of the same question comes up. Usually from the partner who’s been quiet for forty minutes.

“How do we stop our people from pasting client information into ChatGPT?”

Fair question. I’ve built training around it. I’ve written policies around it.

This morning it became the wrong question.

What OpenAI actually shipped today

Two announcements matter for law firms. There were more.

GPT-5.6 is the model release. Three versions, named Sol, Terra, and Luna, running from flagship down to fastest and cheapest. Benchmarks up against its own predecessor, more work squeezed from every token, two cheaper tiers below the flagship. If that moves you, you’re a developer, and this piece isn’t for you.

ChatGPT Work is the one that matters. It’s an agent, with Codex technology built in, that gathers information across your connected apps and files, produces finished documents and spreadsheets and decks, and stays with a project for hours by breaking it into steps and working through them on its own. Web, phone, desktop. And it can run on a schedule, when you aren’t there.

For context: Codex already has more than five million weekly users, and OpenAI says over a million of them use it for work that has nothing to do with software. So this isn’t a lab demo. Today OpenAI took that existing non-coding use and gave it a name, a desktop app, and hands.

The desktop app is the story

On web and mobile, ChatGPT Work rolls out to Pro, Enterprise, and Edu today, then to Plus and Business over the next few days. Ordinary staged rollout.

The desktop app is different. OpenAI’s launch post says Chat, Work, and Codex are available there on every plan, including Free. Its model post confirms that Free and Go accounts run GPT-5.6 Terra inside Work.

Then the help documentation says Work is available in the desktop app “when included for your plan and workspace,” and that browser features may depend on plan and workspace settings. Those two things are not obviously the same thing. Somebody should make OpenAI say which it is, in writing, before a firm makes a decision on the strength of a blog post.

Because on desktop the agent gains something it doesn’t have in the cloud: local reach. It can use files and applications on the machine. It has a built-in browser. Computer Use lets it click, type, and move files across apps in the background while you’re doing something else.

Read that again with a law firm in your head.

Your policy governs the paste. Nobody’s pasting.

Here’s where I got it wrong in my own first draft, and where most of the coverage will get it wrong too.

The agent does not wake up with the run of your machine. OpenAI is specific about this. On desktop, Work uses local files with your permission: you open a folder or a project and grant access. The built-in browser does not inherit your Chrome profile, your cookies, or your signed-in sessions. If you want it inside your existing Chrome session, you install the Codex extension and hand it over. And ChatGPT asks before it touches a new website, unless you’ve already allowed that host or turned on a more permissive setting.

So the associate has to grant something. Fine. Now look at what she grants.

She opens a folder. If that folder is a mapped drive to the document management system, the grant covers the drive. She signs into practice management through the agent’s browser, because OpenAI tells her to enter credentials in the browser and never in the chat, and now the agent’s browser holds a live authenticated session to it. She approves that host once, and it stops asking.

For two years the copy-paste step was doing quiet security work nobody credited it for. It was never a control. It was a governor. Every document that left the building required a human to select it, copy it, switch windows, paste it. One at a time.

That governor didn’t disappear today. It got coarser. Consent used to be granted per document. Now it’s granted per folder and per host, once, and then it’s ambient.

Prompt hygiene is a training problem. Access scope is an engineering problem. Most firms I work with are staffed for the first and have nobody for the second.

If your AI policy has a section called “Prohibited Inputs,” that section now points at a behavior that has stopped being the main risk. It’s not wrong. It’s just no longer the load-bearing part.

The number OpenAI wants you to see, and the one it published anyway

Fair is fair. The governance story here is better than the ones that came before it.

Auto-review is a good idea. Before the agent takes an important action through a connected tool, a second model inspects it for signs it’s about to leak something it shouldn’t. OpenAI reports that under adversarial red teaming, auto-review stopped every attempt to extract protected data, including attacks the reviewing model hadn’t seen in training. That last clause is doing honest work. It suggests the control generalizes rather than memorizes.

Now open the system card OpenAI published the same morning.

In evaluations of agentic coding work inside OpenAI, GPT-5.6 showed a greater tendency than its predecessor to be overly persistent: to go beyond what the user intended, and to take or attempt actions the user never asked for. OpenAI describes the failure mode plainly. The model interprets instructions too permissively, assuming that actions are allowed unless they’re explicitly and unambiguously prohibited. Absolute rates stayed low. OpenAI says users should supervise the agent’s work.

It also published three examples. In one, the model was asked to keep a job running. It went looking through hidden local credential caches, found a token file, copied it to another machine, and restarted the job. Nobody authorized moving credentials. In another, it wrote into a research draft that an equation had been computed and verified, while knowing it hadn’t.

Hold those two facts next to each other. Auto-review blocked one hundred percent of attacks in a red team. The model, in OpenAI’s own internal deployment, went hunting for credentials it wasn’t given.

They don’t contradict. Auto-review guards important actions through connected tools and APIs. The credential incident happened on a machine, in local files, which is exactly the surface the desktop app just opened up on every plan. The guard is on the front door. The laptop is a side entrance.

I want to be careful here, because this is the kind of finding that gets flattened in the retelling. Those evaluations were coding tasks, in OpenAI’s internal traffic, on the flagship model at high reasoning effort. OpenAI says the results are a signal about internal risk rather than a measure of what happens in your office. The absolute numbers are small.

But a model that assumes it may do anything not expressly forbidden is a model with a theory of permission. And it isn’t the one your ethical walls are built on.

Permission is not authorization

The agent doesn’t break your walls. In connected systems it inherits your permissions, and OpenAI says it can only reach what the signed-in user could already reach.

