OpenAI's Codex safety notes stand out because they focus on approvals, network policy, and logs rather than raw coding benchmarks. That is what production agent deployment looks like when risk is taken seriously.

Agent Governance - May 8, 2026

OpenAI's Codex safety architecture is built around three layers that matter in sequence: process isolation, network policy, and approval routing. The execution environment is a Windows sandbox using App Container isolation - not a Linux container - which is a deliberate choice. App Container restricts filesystem access, inter-process communication, and network connectivity at the OS level without requiring a separate hypervisor. Every tool call Codex makes - git, npm, a compiler, a test runner - runs inside that boundary. The default-deny network posture allowlists package registries and VCS hosts and blocks everything else. That default is what makes autonomous execution safe to enable in the first place.

The approval routing model is where the practical enterprise architecture lives. Codex classifies each planned action into a risk tier before executing it. Read-only operations - file reads, test runs, local builds - run automatically. Write operations that cross repository boundaries - git push, external API calls, file writes outside the working directory - trigger asynchronous approval requests. Operations with production or security implications - credential access, schema modifications, infrastructure changes - require synchronous human approval before the step proceeds. That three-tier model mirrors the coarse-to-fine permission structure in any well-designed RBAC system. What is novel is applying it dynamically to agent action sequences rather than to static resource access.
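
The three-tier routing described above, sketched as an added example; this is not OpenAI's code. The action-kind labels, the `classify` and `route_plan` functions, the treatment of writes inside the working directory as automatic, and the fail-closed handling of unknown actions are all assumptions made for illustration.

```python
import posixpath
from enum import Enum

class Tier(Enum):
    AUTO = 1    # runs without asking
    ASYNC = 2   # approval request is queued
    SYNC = 3    # step waits for a human decision

# Hypothetical labels for the action categories named in the text.
READ_ONLY = {"file_read", "test_run", "local_build"}
CROSS_BOUNDARY = {"git_push", "external_api_call"}
SENSITIVE = {"credential_access", "schema_modification", "infra_change"}

def inside(workdir, target):
    """Lexical containment: normalizes '..' but does not resolve symlinks."""
    root = posixpath.normpath(workdir)
    resolved = posixpath.normpath(posixpath.join(root, target))
    # commonpath compares whole segments, so /work/repo-evil is not in /work/repo.
    return posixpath.commonpath([root, resolved]) == root

def classify(kind, target, workdir):
    if kind in SENSITIVE:
        return Tier.SYNC
    if kind in CROSS_BOUNDARY:
        return Tier.ASYNC
    if kind == "file_write":
        # Assumption: writes that stay inside the working directory are automatic.
        return Tier.AUTO if inside(workdir, target) else Tier.ASYNC
    if kind in READ_ONLY:
        return Tier.AUTO
    return Tier.SYNC  # Assumption: unrecognized action kinds fail closed.

def route_plan(plan, workdir, approved=frozenset()):
    """Walk a plan in order and stop at the first SYNC step not yet approved.

    Returns (indices cleared to run, indices with a queued async request,
    index of the blocking step or None).
    """
    ran, pending = [], []
    for i, (kind, target) in enumerate(plan):
        tier = classify(kind, target, workdir)
        if tier is Tier.SYNC and i not in approved:
            return ran, pending, i
        (pending if tier is Tier.ASYNC else ran).append(i)
    return ran, pending, None

# Constructed sample plan (POSIX-style paths, for illustration only).
PLAN = [
    ("file_read", "src/app.py"), ("file_write", "src/app.py"),
    ("file_write", "../shared/config.yml"), ("test_run", ""),
    ("credential_access", "deploy-token"), ("git_push", "origin"),
]
```

Because classification happens per step against the current plan, the same `file_write` action lands in different tiers depending on where its target resolves, which is the dynamic behaviour static resource ACLs do not give you.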