New OpenAI Codex Features in 2026 and Their Security Implications
- The 2026 OpenAI Codex features widen where the agent runs and what it can touch - each release is a new surface to inventory, not just a productivity gain.
- Codex Remote (GA June 2026) lets a phone drive a connected Mac or Windows host through authenticated QR pairing - a remote-execution trigger that never touches the developer's keyboard.
- Skills and plugins follow the open agentskills.io standard - the same one Claude Code uses - so a poisoned skill is now a cross-tool supply-chain risk, not a single-vendor one.
- Computer Use on Windows and Codex in the ChatGPT desktop app move Codex off the terminal into OS-level reach and a new managed-endpoint surface.
- Team Config and Auto-review turn fleet configuration and the approval trust boundary into things you must inventory and enforce, not assume.
- Anomity's Endpoint Sensor inventories Codex with its skills, plugins, and CLIs across every managed endpoint, and returns allow/deny/log on tool calls where an agent exposes a hook.
The OpenAI Codex features shipping through 2026 do not just make the agent smarter - they change where it runs and what it can touch. In the first half of the year alone Codex moved into the ChatGPT desktop app, gained a phone-driven remote mode, adopted an open skills-and-plugins standard, and expanded its Computer Use reach to Windows. Each of those is convenient for developers, and each is a new surface a security team now has to discover, classify, and govern.
The through-line matches what we have written about every coding agent: the vendor owns the runtime, but the *fleet posture* - who is running which version, in which mode, with which skills installed - is unowned by default. We walked the trust boundary itself in Codex's sandbox and approval model; this post walks the 2026 feature list and asks, for each addition, what it means for visibility across your fleet. It builds on the category-wide argument in securing AI coding agents and CLIs.
A newer frontier model behind the same agent
OpenAI released GPT-5.5 on April 23, 2026 and recommends it for most Codex tasks, following GPT-5.4 and GPT-5.4 mini earlier in the year. From a security standpoint the interesting fact is not the benchmark - it is that the model behind Codex is now a moving target. A more capable frontier coding model is a more capable agent inside whatever sandbox and approval combination a developer has set, which is exactly the boundary we broke down in Codex's sandbox and approval model and the hardening steps in the Codex sandbox and approvals guide.
For governance, the model version becomes one more configuration fact you want to be able to read per endpoint rather than assume. Capability changes underneath a policy you set months ago are the quiet kind of drift, and they are invisible unless something is watching the endpoint, not the model.
Codex moves into the ChatGPT desktop app
On July 9, 2026 Codex arrived inside the ChatGPT desktop app on both macOS and Windows, including GitHub pull-request review from within the app. This matters because it changes the shape of the endpoint. Codex is no longer only a CLI or a cloud IDE session - the distinctions we mapped in Codex CLI vs cloud vs IDE security differences - it is also a desktop application that can read, review, and comment on code on a managed machine.
A desktop app that reviews pull requests is a real actor in your development flow. If it can approve or shape a PR, it belongs in your inventory next to the CLIs and extensions your developers already run. The question for every managed endpoint is simple: is the Codex desktop app installed here, and does anyone centrally know?
Codex Remote turns a phone into a remote-execution trigger
Codex Remote reached general availability on June 25, 2026. It lets a developer start or continue work on a connected Mac or Windows host from the ChatGPT mobile apps, paired through an authenticated QR code. Put plainly: a phone can now drive a desktop coding agent.
That is a remote-execution surface, and it deserves to be treated as one. The action originates on a device you may not manage and lands on a host you do, without a keyboard in between. The host's sandbox and approval policy still apply - which is why the full-access trust boundary matters more, not less, once a remote trigger exists - but the person initiating the work is now one QR pairing away from the machine. Knowing which endpoints have Codex Remote paired is a visibility question, and comparing how remote and unattended modes differ across agents is exactly the ground covered in Claude Code vs Codex vs Cursor permission models.
Skills and plugins make Codex a supply-chain surface
Codex adopted skills - reusable bundles of instructions - following the open agentskills.io specification, and plugins that package skills, app integrations, and MCP server configuration together. The detail that should stop a security reader is that this is the *same* open skill standard that Claude Code uses. Skill risk is no longer a single-vendor concern; a skill authored for one agent can travel across tools that honor the standard.
