OpenAI enhances Codex with secure self-hosted sandboxes via Ona acquisition

OpenAI acquired Ona, a 79-person cloud development environment provider, for an estimated $450 million to integrate its secure, self-hosted sandbox technology into Codex. The acquisition addresses enterprise concerns about autonomous AI agent safety by providing customer-controlled execution environments, enabling deployments previously blocked by risk and compliance teams. Ona's platform allows Codex agents to run in persistent, auditable sandboxes that reduce operational risk and meet enterprise security requirements.

OpenAI’s acquisition of Ona is a decisive step toward making Codex a true enterprise-grade platform—with secure, self-hosted sandboxes at its core. By giving enterprises direct control over where and how autonomous AI agents run, OpenAI closes a critical trust gap. For teams under real compliance and risk constraints, Ona’s persistent, customer-controlled environments finally enable secure, continuous agent-driven workflows across platforms and devices.

Every AI enterprise story touts scale and speed; this one is about control, audit, and operational safety—the unsolved blockers for deploying AI agents in production.

OpenAI acquired Ona—a 79-person cloud development environment provider—for an estimated $450 million to integrate its sandbox technology directly into Codex. This isn’t a team hire or an incremental roadmap shuffle. Ona, formerly Gitpod, is built around making disposable, secure, and persistent cloud environments. By acquiring Ona, OpenAI is not just buying infrastructure; it’s buying a platform designed for enterprise control.

Enterprises balk at letting fully autonomous agents operate in hosted black boxes or fleeting cloud sessions. CIOs and CISOs need proof that execution environments can be locked down, logged, and managed according to their policies.
The Ona acquisition directly addresses this: it gives enterprise users the “building blocks agents need for enterprise work”—as Ona CEO Johannes Landgraf puts it—specifically, “trusted, customer-controlled cloud environments where work continues across devices, inside the systems where software actually lives.” Large customers are already on board: Ona agent sessions now run at marquee names including the oldest US bank and major European pharma firms.

Pairing Codex’s agent intelligence with Ona’s trusted execution platform means enterprises will no longer need to choose between AI automation and operational safety. This move enables deployments that were previously blocked by risk and compliance teams. Ona’s self-hosted sandboxes give Codex agents a secure, persistent, enterprise-controlled space to run—even as workloads jump between devices, sessions, and clouds. This is a structural shift—one that OpenAI itself could not have built quickly in-house.

As Landgraf put it, “Ona brings the building blocks agents need for enterprise work: trusted, customer-controlled cloud environments where work continues across devices, inside the systems where software actually lives.”

Every detail points at risk reduction without giving up flexibility:

Concrete example: an enterprise can grant their Codex agent a pre-configured sandbox with only the data and permissions needed for a given E2E test, not production root keys. If the agent tries to exceed its boundaries, controls stop it cold—no more “AI deleted half our cloud resources by mistake.” This reduces the blast radius of agent-driven automation, making new workflows safe to try in production for the first time.
[Figure: autonomous agents operating inside trusted, customer-controlled sandboxes instead of public black boxes]

Without strong sandboxing, autonomous AI agents are a golden ticket to operational risk: uncontrolled code execution, privileged access gone wrong, and zero visibility into what happened when—until it’s too late. Every CIO’s nightmare comes into play:

Anecdotes multiply: a single agent left unsupervised with access to cloud admin credentials or unrestricted APIs has generated massive bills or impacted critical infrastructure. The risks aren’t theoretical—major financial, pharmaceutical, and government users have demanded auditable, customer-owned sandboxes before deploying Codex agents beyond pilot projects.

Sandboxes are the missing kill switch. They ensure that one agent’s bad decision or one compromised key is contained, not a prelude to an enterprise-wide incident.

With Ona’s platform on board, Codex can now run agents in persistent, enterprise-controlled environments—breaking free from the constraints of single-device, single-session architectures. Previously, Codex could only execute agent workloads while a session or device was active; everything else was ephemeral or brokered through managed clouds. That approach does not work for production workflows spanning teams, approvals, or days without pause. Ona’s sandboxes add two missing capabilities:

Since the start of the year, Ona’s agent sessions have grown 13× in production deployments, with sessions running at institutions including the oldest US bank and a top European pharma company. OpenAI labels this as expanding Codex “beyond a single device or active session”—in other words, real operational workloads, not just demos. Gartner frames the move as “giving Codex essential scaling capabilities” and directly answering Anthropic’s promise of self-hosted sandboxes by May 2026.
The real outcome: Codex agents can now operate as long-running, auditable workers in the places where enterprise software actually runs.

[Diagram: OpenAI Codex agents running in persistent, enterprise-controlled Ona sandboxes, spanning devices and clouds]

Enterprises ready to adopt agent-driven automation with Codex plus Ona’s sandboxes should follow a three-step sequence:

1. Enable enterprise-grade Codex access. Provision Codex for your organization through the OpenAI enterprise portal—validate licensing, service levels, and agent support. Ensure your project or workspace is approved for Codex agent integrations, with API keys or SSO as needed.

2. Deploy Ona sandbox infrastructure. Work with the OpenAI and Ona teams to provision sandbox environments in the deployment location that meets your regulatory and operational requirements. Most enterprises will spin up sandboxes inside a private cloud, VPC, or tightly scoped public cloud project—connected to existing authentication and secrets management systems. Ensure each agent gets a unique, audited workspace:

    # Example: Create a new Ona sandbox for a Codex agent test run
    ona create-sandbox --project my-enterprise --env openai-codex

3. Enforce policy, control, and logs. Define policies: restrict outbound internet, bind secrets to roles, enable audit logging, and set resource quotas. Codex agents inherit permissions only from what’s explicitly granted in the sandbox. Use Ona’s environment controls to shut down or snapshot workspaces as workflows complete. Example safeguard:

    # ona-sandbox-policy.yaml
    outbound_network: false
    secrets:
      - name: DB_ACCESS_TOKEN
        access: read-only
    logs: enabled
    session_timeout: 1h

Best practices:

Teams that follow this baseline can safely deploy autonomous AI agents at scale—without ceding control or ignoring audit requirements.
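A pre-deployment check for the step 3 baseline, added here as an example and not taken from the article, OpenAI or Ona: it audits a policy shaped like the ona-sandbox-policy.yaml sample and fails closed when a key is missing. The underscore key names, the dict form of the policy and the 4-hour session ceiling are assumptions.

```python
import re

# Keys mirror the article's sample policy; this is an assumed schema,
# not Ona's documented one.
MAX_SESSION_SECONDS = 4 * 3600  # assumed organisational ceiling
_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value):
    """Turn '1h', '30m' or '45s' into seconds; None if malformed."""
    m = re.fullmatch(r"(\d+)([smh])", str(value).strip())
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None


def audit_policy(policy):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    # Fail closed: a missing key counts the same as an unsafe value.
    if policy.get("outbound_network") is not False:
        findings.append("outbound_network must be explicitly false")
    if policy.get("logs") != "enabled":
        findings.append("logs must be 'enabled'")
    for secret in policy.get("secrets", []):
        if secret.get("access") != "read-only":
            findings.append(f"secret {secret.get('name', '?')} is not read-only")
    timeout = parse_duration(policy.get("session_timeout", ""))
    if timeout is None:
        findings.append("session_timeout missing or malformed")
    elif timeout > MAX_SESSION_SECONDS:
        findings.append(f"session_timeout {timeout}s exceeds {MAX_SESSION_SECONDS}s")
    return findings


# Constructed inputs: the article's sample policy and a drifted variant.
ARTICLE_POLICY = {
    "outbound_network": False,
    "secrets": [{"name": "DB_ACCESS_TOKEN", "access": "read-only"}],
    "logs": "enabled",
    "session_timeout": "1h",
}
DRIFTED_POLICY = {
    "outbound_network": True,
    "secrets": [{"name": "DB_ACCESS_TOKEN", "access": "read-write"}],
    "logs": "enabled",
}

if __name__ == "__main__":
    for name, pol in (("article", ARTICLE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, audit_policy(pol) or "OK")
```

Run it as a gate in whatever pipeline provisions the sandbox, so a policy that has drifted from the baseline is rejected before an agent is attached to it.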
Ona’s technology fundamentally changes what’s possible for AI agent deployment in enterprises: persistent, customer-controlled sandboxes make real autonomy—finally—deployable within even the most risk-averse organizations. Expect several direct outcomes:

Down the line, expect regulation, audit, and even insurance requirements to draw a sharp dividing line: only sandboxes that can prove customer control, audit visibility, and kill-switch isolation will clear the bar for production agent deployment.

OpenAI’s acquisition of Ona delivers what enterprise AI needs but most vendors still lack: persistent, secure, self-hosted sandbox environments for autonomous agents. For developers and CIOs blocked by compliance and risk, Codex plus Ona finally enables enterprise-grade agent workflows—with the guardrails, logging, and customer control required to pass every audit.

The real signal: this is an acceleration point, not a science project. Secure, agent-driven automation can now actually leave the prototype phase and land in production. The best part? You no longer have to choose between AI power and operational safety. Deploy both—today.