AI News

OpenAI has changed how Codex handles communication between its internal AI agents, making a previously visible part of the system unreadable to developers. According to reporting from The Decoder, Codex has encrypted the instructions a main agent sends to subagents since early June, so users now see opaque strings in session history instead of readable task descriptions.

The change matters because coding assistants are moving beyond single-turn autocomplete into multi-step systems that split work across specialized agents. In that setup, the handoff instructions are often the clearest window into what the system is actually doing. If developers cannot inspect those internal delegations, debugging, auditing, and trust become harder just as teams consider using tools like Codex for larger software tasks.

What changed in Codex

The core reported change is straightforward: internal instructions between agents in Codex are now encrypted. The Decoder says developers can no longer read how a primary agent assigns work to subagents, because the session log now shows unreadable text in place of plain-language task descriptions.

The publication reports that the behavior began in early June. It also says the enforcement varies by model. For the larger GPT-5.6 variants, Sol and Terra, encryption is described as mandatory. The smallest GPT-5.6 variant, Luna, reportedly still uses a readable path. The Decoder further reports that GPT-5.5 briefly prevented developers from disabling encryption through a toggle, but has since been switched back to a readable path.

Those details, if accurate, suggest OpenAI is not applying one uniform policy across all model tiers. Instead, the company appears to be testing or enforcing different observability rules depending on model size or deployment path. OpenAI had not publicly explained the reason for the change in the source material provided.

Why developers care about internal delegation

For users of agentic coding systems, internal messages are not a cosmetic detail. They are often the only practical way to understand whether a model decomposed a task correctly, sent the right instructions to a tool-using subagent, or went off track before producing code.

That matters especially in Codex-like workflows where an AI system may plan, call tools, inspect files, propose edits, and hand specialized steps to internal workers. When those steps are visible, developers can often catch obvious failure modes early: a subagent was asked the wrong question, was given stale context, or was told to operate on the wrong repository path. Once those instructions are hidden, users are left evaluating only the final output and whatever surface-level logs remain.

The Decoder points to a GitHub bug report asking OpenAI to store a readable local copy of the delegated task alongside the encrypted version. That request reflects a common enterprise need: companies may accept secure transport or backend privacy controls, but still want local auditability for engineering and compliance workflows. Without it, observability degrades at the exact moment AI coding products are asking to be trusted with more autonomy.

Reliability concerns are surfacing alongside the privacy shift

The reporting does not stop at transparency. The Decoder says several developers have reported failed handoffs where encrypted content could not be decrypted by a subagent. In some cases, the issue allegedly appeared even when the main agent and subagent were using the same model.

If that pattern holds beyond anecdotal reports, it would turn a visibility problem into an operational one. Hidden delegation is one thing; hidden delegation that can also silently break is more consequential for teams using AI coding tools in production or near-production workflows.

The available evidence here is limited. The source describes developer reports, not a formal OpenAI incident notice or a verified error-rate disclosure. There is no published number on how often these failures occur, which users are affected, or whether the issue is isolated to specific configurations in GPT-5.6. Still, even unquantified complaints matter because agentic systems depend on reliable context transfer. A brittle handoff layer can undermine the value of the higher-level automation.

For builders evaluating Codex against other coding assistant products, this creates a practical question: how much opacity are they willing to accept in exchange for convenience or model quality? In AI agents, reliability and inspectability often matter as much as raw benchmark performance.

What OpenAI has confirmed — and what remains speculation

The strongest confirmed fact in the source set is the product behavior itself: developers are seeing encrypted agent-to-agent instructions in Codex. The Decoder says OpenAI has not explained why.

The rest of the interpretation is still unconfirmed. One theory circulating in the community, cited by The Decoder, is that OpenAI may want to protect valuable internal traces from competitors. The idea is that agent handoffs contain rich training data about decomposition, planning, and execution, and exposing them could make it easier for rival model makers to distill similar behavior.

The report links that suspicion to broader industry concerns about model distillation, including recent discussion around Zhipu AI and the open model GLM-5.2. But that remains inference, not evidence that this specific Codex change was driven by competitive defense. There is no direct statement from OpenAI in the supplied sources tying encrypted delegation to anti-distillation efforts.

