OpenAI just published its internal playbook for running Codex without letting a coding agent wreck production. According to OpenAI, the approach rests on four pillars: sandboxing, approvals, network policies, and agent-native telemetry. What stands out here is that this isn’t theory. It’s the same setup OpenAI uses to deploy Codex across its own engineering teams.
If you’re rolling out a coding agent at your company, this guide walks through the steps in order. No skipped layers.
Quick Start
You’ll learn how to deploy a coding agent like Codex with guardrails that prevent data leaks, runaway commands, and compliance headaches. You need: a sandboxed execution environment, an approval workflow, a network egress policy, and a telemetry pipeline tuned for agent behavior.
Step 1: Sandbox Every Execution
Never let the agent touch the host directly. OpenAI runs Codex inside isolated containers so any command it executes stays contained. This matters because coding agents will try things (install packages, modify files, spawn processes), and a sandbox keeps mistakes or prompt injections from spreading to your real systems.
Best practice: treat each task as ephemeral. Spin up the sandbox, run the work, tear it down.
Step 2: Require Approvals for Sensitive Actions
Sandboxes contain damage, but approvals prevent it. OpenAI gates risky operations like pushing code, calling external APIs, or modifying shared resources behind a human checkpoint. The agent proposes, the human confirms.
Why it matters: autonomy is great until it isn’t. Approval gates are cheap insurance against the one-in-a-thousand action that costs you a database.
Tip from OpenAI: tier your approvals. Routine reads stay automatic. Writes to production require a click.
Step 3: Lock Down the Network
A coding agent with open internet access is a data exfiltration risk waiting to happen. OpenAI applies strict network policies that whitelist only the domains Codex actually needs (package registries, internal services, approved APIs).
This blocks two failure modes at once: the agent can’t accidentally pull malicious code from a typo-squatted domain, and a compromised prompt can’t quietly ship your secrets to an attacker’s server.
Warning: don’t default to open egress and tighten later. Start closed, open as needed.
Step 4: Build Agent-Native Telemetry
Standard logging won’t cut it. OpenAI built telemetry specifically for how agents behave (tracking prompts, tool calls, file edits, command executions, and the reasoning chain behind each action). That’s the difference between “something happened” and “here’s exactly why the agent did that.”
Why it matters: when an agent goes off the rails, you need the full trace. Traditional app logs miss the prompt-and-response context that makes agent behavior interpretable.
Step 5: Tie It All Together for Compliance
The four layers work as a system. Sandboxing limits blast radius. Approvals add human judgment. Network policies prevent leaks. Telemetry gives you auditability. Together, they let security and compliance teams sign off on agent adoption, which is what unlocks broader rollout.
What Comes Next
If you’re earlier in the journey, start with sandboxing. It’s the highest-leverage layer and the foundation everything else builds on. Then add approval gates for your top three risky operations. Network policies and telemetry can come once you have real usage data showing what the agent actually needs.
Full technical details are available at the original OpenAI source.