Running Codex safely at OpenAI
Source: OpenAI Date: 2026-05-08 URL: https://openai.com/index/running-codex-safely
Summary
OpenAI published its internal playbook for deploying Codex at enterprise scale: a combination of technical sandboxing (scoped file write paths, allowlist-based network policy, no open outbound access), a tiered approval model (frictionless for low-risk shell commands, explicit review or block for high-risk ones), and agent-native telemetry via OpenTelemetry export. Credentials are stored in the OS keyring, access is pinned to the ChatGPT Enterprise workspace, and Codex logs flow into an AI-powered security triage agent that correlates endpoint alerts with agent intent. Configuration is enforced through a mix of cloud-managed requirements and macOS managed preferences that individual users cannot override.
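The way a sandbox boundary and a tiered approval policy combine into one decision can be sketched as follows. This is an added example, not code or configuration from OpenAI or Codex. The writable root, allowlisted hosts, command lists and record field names are all hypothetical values constructed for illustration.

```python
import posixpath
import shlex
from dataclasses import dataclass

# Hypothetical policy values, constructed for this example.
WRITABLE_ROOT = "/workspace/project"
NETWORK_ALLOWLIST = frozenset({"pypi.org", "github.com"})
LOW_RISK_CMDS = frozenset({"ls", "cat", "grep", "pwd"})
BLOCKED_CMDS = frozenset({"sudo", "mkfs", "dd"})
SHELL_CONTROL = frozenset(";|&$`<>\n")

@dataclass(frozen=True)
class Action:
    kind: str    # "write", "network" or "shell"
    target: str  # file path, hostname or command line

def in_sandbox(path: str) -> bool:
    # Lexical check only: collapses ".." but cannot see symlinks, so the
    # OS-level sandbox must still enforce the boundary.
    norm = posixpath.normpath(posixpath.join(WRITABLE_ROOT, path))
    return norm == WRITABLE_ROOT or norm.startswith(WRITABLE_ROOT + "/")

def decide(action: Action) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, review or block."""
    if action.kind == "write":
        if in_sandbox(action.target):
            return "allow", "inside writable root"
        return "review", "write crosses the sandbox boundary"
    if action.kind == "network":
        host = action.target.lower().rstrip(".")
        if host in NETWORK_ALLOWLIST:
            return "allow", "host on allowlist"
        return "block", "no open outbound access"
    if action.kind != "shell":
        return "block", "unknown action kind"
    try:
        argv = shlex.split(action.target)
    except ValueError:
        return "review", "unparseable command line"
    if not argv:
        return "review", "empty command"
    if posixpath.basename(argv[0]) in BLOCKED_CMDS:
        return "block", "high-risk command"
    if SHELL_CONTROL & set(action.target):
        return "review", "chaining, redirection or expansion present"
    if argv[0] in LOW_RISK_CMDS:  # bare name only, not /tmp/x/ls
        return "allow", "low-risk command"
    return "review", "not on the low-risk list"

def audit_record(action: Action) -> dict:
    # Shape of the record a telemetry exporter would ship; field names assumed.
    decision, reason = decide(action)
    return {"kind": action.kind, "target": action.target,
            "decision": decision, "reason": reason}
```

Anything the policy cannot positively classify falls to review rather than allow, so the low-risk path stays frictionless without becoming the default.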
Implications
- This is the first detailed public reference architecture for governing coding agents in the enterprise: it establishes a vocabulary (sandbox boundary, approval policy, auto-review subagent, agent-native telemetry) that will likely become the baseline expectation for enterprise CLI agent deployments.
- The auto-review subagent pattern — a secondary agent that auto-approves low-risk cross-sandbox actions — is a novel orchestration primitive worth tracking; it decouples agent productivity from human approval latency without fully removing oversight.
- OpenTelemetry as the telemetry layer for agent activity (prompts, tool calls, approval decisions, network blocks) is a significant convergence signal: it means agent observability can plug into existing SIEM stacks, lowering the adoption bar for security teams.
- The framing of “sandbox + approval policy working together” mirrors Claude Code’s own `hard_deny` and auto mode classifier additions (v2.1.136), suggesting the two vendors are converging on the same governance model independently.