How OpenAI Built a Secure Windows Sandbox for Codex Agents

2026-06-05 · Source: InfoQ · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Intermediate, quick

Summary

OpenAI detailed its custom Windows sandbox architecture for the Codex coding agent, released on June 05, 2026. This engineering effort addresses the challenge of balancing security, usability, and developer productivity on Windows, as existing isolation mechanisms like Windows Sandbox and Mandatory Integrity Control (MIC) proved inadequate for autonomous coding agents. Codex, which runs locally and interacts with developer environments, required a solution to restrict its access without disrupting workflows. OpenAI initially implemented an "unelevated sandbox" using Windows security identifiers (SIDs), access control lists (ACLs), and write-restricted tokens, creating a "sandbox-write" SID for controlled directory access. This was later redesigned into an "elevated sandbox," which establishes dedicated local Windows accounts, such as CodexSandboxOffline and CodexSandboxOnline, for executing commands with restricted tokens and managing network access via firewall rules. This approach aims to provide a secure yet functional environment for coding agents.

Key takeaway

For AI Architects designing agentic systems on Windows, this architecture demonstrates a viable path to secure execution. If you are evaluating how to integrate coding agents without granting unrestricted system access, consider adapting OpenAI's approach of custom local accounts and granular access controls. This allows your agents to interact with developer tools and files securely, mitigating risks associated with autonomous code execution while preserving workflow efficiency.

Key insights

OpenAI built a custom Windows sandbox for Codex to balance agent security with developer workflow integration, overcoming limitations of existing OS primitives.

Principles

• Existing OS isolation primitives may be insufficient for agentic workloads.
• Custom sandboxing requires balancing security, usability, and productivity.
• Granular access control is crucial for agent interaction with developer environments.

Method

OpenAI's sandbox design evolved from an "unelevated" system using SIDs/ACLs/write-restricted tokens to an "elevated" one with dedicated local Windows accounts and firewall-controlled network access.

In practice

• Implement synthetic SIDs for fine-grained write access control.
• Create dedicated local accounts for agent execution with restricted tokens.
• Use firewall rules to enforce network boundaries for agent processes.

Topics

• Windows Sandbox
• Codex Agent
• Security Identifiers
• Access Control Lists
• Agentic Workloads
• Application Security

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Engineer, AI Architect, AI Security Engineer

Related on AIssential

• Building a safe, effective sandbox to enable Codex on Windows — Effective sandboxing for coding agents on Windows requires custom solutions due to OS-level isolation gaps.
• Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board — MXC provides OS-level, policy-driven sandboxing for AI agents, enabling secure enterprise deployment by enforcing resource access boundaries.
• Running Codex safely at OpenAI — Securely deploying AI coding agents requires robust controls, granular visibility, and a balance between productivity and risk management.
• NVIDIA OpenShell: 18+ Practical Tips to Run AI Agents Without Losing Sleep — NVIDIA OpenShell provides kernel-level sandboxing for AI agents using declarative YAML policies.
• AI Agent Sandboxing for SaaS: How Builders Let Agents Work Without Letting Them Roam — AI agent sandboxing enables safe, controlled automation by enforcing strict boundaries around agent actions and resources.
• langchain-ai / open-swe — Open SWE provides an open-source framework for building internal coding agents, replicating architectures of leading tech companies.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.