OpenAI enhances Codex with secure self-hosted sandboxes via Ona acquisition

OpenAI’s acquisition of Ona is a decisive step toward making Codex a true enterprise-grade platform—with secure, self-hosted sandboxes at its core. By giving enterprises direct control over where and how autonomous AI agents run, OpenAI closes a critical trust gap. For teams under real compliance and risk constraints, Ona’s persistent, customer-controlled environments finally enable secure, continuous agent-driven workflows across platforms and devices. Every AI enterprise story touts scale and speed; this one is about control, audit, and operational safety—the unsolved blockers for deploying AI agents in production.

What is the OpenAI Ona acquisition and why it matters

OpenAI acquired Ona—a 79-person cloud development environment provider—for an estimated $450 million to integrate its sandbox technology directly into Codex. This isn’t a team hire or an incremental roadmap shuffle. Ona (formerly Gitpod) is built around making disposable, secure, and persistent cloud environments. By acquiring Ona, OpenAI is not just buying infrastructure; it’s buying a platform designed for enterprise control.

Enterprises balk at letting fully autonomous agents operate in hosted black boxes or fleeting cloud sessions. CIOs and CISOs need proof that execution environments can be locked down, logged, and managed according to their policies. The Ona acquisition directly addresses this: it gives enterprise users the “building blocks agents need for enterprise work”—as Ona CEO Johannes Landgraf puts it—specifically, “trusted, customer-controlled cloud environments where work continues across devices, inside the systems where software actually lives.” Large customers are already on board: Ona agent sessions now run at marquee names including the oldest US bank and major European pharma firms.

Pairing Codex’s agent intelligence with Ona’s trusted execution platform means enterprises will no longer need to choose between AI automation and operational safety. This move enables deployments that were previously blocked by risk and compliance teams.

How do self-hosted sandboxes enhance Codex for enterprise AI agents?

Ona’s self-hosted sandboxes give Codex agents a secure, persistent, enterprise-controlled space to run—even as workloads jump between devices, sessions, and clouds. This is a structural shift—one that OpenAI itself could not have built quickly in-house. As Landgraf put it, "Ona brings the building blocks agents need for enterprise work: trusted, customer-controlled cloud environments where work continues across devices, inside the systems where software actually lives.”

Every detail points at risk reduction without giving up flexibility:

• Isolation: Each agent gets its own environment, fully separated from the rest of the customer’s infrastructure.
• Persistence: Environments don’t vanish when the laptop sleeps or the browser closes; work picks up where it left off.
• Control: Enterprises decide what code, data, and secrets live inside. Only systems administrators grant access.
• Auditing: All actions within the sandbox are visible, with logs for compliance and incident investigation.
• Integration: The sandboxes can be layered inside existing stacks, so agents work inside “the systems where software actually lives.”

Concrete example: an enterprise can grant their Codex agent a pre-configured sandbox with only the data and permissions needed for a given E2E test, not production root keys. If the agent tries to exceed its boundaries, controls stop it cold—no more “AI deleted half our cloud resources by mistake.” This reduces the blast radius of agent-driven automation, making new workflows safe to try in production for the first time.

What operational risks do autonomous AI agents pose without sandboxes?

Without strong sandboxing, autonomous AI agents are a golden ticket to operational risk: uncontrolled code execution, privileged access gone wrong, and zero visibility into what happened when—until it’s too late.

Every CIO’s nightmare comes into play:

• Data loss: Agents can—and have—erased vital files or data stores when run with broad permissions and no policy boundaries.
• Unpredictable costs: An agent stuck in a loop can rack up huge token bills or spin up runaway compute jobs in minutes.
• Malicious manipulations: If an agent’s environment is compromised—by prompt injection or external attackers—it can become an entry point for broader system breaches.
• Audit gaps: When agents run in generic hosted clouds, there’s often no credible way to audit, restrict, or roll back actions.

Anecdotes multiply: a single agent left unsupervised with access to cloud admin credentials or unrestricted APIs has generated massive bills or impacted critical infrastructure. The risks aren’t theoretical—major financial, pharmaceutical, and government users have demanded auditable, customer-owned sandboxes before deploying Codex agents beyond pilot projects.

Sandboxes are the missing kill switch. They ensure that one agent’s bad decision or one compromised key is contained, not a prelude to an enterprise-wide incident.

