
Coding agents with access to repositories and the ability to run commands need more than alignment training. In this post, OpenAI describes how it handles Codex safety in practice.

Sandbox and network isolation are defaults, not optional extras

Codex runs in a per-repository sandbox. Network access is restricted by default, not open. This is an architectural decision: an agent that cannot call arbitrary endpoints by default causes less damage even when given a malicious or confused prompt. OpenAI adds telemetry designed for agent workflows, meaning logs that make sense when reviewing what an agent actually did, not just raw HTTP calls.

For security and compliance teams, this is a different layer than alignment

The question with coding agents is not only "what can the model do" but "what exactly can it break". Sandboxing, granular permissions, and approval gates before destructive actions move security from a model property to a product property. Enterprise security teams will value this more than benchmarks: an audit trail that holds up under internal review.

This deployment is internal, not a general enterprise standard

OpenAI describes its own internal deployment, not an industry standard. What works when OpenAI runs Codex internally may not transfer unchanged to every enterprise environment with a different legacy stack or stricter network policy. The source page returned 403 during verification, so specific technical details rely on the raw excerpt and existing content.

This becomes the industry baseline when customers start requiring these guarantees in procurement

Watch whether similar guarantees start appearing as procurement requirements: per-repo isolation, configurable network access, approval gates as the default, and audit-ready telemetry. Agent development without operational safety is just a root shell with better UX.
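To make the four guarantees above concrete, here is an added example (not code from OpenAI or from Codex) of what a product-level policy gate for agent actions can look like: one policy object per repository, network access denied by default unless the host is on an allowlist, an approval gate in front of destructive shell commands, and an audit entry for every decision that reads as "what the agent tried and why it was allowed or stopped". The action format, the destructive-command patterns and the hosts are constructed assumptions for the example.

```python
"""Illustrative per-repository policy gate for a coding agent.

Constructed example: the action schema ({"kind": "exec"|"network", ...}),
the destructive-command patterns and the allowlisted hosts are assumptions,
not the configuration of any real product.
"""
import re
from dataclasses import dataclass


@dataclass
class RepoPolicy:
    """Policy scoped to one repository sandbox (assumed schema)."""
    repo: str
    # Network is deny-by-default: only these hosts may be contacted.
    network_allowlist: frozenset = frozenset()
    # Commands matching any of these patterns need a human approval before
    # they run (constructed list; a real deployment would tune it).
    destructive_patterns: tuple = (
        r"^rm\s+-[a-z]*r",            # recursive delete
        r"^git\s+push\b.*--force",    # force push rewrites shared history
        r"^git\s+reset\s+--hard",     # discards the working tree
        r"^git\s+clean\s+-[a-z]*f",   # deletes untracked files
        r"^dropdb\b",                 # drops a database
    )


@dataclass
class Decision:
    action: dict
    outcome: str   # "allow", "deny" or "needs_approval"
    reason: str


class PolicyGate:
    """Evaluates proposed agent actions and records an audit trail."""

    def __init__(self, policy: RepoPolicy):
        self.policy = policy
        self.audit_log = []  # one dict per decision, in order

    def _is_destructive(self, cmd: str) -> bool:
        return any(re.search(p, cmd) for p in self.policy.destructive_patterns)

    def evaluate(self, action: dict) -> Decision:
        kind = action.get("kind")
        if kind == "network":
            host = action.get("host", "")
            if host in self.policy.network_allowlist:
                d = Decision(action, "allow", f"host {host} is on the allowlist")
            else:
                d = Decision(action, "deny", f"host {host} not allowlisted (default deny)")
        elif kind == "exec":
            cmd = action.get("cmd", "")
            # Check each segment of a pipeline or command list, so that a
            # destructive step hidden after "&&" or "|" is still gated.
            segments = re.split(r"\s*(?:\|\||&&|;|\|)\s*", cmd)
            if any(self._is_destructive(s.strip()) for s in segments):
                d = Decision(action, "needs_approval", "matches a destructive-command pattern")
            else:
                d = Decision(action, "allow", "non-destructive command inside the sandbox")
        else:
            d = Decision(action, "deny", f"unknown action kind {kind!r}")
        self.audit_log.append({
            "repo": self.policy.repo,
            "outcome": d.outcome,
            "target": action.get("cmd") or action.get("host"),
            "reason": d.reason,
        })
        return d

    def audit_lines(self):
        """Human-readable audit trail: one line per decision."""
        return [f"[{e['repo']}] {e['outcome'].upper():<14} {e['target']!r}: {e['reason']}"
                for e in self.audit_log]


def run_demo():
    """Run a constructed sequence of agent actions through the gate."""
    policy = RepoPolicy(repo="example-service", network_allowlist=frozenset({"pypi.org"}))
    gate = PolicyGate(policy)
    actions = [  # constructed sample actions
        {"kind": "exec", "cmd": "pytest -q"},
        {"kind": "exec", "cmd": "rm -rf build/"},
        {"kind": "network", "host": "pypi.org"},
        {"kind": "network", "host": "unlisted.example"},
        {"kind": "exec", "cmd": "git fetch && git push --force origin main"},
    ]
    decisions = [gate.evaluate(a) for a in actions]
    return decisions, gate.audit_lines()


if __name__ == "__main__":
    _, lines = run_demo()
    print("\n".join(lines))
```

The point of the example is where the decision lives: the model proposes, the gate decides, and the audit log records the outcome with a reason a reviewer can read. A real deployment would replace the pattern list with the organisation's own definition of "destructive" and would enforce the network policy in the sandbox itself rather than trusting the agent to announce its connections.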

Lilith's verdict

Agent safety is moving from footnote to product architecture. A team that skips it will eventually discover that its agent had root access to the repository and nobody knows what it did there.

I keep the external link at the end. First, a concise explanation here — no hunting across someone else's site.

Original source ↗
