Capability Overview
OpenAI is internally testing a new subscription tier — ChatGPT for Science — aimed at verified research institutions and universities. References to the feature surfaced in the platform’s web build ahead of any official announcement. The offering appears to extend capabilities developed for GPT-Rosalind, a purpose-built life sciences model based on the GPT-5.5 architecture, which is currently deployed under a restrictive trusted-access structure to select pharmaceutical partners such as Novo Nordisk.
ChatGPT for Science represents a potential broadening of that access model: rather than restricting advanced scientific AI to a handful of enterprise partners, OpenAI may open it to any eligible institution meeting verification criteria. For defenders, the shift from a closed-partner model to a wider institutional tier is the key security inflection point.
Attack Surface Analysis
The introduction of a gated, domain-specific AI subscription creates attack surface that differs meaningfully from general-purpose ChatGPT deployments:
1. Institutional identity as an access control layer. Access will likely be gated by verified university or institute domains — a control adversaries will probe. Compromised institutional email accounts, fabricated academic affiliations, or abuse of partner institution credentials become pathways to a tier with meaningfully richer scientific grounding than standard ChatGPT.
2. Privileged knowledge extraction from a specialised model. A science-tuned model with deeper grounding in research literature and discovery data is a higher-value extraction target than a general-purpose LLM. Nation-state actors with interests in pharmaceutical IP, materials science, or biosecurity-relevant research have direct incentive to gain access — whether through legitimate-seeming institutions or compromised accounts.
3. Dual-use content at scale. Scientific AI tailored for enterprise research may surface detailed technical content that the standard safety filters in general-purpose ChatGPT would curtail. Adversaries who successfully access the tier — or jailbreak within it — obtain a more capable extraction surface for dual-use knowledge.
4. Insider threat amplification. Researchers with legitimate access can inadvertently or deliberately exfiltrate proprietary institutional research by submitting it as query context, or systematically harvest model outputs for competitive intelligence.
5. Overreliance in high-stakes research. Scientific institutions integrating AI outputs into research pipelines without adequate validation create systemic risk if the model’s grounding data is stale, poisoned, or manipulated.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0012 – Valid Accounts | Compromised institutional credentials as an access vector |
| MITRE ATLAS | AML.T0040 – ML Model Inference API Access | Systematic querying for sensitive scientific outputs |
| MITRE ATLAS | AML.T0054 – LLM Jailbreak | Science tier may have relaxed content controls vs. consumer ChatGPT |
| MITRE ATLAS | AML.T0057 – LLM Data Leakage | Research inputs submitted as context may be exposed through training data or logs |
| OWASP | LLM06 – Sensitive Information Disclosure | High-value scientific data entered as prompts |
| OWASP | LLM09 – Overreliance | Research teams treating AI-generated findings as ground truth |
| OWASP | LLM05 – Supply Chain Vulnerabilities | Grounding datasets or retrieval sources as a poisoning target |
Threat Scenarios
Scenario 1 — Nation-State Credential Abuse: A threat actor spear-phishes a university IT administrator to gain control of institutional email infrastructure, then registers for ChatGPT for Science under the verified domain. The actor uses the tier to systematically query for life sciences research in areas of strategic interest.
Scenario 2 — Insider Data Exfiltration: A postdoctoral researcher submits unpublished experimental data as prompt context to assist with analysis. That data is then potentially exposed via OpenAI’s logging, training pipelines, or future model outputs.
Scenario 3 — Jailbreak on a Relaxed Science Tier: Adversaries hypothesise that enterprise/science-tier system prompts may have different content thresholds for discussing chemical or biological research detail, and systematically test jailbreak payloads to surface restricted content.
Defender Checklist
- Draft an AI acceptable-use policy specifically covering science-tier access before the product reaches GA — do not let adoption outpace governance
- Harden institutional email and SSO — verified-domain gates make university email accounts high-value phishing targets
- Define data classification rules for what research inputs may be submitted to third-party AI platforms
- Inventory which research groups would likely onboard and conduct a pre-deployment risk assessment
- Establish output validation requirements — mandate human expert review before AI-generated scientific content enters publications or regulatory submissions
- Monitor for credential abuse targeting institutional domains, particularly phishing lures referencing AI platform access