Running Codex safely at OpenAI
Source: OpenAI Blog
Overview
As AI systems become more capable, they increasingly act on behalf of users. Coding agents can now:
- Autonomously review repositories
- Run commands
- Interact with development tools
These tasks previously required direct human execution.
Codex — Capabilities + Controls
With Codex, we’ve built powerful agent capabilities and the controls organizations need for safe deployment.
What security teams need to govern
- Access limits – Define which files, services, or APIs the agent may touch.
- Human‑in‑the‑loop – Specify when explicit approval is required before an action proceeds.
- System interaction boundaries – Restrict which external systems (e.g., CI pipelines, databases) the agent can communicate with.
- Telemetry & observability – Capture detailed logs that explain the agent’s behavior.
Deployment Goals at OpenAI
- Technical containment – Keep the agent inside clear, enforceable boundaries.
- Rapid low‑risk actions – Allow developers to move quickly on safe operations without unnecessary friction.
- Explicit high‑risk actions – Make any higher‑risk activity visible and require explicit acknowledgment.
- Agent‑native telemetry – Preserve detailed logs so we can understand and audit every step the agent takes.
How we achieve these goals
- Managed configuration – Centralized policies that dictate what the agent can do.
- Constrained execution – Sandboxed runtimes that enforce the defined limits.
- Network policies – Whitelists/blacklists that control outbound and inbound traffic.
- Agent‑native logs – Structured, searchable logs that record inputs, decisions, and outcomes.
By combining robust capabilities with strict governance, Codex enables developers to leverage autonomous coding agents safely and transparently.
Controlling How Codex Operates
We run Codex with a simple principle: productivity inside a bounded environment.
- Low‑risk, everyday actions should be friction‑less.
- Higher‑risk actions must stop for review.
1. Sandbox + Approval Policy
| Component | What It Controls | Example |
|---|---|---|
| Sandbox | Technical execution boundary (write locations, network reach, protected paths). | Limits file‑system writes to /tmp and /var/app. |
| Approval Policy | When Codex must ask for permission (e.g., actions outside the sandbox). | Requires user approval for any network request to an unknown domain. |
| Interaction | Users can approve a single request or approve that type of request for the whole session. | “Approve all git push operations for this session.” |
2. Auto‑Review Mode
- Purpose: Reduce interruptions for routine, low‑risk requests.
- How it works:
- Codex sends the planned action + recent context to the auto‑approval sub‑agent.
- The sub‑agent automatically approves actions that meet low‑risk criteria.
- Only higher‑risk or ambiguous actions interrupt the user.
Result: Codex stays productive on routine work while still stopping for potentially risky operations.
3. Network Access Controls
- No open‑ended outbound access.
- Managed network policy
- Allows known, expected destinations.
- Blocks disallowed destinations.
- Requires approval for unfamiliar domains.
This lets Codex complete common, trusted workflows without granting broad internet access.
4. Authentication Management
| Element | Implementation |
|---|---|
| Credentials | CLI and MCP OAuth tokens stored in the OS keyring (secure). |
| Login flow | Forced through ChatGPT, tied to the enterprise workspace. |
| Auditability | All Codex activity appears in the ChatGPT Compliance Logs Platform for the workspace. |
5. Command‑Safety Rules
- Benign commands (e.g.,
git status,npm install) → allowed without approval, even outside the sandbox. - Dangerous commands (e.g.,
rm -rf /,dd if=) → blocked or require explicit approval.
This enables fast, ordinary engineering tasks while preventing unwanted or destructive actions.
6. Enforcement Mechanisms
- Cloud‑managed requirements – Admin‑enforced controls that users cannot override.
- macOS managed preferences – Centralized baseline configuration.
- Local requirements files – Allow testing of different configurations per team, user group, or environment.
These mechanisms apply uniformly across all Codex surfaces:
- Desktop app
- CLI
- IDE extension
By combining sandboxing, approval policies, auto‑review, strict network/auth controls, command‑safety rules, and layered enforcement, we achieve a secure yet productive Codex deployment.
Agent‑Native Telemetry and Audit Trails
Control is only half the job. Once agents are deployed, security teams need visibility into what the agents are doing and why. Traditional security logs still capture events such as “process started”, “file changed”, or “network connection attempted”, but they rarely explain the intent behind those actions.
What Codex Provides
| Feature | Description |
|---|---|
| OpenTelemetry log export | Streams Codex‑specific events (user prompts, tool‑approval decisions, tool execution results, MCP server usage, network‑proxy allow/deny events) to any OTEL‑compatible collector. |
| Compliance Platform access | Activity logs are also available through the OpenAI Compliance Platform for Enterprise and Edu customers. |
| Agent‑aware view | Logs tie together the user request, the agent’s reasoning, and the resulting actions, giving security teams the context they need. |
How We Use the Telemetry
-
Incident triage
- An endpoint alert flags “Codex did something unusual”.
- The endpoint tool reports the suspicious event.
- Codex logs are queried to reveal:
- The original user request.
- Any tool invocations and their results.
- Approval decisions made by the agent.
- Network policy decisions (allow/deny).
- Our AI‑powered security triage agent synthesizes this information and surfaces a concise analysis for the security team, helping them distinguish:
- Expected agent behavior.
- Benign mistakes.
- Activity that truly warrants escalation.
-
Operational insights
- Track internal adoption trends (which tools and MCP servers are most used).
- Measure network‑sandbox activity (frequency of blocks vs. prompts).
- Identify rollout friction points that need tuning.
-
Centralized monitoring
- Exported OpenTelemetry logs are ingested into SIEM and compliance logging systems, enabling:
- Real‑time alerting.
- Long‑term retention for audits.
- Correlation with other security telemetry.
- Exported OpenTelemetry logs are ingested into SIEM and compliance logging systems, enabling:
Benefits
- Contextual visibility – Security teams see both the what and the why of agent actions.
- Faster investigation – Automated triage reduces mean‑time‑to‑investigate (MTTI).
- Continuous improvement – Operational metrics guide policy refinements and agent updates.
- Compliance readiness – Logs meet enterprise audit requirements and can be retained per regulatory mandates.
By leveraging Codex’s native telemetry, organizations gain a comprehensive, agent‑aware audit trail that turns raw events into actionable intelligence.
Looking Ahead
As coding agents like Codex become integrated into development workflows, security teams need tools specifically designed for managing this shift. Codex provides the control surfaces, configuration management, sandboxing, and detailed agent‑aware telemetry needed to ensure safe adoption. With those capabilities in place, security teams can enable Codex with greater confidence, balancing developer productivity with the visibility and control required for enterprise security.