Building a safe, effective sandbox to enable Codex on Windows

Source: OpenAI News · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, long

Summary

OpenAI's Codex engineering team implemented a new "elevated sandbox" for Windows to enable safe and effective use of its coding agents, addressing limitations of an earlier "unelevated sandbox" prototype. Released on May 13, 2026, this solution overcomes the lack of native Windows isolation utilities comparable to macOS's Seatbelt or Linux's seccomp. The team evaluated and rejected existing Windows tools like AppContainer, Windows Sandbox, and Mandatory Integrity Control labeling because they were either incompatible with open-ended developer workflows or introduced security risks. The final design, which requires administrative privileges during setup, uses synthetic SIDs, write-restricted tokens, dedicated local Windows users (`CodexSandboxOffline`, `CodexSandboxOnline`), and Windows Firewall rules to enforce granular file write restrictions and robust network access control. This complex architecture balances security with the agent's need to operate effectively within a user's development environment.

Key takeaway

For AI Architects and CTOs evaluating coding agent deployments on Windows, recognize that robust security requires a custom, multi-component sandbox. Your teams should anticipate an elevated setup process and a more complex architecture than on other operating systems. This design ensures agents can operate effectively within developer workflows while mitigating critical risks like unauthorized file writes and data exfiltration, justifying the initial setup complexity for enhanced operational safety.

Key insights

Effective sandboxing for coding agents on Windows requires custom solutions due to OS-level isolation gaps.

Method

The elevated sandbox creates dedicated Windows users, synthetic SIDs, and write-restricted tokens, then applies Windows Firewall rules and ACLs to control file writes and network access for agent processes.

Best for: AI Architect, CTO, VP of Engineering/Data, AI Engineer, AI Security Engineer, Software Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by OpenAI News.