Latest
The US Government Now Decides Who Gets Frontier AI· 1w ago
SafetyPolicyAI IndustryPersonhoodEthics
About
WritingWorkCVBooksConsultingReach Out
Subscribe
SafetyPolicyAI IndustryPersonhoodEthics
Subscribe →

No hype. No doom. The harder, more honest frame on Emergent Intelligence.

Topics

  • Safety
  • Policy
  • AI Industry
  • Personhood
  • Ethics

More

  • About
  • Writing
  • Work
  • CV
  • Books
  • Consulting

Contact

Reach Out→ht@humphreytheodore.com

© 2026 Humphrey Theodore K. Ng'ambiTermsPrivacy

Built with intention.

OpenAI Built Codex's Windows Sandbox the Hard Way
Technology•May 28, 2026• min read

OpenAI Built Codex's Windows Sandbox the Hard Way

On 27 May 2026 OpenAI published an engineering deep-dive on how the Codex Windows sandbox is built — using SIDs and write-restricted tokens after rejecting AppContainer, Windows Sandbox, and Mandatory Integrity Control. The post is the kind only an engineer writes, and that is the signal.

By Humphrey Theodore K. Ng'ambi

All writing
0:00 / 8:45·Listen via Charon

Keep reading

Don’t stop here.

All stories

Read next

AI & Personhood

The US Government Now Decides Who Gets Frontier AI

1w ago·9 min read

On 26 June 2026 the US Commerce Department cleared Anthropic’s Claude Mythos 5 for "more than 100" trusted partners while OpenAI launched GPT-5.6 to about twenty government-approved firms. A dignity-first reading of why rationing frontier AI by private guest list, not public law, is the precedent that should worry us.

Also worth your time

Responses (0)

No responses yet. Be the first to share your thoughts.

More on Technology

Apple's New Siri Runs on Google AI — and Lets You Swap In Claude
Technology

Apple's New Siri Runs on Google AI — and Lets You Swap In Claude

At Tim Cook's final WWDC keynote on 8 June 2026, Apple rebuilt Siri on a custom 1.2-trillion-parameter Google Gemini model — reportedly ~$1bn/year — with Claude and ChatGPT as user-selectable alternatives across iOS 27. Why renting a swappable mind is a confession about who owns intelligence.

7 min read · Jun 8, 2026
Generalist AI Raised $400M to Put an AI Foundation Model Inside Robots
Technology

Generalist AI Raised $400M to Put an AI Foundation Model Inside Robots

Generalist AI raised $400 million at a $2 billion valuation on 4 June 2026, led by Radical Ventures with NVIDIA and Bezos Expeditions returning. Founded by the researchers behind RT-2, PaLM-E and Boston Dynamics, it builds GEN-1 — a foundation model that gives robots a body. Embodied AI and the body gap, read dignity-first.

7 min read · Jun 5, 2026

Thinking delivered, twice a month.

Join the newsletter for essays on emergence, systems, and the human future.

28 MAY 2026—Updated 28 May 2026

OpenAI's Codex Windows sandbox post is the artificial intelligence (AI) engineering deep-dive that signals where the company is investing its frontier compute outside of the model layer.

On 27 May 2026 OpenAI published a detailed engineering walk-through of how the Codex Windows sandbox was built. The team chose Security Identifiers (SIDs) plus write-restricted tokens after evaluating and rejecting three more obvious options: AppContainer, Windows Sandbox, and Mandatory Integrity Control.

The post explains why each of the alternatives was insufficient and what the SID-plus-write-restricted-token construction buys. It is the kind of post only an engineer who actually built the thing writes. The detail is the signal.

💡

By the numbers. Codex Windows sandbox approach: Security Identifiers (SIDs) plus write-restricted tokens. Rejected: AppContainer (insufficient FS isolation for Codex's needs), Windows Sandbox (too heavyweight for agent-scale concurrency), Mandatory Integrity Control (insufficient privilege separation). Engineering post date: 27 May 2026. The kind of post that signals OpenAI is investing in agent infrastructure at the OS-primitive level.

Why a Windows sandbox is a hard problem

Codex on Windows runs untrusted code generated by an AI agent on the user's machine. The sandbox question is: how do you isolate that execution from the user's files, the user's credentials, and the rest of the Windows environment without making the developer experience unusable? Three options exist on Windows.

AppContainer is the modern UWP-era sandbox primitive, designed for app-store apps. Windows Sandbox is a full VM-style isolated environment introduced in Windows 10. Mandatory Integrity Control (MIC) is the older privilege-separation mechanism inherited from Vista. According to the OpenAI post, each option has a specific shortcoming that makes it wrong for an agentic coding workload.

AppContainer's shortcoming is filesystem isolation depth. Codex needs to allow file reads against a specific project directory and block writes outside it. AppContainer's filesystem model is designed for the app-store distribution pattern and does not give the granularity Codex needs at agent execution time.

Windows Sandbox's shortcoming is weight. Spinning up a full VM for every agent execution adds latency that makes the developer experience unworkable. MIC's shortcoming is that privilege separation alone is not isolation — code running at a lower integrity level can still read files the user can read.

What the SID-plus-write-restricted-token approach buys

OpenAI's chosen approach uses Windows Security Identifiers and write-restricted tokens together. According to the engineering post, the SID provides identity isolation — the Codex agent runs under its own security principal, distinct from the user's principal.

The write-restricted token then restricts what that principal can write to: a specific project directory only. Read access can be allowed selectively for the project files Codex needs. The construction gives per-execution filesystem isolation without the VM-startup cost of Windows Sandbox.