How OpenAI’s Codex uses Ona’s technology to secure AI agent deployment

With Ona’s platform on board, Codex can now run agents in persistent, enterprise-controlled environments—breaking free from the constraints of single-device, single-session architectures. Previously, Codex could only execute agent workloads while a session or device was active; everything else was ephemeral or brokered through managed clouds. That approach does not work for production workflows spanning teams, approvals, or days without pause.

Ona’s sandboxes add two missing capabilities:

1. Persistent, resumable environments so agents can maintain context, artifacts, and credentials across days or weeks.
2. Customer-side execution, meaning the agent’s workspace is hosted wherever the enterprise wants—inside a private cloud, a regulated region, or a partitioned VPC.

Since the start of the year, Ona’s agent sessions have grown 13× in production deployments, with sessions running at institutions including the oldest US bank and a top European pharma company. OpenAI labels this as expanding Codex “beyond a single device or active session”—in other words, real operational workloads, not just demos.

Gartner frames the move as “giving Codex essential scaling capabilities” and directly answering Anthropic’s promise of self-hosted sandboxes by May 2026. The real outcome: Codex agents can now operate as long-running, auditable workers in the places where enterprise software actually runs.

How can enterprises start using Codex with Ona’s sandboxes today?

Enterprises ready to adopt agent-driven automation with Codex plus Ona’s sandboxes should follow a three-step sequence:

1. Enable enterprise-grade Codex access.
Provision Codex for your organization through the OpenAI enterprise portal—validate licensing, service levels, and agent support. Ensure your project or workspace is approved for Codex agent integrations, with API keys or SSO as needed.

2. Deploy Ona sandbox infrastructure.
Work with OpenAI (and Ona team) to provision sandbox environments in the deployment location that meets your regulatory and operational requirements. Most enterprises will spin up sandboxes inside a private cloud, VPC, or tightly scoped public cloud project—connected to existing authentication and secrets management systems. Ensure each agent gets a unique, audited workspace:

# Example: Create a new Ona sandbox for a Codex agent test run
ona create-sandbox --project my-enterprise --env openai-codex

3. Enforce policy, control, and logs.
Define policies: restrict outbound internet, bind secrets to roles, enable audit logging, and set resource quotas. Codex agents inherit permissions only from what’s explicitly granted in the sandbox. Use Ona’s environment controls to shut down or snapshot workspaces as workflows complete. Example safeguard:

# ona-sandbox-policy.yaml
outbound_network: false
secrets:
  - name: DB_ACCESS_TOKEN
    access: read-only
logs: enabled
session_timeout: 1h

Best practices:

• Never grant agents production credentials in development sandboxes.
• Review agent audit logs regularly.
• Rotate sandboxes and secrets as part of your CI/CD process.
• Validate agent code before each deployment phase.

Teams that follow this baseline can safely deploy autonomous AI agents at scale—without ceding control or ignoring audit requirements.

What future impact could this acquisition have on enterprise AI?

Ona’s technology fundamentally changes what’s possible for AI agent deployment in enterprises: persistent, customer-controlled sandboxes make real autonomy—finally—deployable within even the most risk-averse organizations.

Expect several direct outcomes:

• Enterprise adoption accelerates: More financial, pharma, and government workloads move to Codex-powered agents as sandboxing removes the last big compliance and ops blockers.
• Security and auditing bar rises: As OpenAI/Codex delivers stronger sandbox and audit tools, compliance and regulatory arguments start to tip in favor of AI adoption—especially as competitors like Anthropic ship managed sandboxes of their own.
• Broader industry shift: The control afforded by Ona’s sandboxes will pressure every major LLM/agent vendor to offer similar persistent, enterprise-owned execution. This sets a new default: if you want to win regulated customers, you need on-prem or tightly controlled cloud agent environments, not just hosted SaaS.

Down the line, expect regulation, audit, and even insurance requirements to draw a sharp dividing line: only sandboxes that can prove customer control, audit visibility, and kill-switch isolation will clear the bar for production agent deployment.

The upshot: OpenAI's Ona acquisition is the enterprise AI trust milestone

OpenAI’s acquisition of Ona delivers what enterprise AI needs but most vendors still lack: persistent, secure, self-hosted sandbox environments for autonomous agents. For developers and CIOs blocked by compliance and risk, Codex plus Ona finally enables enterprise-grade agent workflows—with the guardrails, logging, and customer control required to pass every audit. The real signal: this is an acceleration point, not a science project. Secure, agent-driven automation can now actually leave the prototype phase and land in production. The best part? You no longer have to choose between AI power and operational safety. Deploy both—today.