The WSJ investigation, published February 21, 2026, revealed that OpenAI’s internal monitoring system flagged Jesse Van Rootselaar’s ChatGPT account for “furtherance of violent activities” back in June 2025.

The conversations included violent scenarios involving gun violence, played out over multiple days. The automated system caught it. Human reviewers confirmed it was disturbing. About a dozen OpenAI employees then debated internally whether to notify law enforcement.

Some of those employees pushed hard to call the police.

Leadership said no.

OpenAI’s spokesperson said Van Rootselaar’s activity “did not meet the criteria for reporting to law enforcement.” Their policy requires an imminent threat of real-world harm before escalating to police.

The company also argued that being “too trigger-happy with police referrals can create unintended harm” — citing privacy concerns.

But here’s the thing nobody mentions: this isn’t a borderline case. The automated system flagged it. Human reviewers confirmed it was violent enough to ban. A dozen employees thought it warranted police involvement. And the company’s own category was “furtherance of violent activities.”

The counter-argument writes itself. If your own system classifies someone under “furtherance of violent activities” and your own employees are begging to call the cops — your threshold is set wrong.

OpenAI spokesperson:

“We proactively reached out to the Royal Canadian Mounted Police with information on the individual and their use of ChatGPT, and we’ll continue to support their investigation.”

RCMP Staff Sgt. Kris Clark:

Confirmed OpenAI contacted police after the shootings. Said a “thorough review of the content on electronic devices, as well as social media and online activities” is underway.

B.C. Government:

Stated there was “no mention of concerns from OpenAI” the day after the Tumbler Ridge shooting.

Privacy and AI safety researchers have pointed out that this case exposes a fundamental gap: AI companies have real-time access to threatening behavior that social media platforms don’t — because chatbots engage users directly, sometimes over multiple sessions.

Every major social media platform has wrestled with the “when do we call the police” question. Facebook, Instagram, Discord — all have protocols for imminent threats.

But AI chatbots are different. They’re not passive platforms where users post content for others to see. They’re active conversational partners. When someone describes gun violence scenarios to ChatGPT over multiple days, the AI is the only other party in the room.

That creates a duty-of-care question that hasn’t been legally tested yet. And it’s one OpenAI clearly doesn’t have a good answer for.

The data shows OpenAI has the technical capability to detect dangerous behavior — their automated system worked. The human reviewers confirmed the severity. The failure was a policy decision, not a technical one.

Van Rootselaar’s ChatGPT activity was far from the only warning sign:

• Created a game on Roblox simulating a mass shooting at a mall
• Posted about firearms on Reddit
• Local police had been called to the family home multiple times for mental health crises
• Had been hospitalized under B.C.'s Mental Health Act
• Started a fire while under the influence of drugs

The 18-year-old killed her mother and stepbrother at home before attacking Tumbler Ridge Secondary School, where she killed five students and a teacher and injured 25 others, then took her own life.

No single platform — not OpenAI, not Roblox, not Reddit, not local police — connected the dots.

The gap here is clear: automated detection works, but the decision pipeline after detection is broken. Companies need third-party auditing frameworks that evaluate whether their escalation policies actually protect people.

If you know anything about compliance software or safety frameworks, this is a market that barely exists and just got a very public use case.

Example: A security researcher in Estonia built a compliance-checking tool for GDPR violations using open-source LLMs. Sold it as a SaaS product to 40+ EU companies within 6 months. Revenue hit €8K/month before they even had a sales team. The same template applies to AI safety auditing — except the urgency is now 10x higher.

Timeline: 2-4 months to build an MVP. Regulatory pressure is already mounting. First movers in this space will own the market before legislation catches up.

OpenAI had 12 employees debating what to do. That means they had no clear protocol beyond “is it imminent?” Every AI company deploying a chatbot at scale needs a threat assessment framework — and most don’t have one.

If you have a background in threat assessment, crisis intervention, or behavioral analysis, you can package that into consulting for AI companies.

Example: A former law enforcement behavioral analyst in New Zealand pivoted into consulting for social media companies on threat escalation protocols. She’s now charging $200/hr and has contracts with three mid-size platforms. Her pitch: “You already detect the threats. I teach your team what to do next.” That pitch works verbatim for AI companies right now.

Timeline: Immediately. Every AI company’s legal team is reading these headlines today and asking “do we have a policy for this?”

The most damning detail in this story: Van Rootselaar was flagged on ChatGPT, created a mass shooting sim on Roblox, posted about guns on Reddit, and had police visits at home. Nobody connected the dots.

There’s a product here: a cross-platform risk signal aggregator that pulls behavioral flags from multiple services and scores cumulative risk.

Example: A data engineer in South Korea built a tool that aggregates public social media signals for corporate brand risk monitoring. He scraped public posts across 6 platforms, ran sentiment analysis, and sold alert dashboards to PR firms for $500/month per client. Same architecture, different application — behavioral risk instead of brand risk.

Timeline: 3-6 months for a working prototype. Privacy regulations are a minefield, but the demand from school districts, law enforcement, and corporate security teams will be massive.

Here’s a stat: hundreds of AI startups are deploying chatbots right now. Almost none of them have a formal escalation policy for when users express violent intent. OpenAI — the biggest player — just proved their policy doesn’t work.

Package threat escalation policy templates, legal frameworks, and compliance checklists. Sell them to AI startups who can’t afford a full legal team.

Example: A legal tech freelancer in Portugal created GDPR compliance template packs — privacy policies, data processing agreements, cookie consent frameworks — and sold them on Gumroad for €49-€199 each. Made €3K in the first month from organic traffic alone. AI safety policy templates are the 2026 version of that same play.

Timeline: 2-4 weeks to research and package. The news cycle is giving you free marketing right now.

School districts in Canada and the US are going to throw money at this problem. They already buy threat detection software for social media monitoring. Now they’ll want tools that interface with AI chatbot APIs too.

Example: A software developer in Brazil built a school violence early-warning dashboard that aggregated local social media posts near school locations and flagged keywords. Piloted it with 3 schools in São Paulo for R$2,000/month each. After a local media story about the tool, she had a waiting list of 40 schools. The Tumbler Ridge case makes this product category urgent globally.

Timeline: 4-8 weeks to build on existing threat monitoring APIs. School districts budget for safety tech quarterly — Q2 2026 purchasing decisions are being made right now.