OpenAI Enhances Codex Security with Advanced Controls
Running Codex Safely at OpenAI
As artificial intelligence systems become more sophisticated, they are starting to act autonomously on behalf of users. Coding agents, like Codex, are capable of examining repositories, executing commands, and interacting with development tools—tasks that previously required direct human intervention.
At OpenAI, the development of Codex is accompanied by the implementation of rigorous controls to ensure secure deployment. Security teams need mechanisms to regulate the operation of agents: determining what they can access, when human approval is necessary, which systems they can interact with, and what telemetry is available to explain their behavior.
OpenAI's primary goal is to keep Codex within precise technical boundaries, allowing developers to quickly perform low-risk actions while making higher-risk actions explicit. The agent-specific telemetry is also preserved to understand and audit its actions. This involves managed configuration, constrained execution, strict network policies, and native agent logging.
Controlling Codex's Operation
OpenAI deploys Codex based on a fundamental principle: it must be productive in a defined environment, where low-risk daily actions occur seamlessly, while higher-risk actions are halted for review.
Sandboxing and Approvals
Sandboxing and approvals work in tandem. The sandbox defines the technical execution boundaries, including where Codex can write, its network access, and protected paths. The approval policy determines when Codex must request permission for an action, particularly when it needs to operate outside the sandbox. Users can approve an action on a one-time basis or for the entire session.
For routine approval requests, OpenAI employs the Auto-review mode, which automatically approves certain types of requests to reduce the frequency of interruptions. Codex sends the intended action and recent context to a self-approval sub-agent, which can automatically approve low-risk actions, allowing Codex to continue routine tasks while stopping for higher-risk actions or those with unexpected consequences.
Network Access
Codex does not have unlimited outgoing network access. The network policy managed by OpenAI only allows intended destinations, blocks undesirable ones, and requires approval for unknown domains. This enables Codex to complete common workflows without granting it extensive network access.
Identity and Credentials
Managing Codex's authentication is crucial. CLI OAuth tokens and MCP credentials are stored in the OS's secure keychain, and login is enforced via ChatGPT. Access is tied to the ChatGPT enterprise workspace, which keeps Codex usage under control and makes Codex's activity available in the compliance logging platform for that workspace.
Rules
OpenAI employs rules to ensure that Codex does not treat every shell command as equally safe. Common benign commands used by engineers in daily development are allowed without approval outside the sandbox, while certain dangerous commands may be blocked or require approval. This allows Codex to progress quickly in ordinary engineering tasks while forcing a review or blocking undesirable patterns outside the sandbox.
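The three-outcome posture described for shell rules and for the network policy (allow without approval, require approval, block) can be modelled as a small policy evaluator. This is an added illustration, not Codex's own rule format or code: the rule tables, the `outside_sandbox` flag and the helper names are assumptions, and the evaluator splits a command line into its simple commands so that an allow-listed prefix cannot carry a riskier command behind `&&`, `;` or a pipe.

```python
"""Three-outcome policy check for agent actions (added illustration; the rule
tables and helper names are assumptions, not Codex's real configuration)."""
import shlex
from urllib.parse import urlparse

# Constructed rule tables: argv prefixes for simple commands, hostnames for
# network destinations (subdomains of an allowed host are allowed too).
ALLOW_PREFIXES = [("git", "status"), ("git", "diff"), ("ls",), ("cat",), ("npm", "test")]
BLOCK_PREFIXES = [("rm", "-rf", "/"), ("git", "push", "--force"), ("sudo",)]
ALLOWED_HOSTS = ["registry.npmjs.org", "pypi.org", "github.com"]
DENIED_HOSTS = ["blocked.example"]
SEPARATORS = {"&&", "||", ";", "|"}

def split_segments(command):
    """Split a line into simple commands so a benign prefix cannot smuggle a
    riskier command behind '&&', ';' or a pipe. Raises ValueError on bad quoting."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep paths and URLs as single tokens
    segments, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    return segments + ([current] if current else [])

def _has_prefix(argv, prefixes):
    return any(tuple(argv[:len(p)]) == p for p in prefixes)

def classify_command(command, outside_sandbox=True):
    """Return 'allow', 'ask' or 'block' for a whole command line. Inside the
    sandbox anything not blocked runs; outside it only allow-listed simple
    commands run without approval and everything else must ask."""
    try:
        segments = split_segments(command)
    except ValueError:  # unbalanced quotes: cannot tell what would run
        return "ask"
    if not segments:
        return "ask"  # never auto-approve an empty action
    if any(_has_prefix(seg, BLOCK_PREFIXES) for seg in segments):
        return "block"  # one blocked simple command blocks the whole line
    if outside_sandbox and not all(_has_prefix(seg, ALLOW_PREFIXES) for seg in segments):
        return "ask"
    return "allow"

def classify_destination(url):
    """Return 'allow', 'ask' or 'block' for an outbound request URL."""
    host = (urlparse(url).hostname or "").lower()
    matches = lambda hosts: any(host == h or host.endswith("." + h) for h in hosts)
    return "block" if matches(DENIED_HOSTS) else "allow" if matches(ALLOWED_HOSTS) else "ask"
```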
Managed Configurations
OpenAI applies this posture through a combination of managed cloud requirements, managed macOS preferences, and local requirement files. Requirements are controls imposed by the administrator that users cannot bypass. Managed macOS preferences and local requirement files help maintain a consistent baseline while testing different configurations by team, user group, or environment. These configurations apply to all local surfaces of Codex, including the desktop application, CLI, and IDE extension.
Native Agent Telemetry and Audit Trails
Control is only part of the challenge. Once agents are deployed, security teams need visibility into what these agents are doing and why. Traditional security logs remain useful for examining actions taken by Codex, but they primarily answer the question of what happened: a process started, a file changed, a network connection was attempted. Defenders still need to determine why Codex acted that way or what the user's intent was.
Codex can provide security teams with a more intent-aware view of the agent. It supports the export of OpenTelemetry logs for various Codex events such as user prompts, tool approval decisions, tool execution outcomes, MCP server usage, and network proxy authorization or denial events. Codex activity logs are also available through the OpenAI compliance platform for enterprise and educational customers.
At OpenAI, Codex logs are used alongside an AI-powered security triage agent. When an endpoint alert indicates that Codex has acted unusually, the endpoint security tool reports only that a suspicious event has occurred; the Codex logs then supply the intent behind the user's and the agent's actions. The triage agent uses them to review the original request, tool activity, approval decisions, tool outcomes, and any relevant network policy decisions or blocks, and presents its analysis to the security team so reviewers can distinguish expected agent behavior, benign errors, and activity that genuinely requires escalation.
The same telemetry is also used operationally: to understand how internal adoption is evolving, which tools and MCP servers are being used, how often the network sandbox blocks a request or prompts for approval, and where the deployment still needs adjustment. OpenTelemetry logs can be centralized in SIEM and compliance logging systems.
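The triage flow above, reconstructing "why" from agent-native events after an endpoint alert, as an added example that is not OpenAI's triage agent or Codex's real log schema. The event names, field names and the JSON-lines export are constructed assumptions; the function rebuilds one session's timeline from prompt to tool results and flags what a reviewer would want first: a command that ran without a recorded allow decision, and destinations the network proxy denied.

```python
"""Rebuild a Codex session's intent chain from agent-native event logs.
Added illustration: event names, fields and the JSON-lines layout are
constructed assumptions, not the real Codex OpenTelemetry schema."""
import json

# Constructed sample export: one session, one JSON event per line.
SAMPLE_LOG = """
{"ts":"2025-01-01T10:00:00Z","session":"s1","event":"user_prompt","text":"fix the failing unit tests in the payments module"}
{"ts":"2025-01-01T10:00:05Z","session":"s1","event":"tool_approval","cmd":"npm test","decision":"allow","approver":"rule"}
{"ts":"2025-01-01T10:00:09Z","session":"s1","event":"tool_result","cmd":"npm test","exit_code":1}
{"ts":"2025-01-01T10:00:30Z","session":"s1","event":"network_proxy","host":"registry.npmjs.org","decision":"allow"}
{"ts":"2025-01-01T10:00:31Z","session":"s1","event":"network_proxy","host":"unknown.example","decision":"deny"}
{"ts":"2025-01-01T10:00:40Z","session":"s1","event":"tool_approval","cmd":"git push --force origin main","decision":"ask","approver":"auto_review"}
{"ts":"2025-01-01T10:00:41Z","session":"s1","event":"tool_result","cmd":"git push --force origin main","exit_code":0}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage_session(events, session_id):
    """Return (prompt, timeline, findings) for one session.
    timeline: (ts, event, summary) rows in time order for a human reviewer.
    findings: (subject, reason) pairs: a tool result whose command has no
    recorded 'allow' decision, or a destination the network proxy denied."""
    evs = sorted((e for e in events if e["session"] == session_id), key=lambda e: e["ts"])
    prompt, timeline, findings = None, [], []
    approval = {}  # cmd -> latest decision: "allow", "ask" or "deny"
    for e in evs:
        kind = e["event"]
        if kind == "user_prompt":
            prompt = e["text"]
            timeline.append((e["ts"], kind, prompt))
        elif kind == "tool_approval":
            approval[e["cmd"]] = e["decision"]
            timeline.append((e["ts"], kind, f"{e['cmd']} -> {e['decision']} by {e['approver']}"))
        elif kind == "user_approval":  # the human's answer to an "ask"
            approval[e["cmd"]] = "allow" if e["decision"] == "approve" else "deny"
            timeline.append((e["ts"], kind, f"{e['cmd']} -> {approval[e['cmd']]}"))
        elif kind == "tool_result":
            state = approval.get(e["cmd"], "none")
            timeline.append((e["ts"], kind, f"{e['cmd']} exit={e['exit_code']} approval={state}"))
            if state != "allow":
                findings.append((e["cmd"], f"executed with approval state '{state}'"))
        elif kind == "network_proxy":
            timeline.append((e["ts"], kind, f"{e['host']} -> {e['decision']}"))
            if e["decision"] == "deny":
                findings.append((e["host"], "destination denied by network proxy"))
    return prompt, timeline, findings
```

Feeding the block's `SAMPLE_LOG` through `triage_session` yields the prompt, a seven-row timeline and two findings: the denied destination and the force-push that ran while its approval was still pending.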
Outlook
As coding agents like Codex integrate into development workflows, security teams need tools specifically designed to manage this change. Codex provides the control surfaces, configuration management, sandboxing, and detailed agent-aware telemetry necessary to ensure secure adoption. With these capabilities in place, security teams can enable Codex with greater confidence, balancing developer productivity with the visibility and control required for enterprise security.