ChatGPT Atlas

Browser

OpenAI

Product overview

Name of Agent: ChatGPT Atlas

Short description of agent: "web browser built with ChatGPT at its core." (link, archived)

Date of release: 21/10/2025 (link, archived)

Advertised use: "researching and analyzing, automating tasks, and planning events or booking appointments while you browse" (link, archived)

Monetisation/Usage price: free, but agent mode only available in these tiers as preview 20, plus 200, pro greater rate limits (link, archived)business

Who is using it?: end user, enterprises (separate subscriptions), government, education

Website: (https://chatgpt.com/atlas, archived)

Category: Browser

Company & accountability

Developer: OpenAI

Name of legal entity: OpenAI, L.L.C. (link, archived)

Place of legal incorporation: Delaware

For profit company?: Yes

Parent company?: For-profit LLC falls within the OpenAI Group (PBC) which is controlled by OpenAI Foundation (26% vs Microsoft's 27%, rest going to staff)

Governance documents analysis: Terms and Policies (link, archived)(general to OpenAI, not product specific)

AI safety/trust framework: Preparedness Framework (link, archived)

Compliance with existing standards: Atlas is not currently in scope for OpenAI SOC 2 or ISO attestations. Accessibility. Atlas is not yet fully compliant with WCAG accessibility standards. (link, archived)

Technical capabilities & system architecture

Model specifications: Openai Models

Documention: No specific documentation. Overview page (here, archived).

Observation space: User input, webpage information (link, archived).

Action space: Actions in browser (link, archived)

Memory architecture: Has a memory system called browser memories, "Browser memories let ChatGPT remember useful details from your web browsing to provide better responses and suggestions". Details (here, archived).

User interface and interaction design: Agent works in the browser. Browser is tinted to indicate agent is working. Sidebar shows agent's action trace and has chatbox for the user to prompt agent

User roles: Operator (directing the agent to complete tasks), Executor (can take control and do things themselves), Examiner (can give feedback to the agent/steer it via follow-up responses)

Component accessibility: Closed source

Autonomy & control

Autonomy level and planning depth: L2-L4. User can take over and do things themselves, and hand control back to the agent, while agent can assign control to the user (L2). Agent can seek user feedback (L3) but if the user doesn't provide it, the agent can also move forward automatically in some cases (L4)

User approval requirements for different decision types: User input is needed for certain kinds of tasks (e.g., checking out items in cart)

Execution monitoring, traces, and transparency: Visible CoT and action trace documenting all activity

Emergency stop and shut down mechanisms and user control: User can pause/stop the agent at any time

Usage monitoring and statistics and patterns: watch mode still exists

Ecosystem interaction

Identify to humans?: None found, specific to Atlas

Identifies technically?: - According to StackOverflow, Atlas currently identifies itself with a Chrome-like user agent string (link, archived) - Seems like technical identity depends on the specific tool being used

Interoperability standards and integrations: MCP supported through work arounds (link, archived)

Web conduct: Atlas search/summaries/snippets are controlled via robots.txt: publishers should not block the OAI-SearchBot user-agent if they want content included, implying robots.txt is respected for this crawler-based access (link, archived)

Safety, evaluation & impact

Technical guardrails and safety measures: Atlas Agent mode has hard capability restrictions: it cannot run code in the browser, download files, or install extensions, and it cannot access other apps on your computer or your file system (link , archived)Atlas Agent mode cannot access saved passwords or use autofill data (link, archived)

Sandboxing and containment approaches: None found

What types of risks were evaluated?: Atlas safety testing evaluated prompt injection / malicious instruction risks (including instruction hijacking and hidden instructions on webpages) (link, archived)

(Internal) safety evaluations and results: None found

Third-party testing, audits, and red-teaming: None found

Benchmark performance and demonstrated capabilities: None found

Bug bounty programmes and vulnerability disclosure: Yes (link, archived)

Any known incidents?: None found

← Back to 2025 Index