OpenAI publishes its internal Codex safety stack — sandboxing, approvals, agent-native telemetry

OpenAI published a developer-facing breakdown of how it operates Codex internally, with an emphasis on the safety controls that wrap the coding agent before it touches a real codebase [OpenAI].

── What shipped ──

Four layers of control, named explicitly in the post:

• Sandboxed execution. Each Codex run happens in an isolated environment — filesystem and process boundaries that block lateral movement if the agent goes off-task or is prompt-injected by hostile content in the repo.
• Per-action approvals. Sensitive operations (writes outside the workspace, network egress, package installs) prompt for explicit allow before the agent proceeds. The default posture is least-privilege rather than blanket trust.
• Network policies. Egress is restricted to allow-listed destinations during a Codex session, which closes the "agent reads your code, then exfiltrates secrets to an attacker-controlled endpoint" path that has bitten other coding-agent rollouts.
• Agent-native telemetry. Logs are structured around the agent's reasoning trace — what the agent decided to do, what tool it called, what it saw back — rather than around an assumed human caller. That's the layer most existing observability stacks miss when they're shoehorned onto autonomous agents.

── Why it matters ──

Coding agents are the highest-risk category of AI deployment in an enterprise today. They sit close to source code (secrets, IP, customer data), they run code (lateral movement potential), and they're targets for prompt injection through PRs, issues, and dependencies [OpenAI].

OpenAI publishing its internal posture is a soft standard-setting move. The four-layer pattern — sandbox + approvals + egress controls + agent-native logs — is going to show up in security reviews, vendor questionnaires, and SOC-2 evidence requests over the next 6-12 months. Vendors that can answer those questions with concrete controls will close enterprise deals; vendors that hand-wave will lose them.

For teams currently rolling out Cursor, Codex, Claude Code, Aider, Devin, or an in-house agent — this is the rubric that procurement is about to start using.

── Editor's take ──

The interesting thing about this post is not that OpenAI built these controls. Any serious enterprise coding agent has to. What's interesting is that OpenAI published the rubric publicly, which boxes in competitors who haven't shipped the same controls yet. It's the same playbook AWS used with the Shared Responsibility Model in the early cloud era — define the security framing first, become the reference everyone else gets compared against. Anthropic and the Codex-derivative open-source projects will need to publish an equivalent post within a quarter, or risk looking less mature in side-by-side comparisons.