A second explanation in The Decoder is simpler: the encryption may be part of an existing privacy or state-handling architecture. The report notes that OpenAI’s API already encrypts intermediate states so they can be forwarded in later requests without storing plaintext on servers. If Codex has extended that approach to agent handoffs, the move could be more about internal security design than secrecy from end users.

At this stage, both explanations remain plausible. What is missing is OpenAI’s own rationale, along with documentation on whether users can retain readable local traces, whether encrypted handoffs are optional in some deployment modes, and how the company expects developers to debug multi-agent workflows when the internal task graph is obscured.

What this means for AI builders and enterprise buyers

This Codex change lands at an awkward moment for enterprise AI. Buyers increasingly want AI agents that can do more than suggest code; they want systems that can investigate bugs, modify multiple files, run tests, and coordinate subtasks. But the more autonomy a system gets, the more enterprises usually demand traceability.

That tension is now visible in Codex. If OpenAI locks down internal messages in GPT-5.6, Sol, and Terra while leaving Luna more open, product teams may need to choose between higher-capability models and better transparency. That is not just a user-experience issue. It affects root-cause analysis, incident review, compliance signoff, and internal acceptance by security teams.

For builders of AI agents and coding assistant platforms, the episode highlights a wider design tradeoff. Exposing chain-of-thought-like internal traces can improve debugging, trust, and user learning. Hiding them can reduce leakage risk, simplify safety boundaries, or protect proprietary orchestration methods. The challenge is that enterprise customers often want both: strong privacy controls and strong observability.

The Decoder’s reporting suggests OpenAI may currently be prioritizing one side of that balance in parts of Codex. If so, competitors may see an opening. Vendors that can offer agent transparency, local logging, or auditable delegation without exposing sensitive backend reasoning could appeal to buyers who are uneasy about black-box automation.

Evidence and claims

The underlying evidence for this story comes primarily from The Decoder’s reporting on Codex behavior and developer feedback. The article states that encrypted handoffs have appeared since early June and identifies model-specific behavior across GPT-5.5 and GPT-5.6, including Sol, Terra, and Luna. It also cites a GitHub bug report and developer complaints about failed decryption in subagent handoffs.

What is not present in the source material is an OpenAI product note, formal documentation update, benchmark data, support bulletin, or executive statement explaining the policy. That means the mechanism is reported and observed, but the motivation is not confirmed.

Likewise, claims that the move is intended to block distillation or shield raw reasoning traces are community theories relayed by The Decoder, not established fact. References to Zhipu AI, GLM-5.2, GPT-5.5, and Opus 4.8 provide market context for why developers suspect competitive protection, but they do not prove OpenAI’s intent in Codex.

What to watch next

The next important signal is whether OpenAI publishes documentation for Codex explaining the encryption policy and the intended developer workflow for debugging AI agents. A second key issue is whether the company adds an option for readable local logs while keeping encrypted transport or storage on the backend.

Builders should also watch whether reports of decryption failures continue in GPT-5.6, particularly on Sol and Terra, or whether the problem was a short-lived implementation issue. If OpenAI quietly expands readable access again, as The Decoder says it did for GPT-5.5, that would suggest user pushback is influencing product decisions.

More broadly, this is a test case for the next generation of enterprise AI tools. As AI agents become more common inside coding assistant products, buyers will need to decide how much internal opacity they can tolerate. Vendors, in turn, will have to show whether they can protect sensitive system traces without turning critical automation into a black box.

Creati.ai perspective

The significance of this Codex change is not the encryption itself. Secure internal state handling is normal. The real issue is the loss of inspectability in an agentic product category that is asking users to hand over more workflow control. If developers cannot see delegation, they lose one of the few practical tools they have for validating and correcting AI behavior before bad code lands downstream.

For the market, Codex is surfacing a design conflict that many AI agents will face. Model providers want to protect internal traces, reduce leakage, and manage safety. Customers want observability, reproducibility, and operational trust. The winners in enterprise AI may be the platforms that can reconcile those demands rather than forcing users to choose between capability and clarity.

Featured

OpenAI’s Codex is now hiding agent-to-agent instructions, raising transparency and reliability concerns for developers

OpenAI’s Codex now encrypts internal agent handoffs, limiting developer visibility into delegation and raising reliability questions for AI coding workflows.