That makes skills and plugins a supply-chain surface. A plugin bundles instructions, app integrations, and MCP configuration into one installable unit - three of the eight AI artifact types we inventory, wrapped together. A malicious or over-scoped skill is now something that can spread cross-tool, which is why we treat skills as a first-class artifact in our review of AI agent skills in 2026 and why the same discipline applies to Claude Code in the 2026 Claude Code features and their security implications.
Record & Replay and Computer Use widen what Codex can touch
Two features expand Codex's reach beyond the repo. Record & Replay (June 18, 2026, macOS) turns a demonstrated workflow into a reusable skill - meaning skills are now *created* on the endpoint, not only installed from a registry. A skill that captures a real workflow can capture whatever that workflow touched, so a locally minted skill is an artifact to inventory just like a downloaded one.
Computer Use expanded to Windows on May 29, 2026, letting Codex operate desktop apps by seeing, clicking, and typing. That is broad OS-level reach: an agent that drives the desktop is no longer fenced to a workspace directory the way a file-editing agent is. Combined with the desktop app and remote mode, the practical surface of what Codex can act on has grown well past the terminal, and the framework for reasoning about that reach is laid out in our AI security framework.
Sites and Team Config: new outputs, new fleet configuration
Sites (June 2, 2026) lets Codex create and deploy web apps hosted by OpenAI - a new output and deploy path that leaves the endpoint entirely. Team Config (January 23, 2026) goes the other direction: teams can share standardized config.toml defaults, rules/, and skills/ across repositories. Shared configuration is a governance gift when you can see it and a blind spot when you cannot.
Team Config is precisely the kind of fleet-level setting you want to inventory and enforce as a floor rather than hope each repo inherited correctly. That is the rollout problem we work through in rolling out Codex with fleet governance: a shared default is only a control if you can confirm it is the default that is actually live on each endpoint.
Auto-review moves the trust boundary
Codex can now route eligible approval prompts through an automatic reviewer agent before the request runs. Sandbox and approval modes remain the core trust boundary, but Auto-review changes who, or what, sits at that boundary. An approval that once paused for a human can now be resolved by an agent.
That can be a net improvement in consistency, and it can also mean fewer moments where a person sees what was approved. Either way, the approval decision is exactly the point at which policy should be enforced org-wide and recorded durably, rather than resolved privately in one session. This is the runtime governance layer.
The 2026 features and what each one means for governance
| Codex 2026 feature | What it adds | Governance implication |
|---|---|---|
| GPT-5.5 (Apr 2026) | A newer frontier coding model behind Codex | Model version is a config fact to read per endpoint, not assume |
| Codex in ChatGPT desktop app (Jul 2026) | Codex and GitHub PR review inside a desktop app on macOS and Windows | A new managed-endpoint surface to discover and classify |
| Codex Remote GA (Jun 2026) | A phone drives a connected Mac or Windows host via QR pairing | A remote-execution trigger that bypasses the keyboard |
| Skills and plugins (agentskills.io) | Reusable instruction bundles; plugins package skills, app integrations, MCP config | A supply-chain surface shared with Claude Code; skill risk is cross-tool |
| Record & Replay (Jun 2026, macOS) | Turns a demonstrated workflow into a reusable skill | Skills are now created on the endpoint, not only installed |
| Computer Use on Windows (May 2026) | Codex sees, clicks, and types in desktop apps | OS-level reach beyond the repo and terminal |
| Sites (Jun 2026) | Create and deploy web apps hosted by OpenAI | A new output and deploy path that leaves the endpoint |
| Team Config (Jan 2026) | Shared config.toml, rules/, and skills/ across repositories | Fleet configuration to inventory and enforce as a floor |
| Auto-review | Routes eligible approval prompts through an automatic reviewer agent | Moves the trust boundary; approvals may resolve without a human |
How Anomity governs Codex across the fleet
Every feature above shares one property: it is scoped to a single process on a single endpoint, and nothing centrally records which version, which skills, or which mode is live. Anomity closes that gap at the layer where the artifacts actually sit. A lightweight, unprivileged Endpoint Sensor runs on every managed endpoint - Windows, macOS, and Linux - and discovers and inventories eight AI artifact types: AI agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs. The Codex desktop app, its CLI, the skills a developer records with Record & Replay, and the plugins that bundle MCP configuration all land in one inventory you can query (fleet inventory).
