OpenAI has published details of the Windows sandbox architecture that powers its Codex coding agent, highlighting the engineering tradeoffs required to balance security, usability, and developer productivity on Microsoft’s operating system. The company explained that it built a custom sandboxing approach after finding that existing Windows isolation mechanisms did not fully satisfy the requirements of autonomous coding agents. As OpenAI noted, Windows does not provide a single primitive that cleanly maps to a safe execution environment for agentic workloads.
Codex, OpenAI’s coding agent, runs locally on developer machines through command line interfaces, IDE extensions, and desktop applications. Because the agent can execute commands, read files, modify source code, and perform development tasks, OpenAI needed a mechanism to restrict its access while minimizing interruptions to developer workflows. According to David Wiesen, a member of OpenAI’s technical staff, users previously faced a tradeoff between approving nearly every agent action or granting unrestricted system access through a full-access mode.
OpenAI said in a LinkedIn post announcing the release:
This work helps make Codex on Windows both powerful and secure, enabling developers to use coding agents in real-world environments with greater confidence.
The company evaluated several existing Windows security technologies, including Windows Sandbox and Mandatory Integrity Control (MIC). While Windows Sandbox provides strong isolation through a disposable virtual machine, OpenAI concluded it was not suitable because Codex requires direct access to a developer’s working environment, tools, and repositories. Additionally, Windows Sandbox is not available across all Windows editions, limiting its applicability.
The first implementation, referred to internally as the unelevated sandbox, combined Windows security identifiers (SIDs), access control lists (ACLs), and write-restricted tokens. OpenAI introduced a synthetic security identifier, sandbox-write, granting write access only to designated directories such as the current workspace and explicitly configured writable locations. Sensitive paths, including Git metadata directories, remained protected through ACL enforcement.
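As an added illustration (not OpenAI's code), the Python model below shows how a write-restricted token interacts with ACLs: Windows evaluates write requests a second time against the token's restricting SIDs, so a write succeeds only where the ACL also names the sandbox SID. The SID strings, the paths, and the deny entry on the Git directory are assumptions made for the example.

```python
# Simplified model of the Windows DACL check for a write-restricted token.
# SIDs, paths and ACLs are constructed for illustration only.
from collections import namedtuple

READ, WRITE = 0x1, 0x2
Ace = namedtuple("Ace", "kind sid mask")            # kind: "allow" or "deny"
Token = namedtuple("Token", "sids restricting write_restricted")

def dacl_grants(dacl, sids, desired):
    """Walk ACEs in order: a matching deny on a needed bit fails the check,
    matching allows accumulate until every desired bit is granted."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0

def access_check(token, dacl, desired):
    # Pass 1: the ordinary check against the user's own SIDs.
    if not dacl_grants(dacl, token.sids, desired):
        return False
    if not token.restricting:
        return True
    # Pass 2: restricting SIDs must also be granted access. A write-restricted
    # token applies this pass to write bits only, so reads stay unaffected.
    second = desired & WRITE if token.write_restricted else desired
    return second == 0 or dacl_grants(dacl, token.restricting, second)

USER, SANDBOX = "S-USER", "sandbox-write"           # placeholder SID strings
ACLS = {
    "workspace/src":  [Ace("allow", USER, READ | WRITE), Ace("allow", SANDBOX, WRITE)],
    # Assumed protection: an explicit deny for the sandbox SID on Git metadata.
    "workspace/.git": [Ace("deny", SANDBOX, WRITE), Ace("allow", USER, READ | WRITE),
                       Ace("allow", SANDBOX, WRITE)],
    "home/notes":     [Ace("allow", USER, READ | WRITE)],
}
agent = Token({USER}, {SANDBOX}, True)
fully_restricted = Token({USER}, {SANDBOX}, False)

def decisions(token):
    return {(path, name): access_check(token, dacl, bit)
            for path, dacl in ACLS.items()
            for name, bit in (("read", READ), ("write", WRITE))}

if __name__ == "__main__":
    for key, allowed in decisions(agent).items():
        print(key, "ALLOW" if allowed else "DENY")
```

The `fully_restricted` token, with the same restricting SID but without the write-restricted flag, would also lose read access wherever the ACL grants the sandbox SID only write, which is why the write-only variant suits an agent that must read the developer's existing tools and files.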
OpenAI later redesigned the system into what it calls the elevated sandbox. During setup, the sandbox creates dedicated local Windows accounts, including CodexSandboxOffline and CodexSandboxOnline. Commands are executed under these isolated accounts using restricted tokens. Network access can be controlled through firewall rules, allowing enforcement of both filesystem and networking boundaries while preserving compatibility with common developer workflows.

Complete sandbox architecture (Source: OpenAI Blog Post)
The announcement also sparked discussion among developers evaluating the security implications of coding agents. Responding on X, Marcus commented:
The sandbox architecture is the unsung hero. Every other coding agent treats your filesystem like a playground. The fact that Codex on Windows actually isolates the environment means you can let it run without hovering over it like a nervous parent.
As coding agents become increasingly capable of executing actions on behalf of users, vendors must balance strict security constraints against expectations for seamless automation. Unlike traditional applications, autonomous coding agents require access to source code, development tools, and operating system resources while still maintaining meaningful isolation boundaries. OpenAI’s approach illustrates how existing operating system primitives may need to be combined and adapted to support this emerging class of workloads, where usability, compatibility, and enforcement must be balanced simultaneously.