AI Infrastructure
OpenAI Ona Brings Persistent Codex Agents [Deep Dive]
Published June 12, 2026 by Dillip Chowdary
OpenAI will acquire Ona to bring secure, persistent cloud execution into Codex for long-running software and knowledge-work agents.
Why Builders Should Care
This signal matters because it changes a live production decision: where agents run, how dependencies install, how security queues are triaged, or how teams compose model infrastructure. The practical question is whether the change can be adopted behind existing controls without creating hidden access paths, brittle CI behavior, or unmanaged cost.
Codex Scale
OpenAI says more than 5 million people use Codex each week, up 400% from earlier this year. The engineering consequence is not just adoption; it changes how teams budget rollout, observability, rollback, and policy enforcement.
Customer Control
Ona's model keeps agent execution inside customer cloud boundaries with scoped credentials, logs, and review paths.
Long Horizon
The target workload is work that continues for hours or days after the initiating machine is closed.
Implementation Checklist
- Inventory: Map affected repositories, runtimes, clouds, agent workspaces, and data stores.
- Guardrails: Add policy checks for credentials, network reachability, audit logs, and approval gates.
- Rollout: Test the change in a representative staging path before enabling it broadly.
- Telemetry: Capture traces, deployment events, and rollback signals so production behavior is reviewable.
The Control Plane Question
Persistent agents turn the workspace into infrastructure. A short-lived local coding session can rely on a developer's shell, browser, and judgment; a cloud agent that runs for hours needs a durable policy layer. That layer should define which repositories can be mounted, which package registries can be contacted, which secrets can be read, and which actions require a reviewer before the result is merged or deployed.
The most important design choice is credential scoping. If an agent inherits broad human permissions, the organization has simply moved an overpowered desktop into a cloud loop. A better pattern is task-scoped identity: create a temporary workspace role for one repository, one ticket, and one bounded class of tools, then expire it after completion or inactivity.
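The task-scoped identity described above can be sketched as a small default-deny policy check with sticky expiry and a reviewer gate. This is an added example, not code from OpenAI, Ona, or Codex; the `TaskGrant` class, its field names, and the sample ticket, repository, registry, and secret values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TaskGrant:
    """Hypothetical task-scoped identity: one repository, one ticket, bounded tools."""
    ticket: str
    scope: dict          # kind ("mount", "tool", "registry", "secret") -> allowed targets
    gated: frozenset     # actions that need a named reviewer before they proceed
    issued_at: float
    max_lifetime: float  # seconds; hard ceiling on the grant
    idle_timeout: float  # seconds without an allowed request before expiry
    last_used: float = None
    revoked: str = ""    # sticky reason; once set, the grant never revives
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.last_used = self.issued_at

    def complete(self):
        """Expire the grant when the task finishes."""
        self.revoked = self.revoked or "task-completed"

    def decide(self, now, kind, target, reviewer=None):
        if not self.revoked:
            if now - self.issued_at > self.max_lifetime:
                self.revoked = "lifetime-expired"
            elif now - self.last_used > self.idle_timeout:
                self.revoked = "idle-expired"
        if self.revoked:
            verdict = "deny:" + self.revoked
        elif target in self.gated:
            verdict = "allow" if reviewer else "needs-review"
        elif target in self.scope.get(kind, ()):
            verdict = "allow"
        else:
            verdict = "deny:out-of-scope"   # default deny
        if verdict == "allow":
            self.last_used = now            # only allowed work counts as activity
        self.audit.append((now, self.ticket, kind, target, reviewer, verdict))
        return verdict

def demo_grant(now=0.0):
    """Constructed sample grant; every value here is illustrative."""
    return TaskGrant(
        ticket="TICKET-0000",
        scope={"mount": {"acme/billing"}, "tool": {"pytest", "open-pr"},
               "registry": {"pypi.internal.example"}, "secret": {"ci/billing/test-db"}},
        gated=frozenset({"merge", "deploy"}),
        issued_at=now, max_lifetime=8 * 3600, idle_timeout=30 * 60)
```

Denied and review-pending requests are logged but do not reset the idle clock, so an agent cannot keep an expired-in-practice grant alive by probing out-of-scope resources.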
Observability For Work That Outlives The Session
Long-running Codex work also needs a transcript that is useful to engineers, security teams, and auditors. The trace should include prompts, tool calls, file diffs, dependency installs, tests executed, network destinations, and review decisions. Without that record, the team cannot explain why an agent changed a build file, why a package version moved, or why a failing test was ignored.
A practical rollout can start with read-mostly workflows: reproduce a bug, generate a migration plan, summarize a dependency graph, or prepare a pull request that cannot merge itself. As confidence grows, write permissions can expand behind branch protection, mandatory tests, and owner review. The acquisition makes sense because cloud execution is not a convenience feature; it is the missing operating substrate for agent work that has to be reliable after the user walks away.