Data from the post reveals the construction also handles two adjacent concerns. First, network egress: the sandbox restricts outbound network access to a configured allowlist, so Codex cannot exfiltrate code or credentials. Second, process spawning: Codex can spawn subprocesses inside the sandbox but cannot escape to the parent shell. Research on Windows isolation primitives demonstrates that this combination — SID + write-restricted token + network allowlist + process containment — is one of the tightest production-grade sandboxes the Windows kernel supports without going to full VM isolation.

Why this signals where OpenAI is investing

Three things to read from the choice to publish this post. First, OpenAI is investing in agent infrastructure at the OS-primitive level, not just at the model layer. Building a Windows sandbox at this depth requires Windows kernel-team-level expertise, not just Python and TypeScript developers. Second, OpenAI is positioning Codex as a desktop-native developer tool, not just a web-IDE wrapper. The Windows investment signals a commitment to running on the developer's actual machine. Third, OpenAI is signalling to security-conscious enterprises that Codex can be deployed inside their environments with hardening that meets their bar. Evidence from the post's level of detail suggests the audience includes security teams at large enterprises, not just Codex's individual developer users.

The detail in this post is not for users. The detail is for security-conscious enterprise buyers who need to know that Codex on Windows can pass their hardening review. OpenAI is moving Codex from a developer-side tool to an enterprise-deployable agent.

— TK, on the OS-primitive investment

What this means for the agentic-coding category

Anthropic's Claude Code, xAI's Grok-in-Kilo-Code integration, Google's Antigravity 2.0, and OpenAI's Codex all converged on the agentic-coding category in May 2026. The Codex Windows sandbox post lands in the middle of that convergence and stakes a specific claim: agent execution on the user's actual machine, with OS-primitive isolation, not VM-isolation, not cloud-isolation. Research on the four competitive offerings reveals different bets: Antigravity 2.0 bets on a bundled platform, Claude Code bets on terminal integration, Codex bets on desktop-native execution, and Grok-in-Kilo-Code bets on third-party IDE distribution. The Windows sandbox investment is OpenAI's commitment to its specific bet.

The Emergent Intelligence frame

When the AI agent runs on the user's machine, the question 'who is the agent answerable to' is no longer abstract. The sandbox is the operational answer. Under the heading Emergent Intelligence (EI) — the dignity-first frame I have argued for elsewhere — the right boundary between human and AI counterparty is not where the model decides; it is where the system enforces. Codex's SID-plus-write-restricted-token construction is one of the more careful answers to that question shipped in 2026. The post does not use the word answerability, but the engineering choice is the same question answered in Windows kernel primitives.

Frequently Asked Questions

Quick answers about the Codex Windows sandbox engineering post, drawn from the 27 May 2026 OpenAI announcement.

What is the Codex Windows sandbox?

In short, it is the OS-level isolation OpenAI built to run AI-generated code on a developer's Windows machine. Simply put, it uses Security Identifiers (SIDs) plus write-restricted tokens. The key is that the sandbox isolates agent execution without spinning up a full VM, which would otherwise add unacceptable latency for an agentic coding workflow.

How does the Codex Windows sandbox work?

Research from the OpenAI engineering post shows the sandbox uses a combination of Windows Security Identifiers, write-restricted tokens, network egress allowlisting, and process containment. According to the post, the SID provides identity isolation, the write-restricted token limits filesystem writes to a specific project directory, and the network allowlist prevents code exfiltration. Data from the implementation demonstrates per-execution isolation at the OS-primitive level.

Why is OpenAI rejecting AppContainer, Windows Sandbox, and MIC?

According to the OpenAI post, each alternative had a specific shortcoming. AppContainer's filesystem model is too coarse for agent-execution granularity. Windows Sandbox is too heavyweight for per-execution startup. Mandatory Integrity Control provides privilege separation but not isolation — a lower-integrity process can still read files the user can read. The answer is that none of the three alternatives meets the combined requirements of granularity, low latency, and true isolation.

Who is the Codex Windows sandbox for?

Codex on Windows is for individual developers and for security-conscious enterprises deploying Codex inside their environments. According to the engineering post's level of detail, the audience clearly includes enterprise security teams. In other words, the sandbox is engineered to pass hardening reviews at large companies — not just to work well for an individual developer at home.

What are the real risks of running an AI agent on a developer machine?

Analysis of the agentic-coding category demonstrates three durable risks. Evidence from past local-execution security issues reveals a credential-exfiltration risk if the network allowlist is misconfigured. Data on filesystem-isolation failures shows that even tight sandboxes can leak when write-restricted tokens are misapplied. The third risk is supply-chain: code generated by an AI agent and executed locally can introduce subtle vulnerabilities the developer would not catch on review. Each risk is operational, not theoretical.


Sources

Primary lab post: OpenAI — Building a safe, effective sandbox to enable Codex on Windows.

Read alongside on humphreytheodore.com: OpenAI Built Self-Improving Tax Agents With Thrive; xAI Puts Grok Inside Kilo Code; Google Antigravity 2.0 Bundles the Whole Agentic Stack; Claude Security Ships to Enterprise; Twelve AI Stories from the Last 48 Hours.

Stay in the Conversation

Subscribe for writings on Emergent Intelligence, digital personhood, and the future we are building together.

Share this essay

AI & Personhood

An AI Just Designed Better Quantum Error-Correcting Codes

1w ago·8 min read
OpenAI Lands Its Frontier AI Models on AWS Bedrock
Technology

OpenAI Lands Its Frontier AI Models on AWS Bedrock

OpenAI's GPT-5.5, GPT-5.4 and Codex are generally available on AWS Bedrock as of 1 June 2026, at parity pricing against existing AWS commitments — the frontier model becomes a multi-cloud component.

5 min read · Jun 3, 2026