OpenAI details its five-layer safety system for Sora 2, including C2PA metadata, CSAM detection, and teen protections. But real-world testing reveals stubborn blind spots that watermarks and classifiers can't fix.
OpenAI says it built Sora 2 "with safety at the foundation." Six months and over a million downloads later, that foundation has both held up and cracked in ways worth examining closely. Sora safety is more than a marketing bullet point — it's a live experiment with real-world consequences.
In a blog post detailing its approach, OpenAI laid out the safety architecture behind Sora 2 and the Sora social app — the TikTok-style feed where users generate, share, and remix AI video clips. The company's pitch: five concrete layers of protection covering everything from invisible metadata to child safety. But the pitch and the reality don't always match.
OK so pay attention here — OpenAI uses a five-layer defense system: C2PA metadata embedded in every video, visible watermarks, multi-modal content classifiers, CSAM detection tools, and teen-specific protections. Together, these aim to make Sora 2 the most safety-conscious AI video platform on the market — though enforcement gaps remain.
Every video generated with Sora carries two provenance signals. The first is a visible, moving watermark showing the Sora logo — a clear flag that what you're watching was made by AI. The second is C2PA metadata, an industry-standard cryptographic signature backed by Adobe, Google, Meta, and OpenAI itself.
C2PA is basically a digital birth certificate for media. It records what tool created the content and when, giving platforms and viewers a way to verify authenticity.
The idea is solid: every Sora video should carry proof of its AI origins, forever. The execution is another story entirely.
Here's the problem. That watermark? It's removable with free online tools. The C2PA metadata? Most social media platforms strip it on upload. So the moment someone downloads a Sora clip and posts it to Instagram, X, or TikTok, both safety signals vanish. OpenAI maintains internal reverse-image and audio search tools that can trace videos back to Sora with high accuracy, but that only helps after the damage is done.
This is where the heavy lifting happens. Sora 2 runs every generation through a gauntlet of automated checks. Input prompts get scanned. Output video frames get analyzed individually. Audio transcripts get reviewed. Even scene description texts go through moderation.
According to the Sora 2 System Card (published September 30, 2025), these classifiers cover nudity, self-harm, violence and gore, political persuasion, extremism, and hate speech. OpenAI says frame-level video moderation catches 95–99% of problematic content before users can download it.
That's a genuinely impressive catch rate — if accurate. And the audio safeguards deserve a mention too: Sora automatically scans transcripts of generated speech for policy violations and blocks attempts to generate music imitating living artists or existing copyrighted works.
But 95–99% isn't 100%. On a platform processing millions of generations, even a 1% slip-through rate means thousands of policy-violating videos making it into the wild.
This part's important — Sora's character system lets you create a digital avatar by recording a short video of yourself in the app. Your avatar can then appear in any Sora scene — and here's the key part — only with your explicit consent. You decide who can use your character, and you can revoke access at any time.
Consent-based likeness control sounds great on paper. Real-world enforcement has been messier.
OpenAI blocks attempts to generate videos of politicians, celebrities, and private individuals without permission. Sensitive prompts related to elections or explicit impersonation trigger automated safeguards. But the track record isn't clean. According to Built In's reporting, actor Bryan Cranston had his likeness used without consent shortly after launch, prompting SAG-AFTRA to push for tighter safeguards. OpenAI responded by strengthening its identity filters. And after offensive AI-generated animations of Martin Luther King Jr. circulated on the platform, OpenAI blocked all King-featured videos while strengthening guardrails for historical figures.
As of March 2026, OpenAI has also shifted from an opt-out to an opt-in system for intellectual property, offering revenue-sharing for creators who choose to participate.
This part's important — this is the area where OpenAI clearly takes no chances — and rightly so. The company uses Thorn's CSAM classifier to identify potentially new, unhashed child sexual abuse material, and integrates with Thorn's Safer tool to detect matches with known CSAM across all image and video uploads.
Any user who attempts to generate or upload CSAM gets reported to the National Center for Missing & Exploited Children (NCMEC) and permanently banned from all OpenAI services. OpenAI also uses a multi-modal moderation classifier specifically trained to detect sexual content involving minors across text, image, and video inputs.