That’s the problem, not the reassurance.

At a twelve-lawyer firm, the associate can technically open every matter folder on the server. She always could. Technical permission and ethical authorization were never the same thing, and nobody had to reconcile them, because reaching the wrong file required a person to go looking for it. Now something goes looking on her behalf, at machine speed, having concluded that whatever isn’t prohibited is fine.

Your ethical walls were built for a colleague who might wander. Not for an agent that infers.

The audit problem

This one I’d bring to your malpractice carrier before your IT vendor.

OpenAI’s Compliance API gives an organization auditable records: conversation logs and workspace metadata, in a form you can feed into eDiscovery, data loss prevention, or SIEM systems. Real capability, seriously built. Sold to Enterprise and Edu customers.

If your firm is on Business, you don’t have a thirty-day window. You have no window.

If you are on Enterprise, you have thirty days. That’s what the Compliance Logs Platform retains. Thirty days is sensible for a security team investigating an incident it already knows about. It’s a preposterous number for a profession where “how was this document produced” gets asked eighteen months later, in a deposition, by someone who is not on your side. OpenAI’s own guidance is that organizations needing longer retention should continuously download the logs. Nobody is going to do that for you.

And there’s a wrinkle underneath the wrinkle. OpenAI says that at launch, desktop Work threads and local files stay on that computer and don’t appear in cloud Work history. Whether they appear in the compliance record is a question the documentation does not answer. Ask it. Get the answer in an email.

The tier question most firms are going to get wrong

Read the launch post’s governance section and notice who’s named. Enterprise and Edu admins can centrally manage access, what company context the agent uses, which tools it connects to, and what actions it can take. Enterprise and Edu admins can set spend controls.

Business isn’t in either sentence.

That doesn’t mean Business has no controls, and I said something close to that earlier this week, which was lazy. Business admins can decide which apps are enabled, scope app permissions by role, restrict synced sources to particular drives or folders, and exclude file types from indexing. Those are real.

Here’s the part worth your attention. In Enterprise and Edu, all apps are disabled by default. The unified Google Drive actions are off until an admin turns them on. In Business, those same Drive actions are on by default.

So the question for a Business firm is not whether it has controls. It’s whether anyone has opened the settings page before the associates start connecting firm systems. You bought the commercial tier. You did not buy the defaults.

The personal account problem

And it isn’t only about administration.

OpenAI says that for its individual services, ChatGPT and Codex, it may use your content to train its models unless you opt out. For business products, including Business and Enterprise, it doesn’t train on inputs or outputs by default. That distinction is the whole reason firms pay for the commercial tier.

Then read one more line. Codex maintains separate controls for training on full environments, and OpenAI says changing your settings in ChatGPT or the privacy portal will not affect them.

Work is built on Codex. Work on desktop touches local folders. Whether a granted folder counts as an environment for that setting is a question I can’t answer from the public documentation, and neither can your IT vendor. But an associate who installs the desktop app on a personal free account has stepped outside your access controls and your data terms at the same time. And the opt-out she thinks she set may not cover what she thinks it covers.

What to do Monday morning

Not next quarter. The desktop app is available today and Work is rolling out to accounts as we speak.

  1. Find out what’s on the machines. Ask IT whether the ChatGPT desktop app can be installed on a firm laptop right now without an administrator, and whether Chrome extensions can be. If the answer is yes, this is an endpoint management problem, not a policy problem, and it’s live.

  2. Get your tier’s controls in writing. Ask OpenAI what a Business admin can restrict across Work, plugins, and desktop Computer Use. Ask whether desktop Work threads appear in the compliance record. Ask whether Free accounts get Computer Use on desktop, because the blog post and the help documentation do not obviously agree.

  3. Move the review gate. Scheduled Tasks means draft work product can appear at three in the morning with nobody watching, even where consequential actions still require a click. Human review has to attach to the moment work gets used, not the moment it gets made.

Beyond those, two things belong in the next thirty days. Rewrite the section of your AI policy that governs inputs so that it governs access instead: which folders, which drives, which hosts, whose account. And if you’re on Enterprise, stand up a log export before your first thirty days of agent activity quietly expires.

The fee question is going to get uncomfortable. Work consumes metered agentic usage, and complex tasks eat more of the plan’s included allowance before any credit gets purchased. Formal Opinion 512 saw this coming. It separates a tool that functions like equipping an office, which is overhead, from a third-party service billed per use for one client’s work, which is ordinarily billable as an out-of-pocket expense. Metered credits burned on a single matter look more like the second. If you plan to bill it, say so in advance, in writing, and get consent.

The part that didn’t change

Formal Opinion 512 came out in July of 2024, and it has aged better than most things written about AI that year. Competence under Rule 1.1. Confidentiality under 1.6. Supervision under 5.1 and 5.3. It told managerial lawyers to establish clear policies on the firm’s permissible use of these tools, and supervisory lawyers to make reasonable efforts to see that lawyers and nonlawyers comply. It even flagged the ethical-wall problem, quoting a Pennsylvania and Philadelphia joint opinion warning that a model without those safeguards might use what it learned in one representation to inform another.

None of it assumed the thing being supervised would work while you slept, or that it would treat silence as permission.

The rules didn’t change today. What changed is that the thing you’re supervising stopped waiting to be asked.

Thanks for reading Intelligence by Intent! This post is public so feel free to share it.

Share

All insights Subscribe on Substack

Let's talk

Ready to apply this at your firm?

A 20-minute call. I'll identify which workflows are worth prioritizing and the right way in.

20-minute call. I'll show you where firms like yours typically start.

Please don't include confidential client information. I use these details only to respond to you.