OpenAI Agents SDK improves governance with sandbox execution

OpenAI has unveiled a significant iteration of its Agents SDK, introducing sandboxed execution as a first-class primitive and reframing the control harness around the way frontier models actually want to work. For enterprise governance, risk and platform teams, this is one of the more consequential agent-infrastructure releases of the year.

Why enterprises got stuck between three bad options

Teams moving agents from prototype to production have been forced into uncomfortable architectural trade-offs:

• Model-agnostic frameworks offered portability but left the best capabilities of frontier models on the table.
• Model-provider SDKs hugged the underlying model closely, but gave limited visibility into the control harness.
• Managed agent APIs simplified deployment but locked workloads into a narrow execution environment and constrained access to sensitive corporate data.

The updated Agents SDK is OpenAI's attempt to collapse this trilemma by shipping standardised infrastructure with a model-native harness and native sandbox execution.

A model-native harness, not yet another framework

The new harness aligns execution with the natural operating pattern of OpenAI's models. That matters most when a task requires coordination across systems � retrieval, tools, filesystems, memory � and reliability is the deciding factor between a demo and a production rollout.

Oscar Health offered an early example. The health insurer tested the updated infrastructure on a clinical-records workflow that previous approaches could not handle reliably. Beyond extracting metadata, the system had to understand the boundaries of individual patient encounters inside long, messy medical files.

"The updated Agents SDK made it production-viable for us to automate a critical clinical records workflow that previous approaches couldn't handle reliably enough," said Rachael Burns, Staff Engineer and AI Tech Lead at Oscar Health. "The difference was not just extracting the right metadata, but correctly understanding the boundaries of each encounter in long, complex records."

On the developer side, the harness bundles what used to be bespoke plumbing:

• Configurable memory and sandbox-aware orchestration
• Codex-like filesystem tools, including an apply_patch tool for file edits
• Tool use via MCP (Model Context Protocol)
• Custom instructions via AGENTS.md
• Progressive disclosure via skills, and code execution via a shell tool

The pitch is familiar: stop rebuilding brittle custom connectors and focus engineering effort on domain logic.

The Manifest: a predictable workspace for autonomous code

Legacy stacks rarely welcome autonomous programs politely. Retrieval has to be precise; vector stores need to stay in sync; hallucinations have to be contained; and compute has to be kept under control. Without a standard surface, teams end up gluing it all together by hand.

The SDK introduces a Manifest abstraction to describe the agent's workspace: which local files are mounted, where outputs go, and how the environment is organised. Manifests connect directly to the major enterprise object stores � AWS S3, Azure Blob Storage, Google Cloud Storage, and Cloudflare R2 � so the model sees a predictable view of where to read inputs, write outputs, and keep state during long runs.

Two governance wins fall out of this:

1. The agent is steered away from unfiltered data lakes and into specific, validated context windows.
2. Data-governance teams can trace the provenance of every automated decision, from local prototyping all the way through to production.

Native sandbox execution: the security argument

The SDK now natively supports sandbox execution, giving teams an out-of-the-box layer for running agent code inside controlled environments that already contain the required files and dependencies. Engineering teams can bring their own sandbox � or use built-in integrations with Blaxel, Cloudflare, Daytona, E2B, Modal, Runloop, and Vercel.

Risk mitigation is the headline. Any system that reads external data or executes generated code must be assumed to face prompt injection and exfiltration attempts. OpenAI's architectural answer is to separate the control harness from the compute layer: credentials live with the harness, never in the environment where model-generated code actually runs. An injected malicious command in the sandbox cannot reach the control plane or steal primary API keys, blunting the lateral-movement path that keeps security teams up at night.

Snapshotting: why this is also a cost story

Security is not the only reason to care about the separation. Long-running agents fail � containers crash, networks drop, API limits hit. If a twenty-step agent compiling a financial report dies on step nineteen, re-running the whole sequence burns expensive compute.

Because state is externalised, the SDK supports snapshotting and rehydration: if a sandbox container is lost, the infrastructure restores state in a fresh container and resumes from the last checkpoint. Finance teams, meet your new favourite feature.

The same separation also unlocks dynamic scaling:

• Runs can invoke one or many sandboxes depending on load
• Specific subagents can be routed into isolated environments
• Tasks can be parallelised across containers for faster wall-clock times

Availability and what's next

The new harness and sandbox capabilities are generally available via the API, priced on standard tokens-and-tool-use � no custom procurement contract required. They launch first for Python, with TypeScript support slated for a future release.

OpenAI says additional capabilities, including code mode and subagents, will land in both the Python and TypeScript libraries. The ecosystem is also expected to widen, with more sandbox providers and more ways to plug the SDK into existing internal systems.

What to take away

For platform and governance leads, three things are worth flagging to your teams:

1. Separation of harness and compute is the new baseline. If your internal agent framework still executes model-generated code inside the same environment that holds your credentials, you now have a visible reference architecture arguing against it.
2. Manifests are an opportunity to tidy up data access. Even if you don't adopt OpenAI's SDK, the pattern � declare the workspace, point at governed storage, restrict the context window � is a pragmatic control you can copy.
3. Sandbox portability matters. Built-in support for multiple sandbox providers means this is less of a lock-in story than earlier agent platforms, which makes it easier to justify internally.

Whether the Agents SDK becomes the default substrate for enterprise agents or simply raises the bar that every other framework must clear, the direction of travel is clear: production agents are becoming a governance problem first, and a model-quality problem second.