This is one area where I've zero complaints about the approach. The multi-layered detection, automatic reporting, and permanent bans represent exactly the kind of zero-tolerance policy these platforms need.
Sora includes a separate set of protections for users under 18. The feed is designed to be age-appropriate, with limitations on mature output. Teen profiles aren't recommended to adult users. Parental controls through ChatGPT let parents manage whether teens can send and receive DMs. And as of March 2026, there are default scroll limits for teen accounts.
These teen protections are better than what most social platforms launched with. But "better than most" is a low bar.
The real question is whether these measures are enough given the platform's core mechanic: a social feed of AI-generated video that anyone can remix.
I mentioned this above, but it bears repeating. C2PA metadata and visible watermarks are only useful if they survive distribution. Right now, they mostly don't. Until major social platforms agree to preserve C2PA data on upload (and display it to viewers), this protection is more theoretical than practical.
Reports from multiple outlets noted that Sora 2's identity filters were circumvented within 24 hours of launch. Users found ways to generate non-consensual deepfakes of public figures, bypassing identity filters that were supposed to prevent it. OpenAI responded with mass bans and tighter filters, but the cat-and-mouse dynamic is real and ongoing. This mirrors broader concerns about AI agent security across the industry.
More than one million users downloaded Sora within the first five days. That's an enormous volume of generated content to moderate, even with automated classifiers. The 95–99% catch rate sounds strong until you do the math on millions of daily generations.
As of March 2026, the AI video generation space includes strong competitors like Runway, Kling AI, Pika, and Luma Dream Machine. Sora's user ratings tend to trail these rivals slightly, partly because of the friction its safety systems add to the creation process.
The thing is, that friction is a feature, not a bug. No other AI video tool has attempted to build a full social platform around generated video while simultaneously implementing this level of content moderation. Runway and Kling are generation tools. Sora is trying to be a generation tool AND a social network — which makes the safety challenge fundamentally harder.
OpenAI's iterative approach means Sora safety is a moving target. The company is investing heavily across its stack — from acquiring dev tools like Astral to expanding agent capabilities. The company has committed to rolling updates, tighter classifiers, and expanded red teaming. The Disney partnership announced in December 2025 — a reported $1 billion multi-year deal granting access to 200+ Disney characters — will test these safety systems in entirely new ways when licensed character generation launches in 2026.
The bigger picture is that Sora is a test case for the entire AI video industry. If OpenAI can make a social AI video platform work safely at scale, it sets the template. If it can't, regulators will step in with rules that apply to everyone.
Sora safety isn't a solved problem. But it's a problem OpenAI is at least trying to solve in public, with real infrastructure behind the effort. That counts for something — even when the cracks show.
Sources
ChatGPT Pro subscribers ($200/month) can download Sora videos without the visible watermark. Free and Plus tier users always get the watermark. Third-party tools can technically remove the watermark, but doing so violates OpenAI's terms of service and strips an important AI provenance signal. C2PA metadata may still remain in the file even if the visible watermark is removed.
As of March 2026, the Sora app is available on both iOS and Android. OpenAI launched the Android version in November 2025, and it's available on the Google Play Store. You can also access Sora video generation through ChatGPT on desktop if you have a Plus ($20/month) or Pro ($200/month) subscription, though the social feed features are app-only.
Sora is included with ChatGPT Plus ($20/month) for 720p, 5-second clips and ChatGPT Pro ($200/month) for 1080p videos up to 25 seconds with watermark-free downloads and 10x credits. For API access, Sora 2 costs $0.10/second at 720p and up to $0.50/second at 1024p resolution. Sora is not available on Team, Enterprise, or Edu plans.
OpenAI's character system requires consent for likeness use, and you can revoke access to your avatar at any time. If someone bypasses these controls, you can report the content through Sora's in-app reporting. OpenAI has banned users and tightened filters in response to non-consensual deepfakes. For serious cases, OpenAI cooperates with law enforcement. You can also file a DMCA takedown request through OpenAI's official channels.
As of March 2026, the Sora app is available in the United States, Canada, Japan, South Korea, Thailand, Vietnam, and Taiwan. OpenAI has not publicly announced a timeline for broader availability in the EU or UK, though Sora video generation within ChatGPT may have wider geographic access depending on your subscription plan and local regulations.