The Sensor sends metadata only over HTTPS to Anomity Cloud - never your source code or prompts - and secrets are redacted on the endpoint before anything leaves it. On agents that expose a hook, Anomity returns allow, deny, or log on each tool call before it runs, which turns an in-session Codex approval, or an Auto-review decision, into an enforced org-wide policy at the trust boundary (allow/deny/log at the hook). Change events are captured as skills, plugins, and CLIs are added or modified, so a newly recorded skill or a freshly paired Codex Remote host is a fact you see, not a surprise.
Every decision lands in a queryable 90-day audit trail and routes to your SIEM, Slack, email, or Jira, so an approved escalation is no longer a private moment in one terminal (audit and outcomes). Anomity is SOC 2 Type II, and it complements - it does not replace - your EDR, XDR, DLP, network, and GRC controls. See how it works for the deployment model, the compare view for where it sits alongside adjacent tooling, and the docs for the artifact schema.
You can't govern what you can't see - and every OpenAI Codex feature that ships widens what you can't see by default.
Codex's 2026 releases are good engineering, and none of this is a knock on the tool. The point is that convenience and reach grew in the same year, and the fleet posture behind them did not grow on its own. Inventory the versions, the skills, the plugins, and the modes; enforce policy at the hook; keep the audit trail. If closing that gap for Codex is yours to own, book a 30-minute demo.
Frequently asked questions
What are the most security-relevant OpenAI Codex features in 2026?
The ones that change where Codex runs or what it can touch. Codex Remote (GA June 25, 2026) lets a phone drive a connected Mac or Windows host through QR pairing. Codex in the ChatGPT desktop app (July 9, 2026) adds a desktop surface with GitHub PR review. Computer Use expanded to Windows (May 29, 2026) gives OS-level reach. Skills and plugins on the agentskills.io standard add a supply-chain surface. Each is a new thing to inventory and govern, not just a productivity gain.
Does Codex Remote let a phone run code on my developers' machines?
Effectively, yes, within the host's controls. Codex Remote lets a developer start or continue work on a connected Mac or Windows host from the ChatGPT mobile apps, paired via an authenticated QR code. The action originates on a phone and lands on a desktop, so it is best treated as a remote-execution trigger. The host's sandbox mode and approval policy still apply, which is why knowing which endpoints have Codex Remote paired matters for fleet visibility.
Are Codex skills and plugins the same as Claude Code's?
They follow the same open standard. Codex adopted skills as reusable bundles of instructions following the agentskills.io specification, the same specification Claude Code uses, and plugins package skills, app integrations, and MCP server configuration together. Because the standard is shared, a poisoned or over-scoped skill is a cross-tool supply-chain risk rather than a single-vendor one. Anomity inventories skills and plugins as first-class artifacts on each endpoint.
What is Codex Auto-review and how does it affect approvals?
Auto-review lets Codex route eligible approval prompts through an automatic reviewer agent before the request runs. Sandbox and approval modes remain the core trust boundary, but Auto-review changes who sits at it: an approval that once paused for a human can now be resolved by an agent. That can improve consistency, but it also means the approval decision should be enforced org-wide and recorded durably rather than resolved privately in one session.
How does Codex in the ChatGPT desktop app change my endpoint inventory?
It adds a new surface. Codex is no longer only a CLI or a cloud IDE session; as of July 9, 2026 it is also a desktop application on macOS and Windows that can review GitHub pull requests. A desktop app that can shape or approve a PR is a real actor in your development flow and belongs in your inventory next to the CLIs and extensions your developers already run. Anomity's Endpoint Sensor discovers it as one of the eight AI artifact types it tracks.
Does Anomity read Codex source code or prompts?
No. Anomity's Endpoint Sensor collects metadata only and sends it over HTTPS to Anomity Cloud; it never transmits your source code or prompts, and secrets are redacted on the endpoint before anything leaves it. What it inventories is the presence and configuration of AI artifacts - agents, MCP servers, extensions, plugins, skills, secrets, hooks, and CLIs - so you can answer which Codex features are live on which endpoints without exposing the work itself.
How does Anomity enforce policy on Codex tool calls?
On agents that expose a hook, Anomity returns allow, deny, or log on each tool call before it runs, which turns an in-session Codex approval or an Auto-review decision into an enforced, org-wide policy at the trust boundary. Every decision is captured in a queryable 90-day audit trail and routed to your SIEM, Slack, email, or Jira. Anomity is SOC 2 Type II and complements your existing EDR, XDR, DLP, network, and GRC controls rather than replacing them.




