When OpenAI runs its own Codex coding agent inside its engineering org, it doesn't let the agent operate without guardrails. In a post published May 8, the company detailed four controls that govern how the agent works - the most concrete reference architecture OpenAI has published for internal AI agent governance.
The four controls:
- Sandboxing: Code runs in isolated containers that can't reach production systems. Each task gets a fresh environment, destroyed when the task ends. Nothing persists between sessions unless explicitly saved.
- Approval workflows: Consequential actions - merging code, deploying changes - require human sign-off before proceeding. The agent drafts and proposes; it can't ship unilaterally.
- Network policies: Instead of blocking the internet entirely, OpenAI uses allowlists - specific domains the agent can reach (package registries, documentation) with everything else blocked by default.
- Agent-native telemetry: Standard API logs capture individual calls. Agent telemetry logs the full sequence of decisions across a multi-step task - which tools ran, in what order, and what prompted each choice.
None of this is conceptually new. Sandboxes and approval gates are standard in enterprise software. What's notable is that OpenAI is publishing the actual governance model for its own internal coding agent use, rather than leaving customers to design this from scratch.
The telemetry piece is the one most teams overlook. If you're deploying Cursor or any AI agent that executes code in your environment, you need logs that can reconstruct a full multi-step session - not just individual API call records. Building that in from the start is far easier than retrofitting it after something goes wrong.
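What session-level reconstruction can look like in practice, as an added sketch that is not taken from OpenAI's post: flat event records are regrouped into ordered sessions, then audited for breaks in the decision chain, missing reasons, hosts off the allowlist, and gated actions without sign-off. The event schema (`session`, `step`, `parent`, `tool`, `reason`, `detail`, `approved_by`), the policy sets, and the sample log are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed policy values for illustration, not OpenAI's actual configuration.
ALLOWED_HOSTS = {"pypi.org", "docs.python.org"}
NEEDS_APPROVAL = {"merge", "deploy"}

# Constructed sample events in a hypothetical schema, deliberately out of order.
SAMPLE_LOG = """
{"session": "task-17", "step": 3, "parent": 2, "tool": "shell", "reason": "run tests", "detail": "pytest -q"}
{"session": "task-17", "step": 1, "parent": null, "tool": "read_file", "reason": "user asked to fix bug", "detail": "app/db.py"}
{"session": "task-17", "step": 2, "parent": 1, "tool": "network", "reason": "install dependency", "detail": "pypi.org"}
{"session": "task-17", "step": 5, "parent": 4, "tool": "merge", "reason": "tests pass", "detail": "PR branch", "approved_by": null}
{"session": "task-18", "step": 1, "parent": null, "tool": "network", "reason": "", "detail": "paste.example"}
"""

def reconstruct(log_text):
    """Group flat event records by session and order each session by step."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        sessions[event["session"]].append(event)
    return {sid: sorted(evs, key=lambda e: e["step"]) for sid, evs in sessions.items()}

def audit(events):
    """Return findings that block or qualify a full replay of one ordered session."""
    findings, seen, prev = [], set(), 0
    for ev in events:
        step = ev["step"]
        if step != prev + 1:  # missing or duplicated step: the sequence cannot be replayed
            findings.append(f"step {step}: sequence break after step {prev}")
        if ev["parent"] is not None and ev["parent"] not in seen:
            findings.append(f"step {step}: parent {ev['parent']} not logged")
        if not ev.get("reason"):  # "what prompted each choice" must be recorded
            findings.append(f"step {step}: no reason recorded")
        if ev["tool"] == "network" and ev["detail"] not in ALLOWED_HOSTS:
            findings.append(f"step {step}: host {ev['detail']} not on allowlist")
        if ev["tool"] in NEEDS_APPROVAL and not ev.get("approved_by"):
            findings.append(f"step {step}: {ev['tool']} without human approval")
        seen.add(step)
        prev = step
    return findings

if __name__ == "__main__":
    for sid, events in reconstruct(SAMPLE_LOG).items():
        print(sid, [e["tool"] for e in events], audit(events))
```

A per-call API log would show each of these records as valid on its own; the sequence break and the unlogged parent only surface once the session is rebuilt as a whole.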
The implicit message: if OpenAI needs these controls for its own internal use of Codex, your team probably needs them too.