OpenAI is pushing Codex beyond coding and toward a broader desktop workflow tool, raising a familiar enterprise question: How much control should an AI agent have over live business apps?
The company is reportedly working on a desktop “superapp” that would merge ChatGPT, Codex, and Atlas. Separately, OpenAI’s April 16 Codex update added background computer use, more than 90 plugins, browser access, memory features, and automations that can resume work over time. That makes Codex more useful for enterprise workflows, but harder for IT and security teams to govern.
How Codex moves from coding to workflow control
OpenAI is working on a desktop “superapp” that would merge ChatGPT, Codex, and its AI-powered Atlas browser into one app, The Verge reported, citing The Wall Street Journal.
The company’s April 16 Codex update moved Codex toward a broader agent workspace. OpenAI said Codex can use apps with its own cursor while multiple agents run in parallel on a Mac.
The update also added more than 90 plugins, an in-app browser, memory, automations, and SSH connections to remote devboxes in alpha. It can pull context from Slack, Gmail, Notion, Google Docs, and codebases to suggest what needs attention.
That direction mirrors Microsoft’s push toward always-on automation in Microsoft 365, where agents are moving closer to email, calendars, notifications, and daily workflow systems.
Background computer use is initially available on macOS, while personalization features are expected later for Enterprise, Edu, EU, and UK users. OpenAI also said June 2 that Codex had more than 5 million weekly active users, with knowledge workers making up about 20% of its user base.
Microsoft is testing a related idea with Project Solara concept devices, a sign that major vendors are exploring new ways for AI agents to participate in workplace tasks.
Why agent control is the security test
OpenAI has published enterprise controls for Codex, including no training on enterprise data, zero data retention for the App, CLI, and IDE, granular access controls, encryption, and audit logging through the ChatGPT Compliance API.
Those controls help with privacy and identity management, but not the harder question: what happens when software can act across live business systems?
OpenAI’s Codex security documentation warns that network access or web search can expose agents to prompt injection, where untrusted content causes the agent to fetch or follow malicious instructions. That risk grows when an agent can read files, call plugins, use credentials, or trigger actions across connected apps.
A reported npm supply-chain attack used a package posing as a Codex-related tool to steal OpenAI authentication tokens from developers, according to TechRadar. A separate Codex vulnerability reported by BeyondTrust Phantom Labs involved GitHub branch names that could be used for command injection and GitHub token exposure.
OpenAI is also pushing Codex deeper into defensive security work through Daybreak and Codex Security, making governance and approval controls more important as agents move closer to vulnerability detection and remediation.
For enterprise technology teams, the issue is whether agent actions across desktops, browsers, codebases, emails, calendars, documents, spreadsheets, and messaging tools can be governed, logged, approved, and reversed. Until those controls mature, the reported superapp is a promising enterprise workflow bet with a security model still under scrutiny.
Also read: ChatGPhish shows how prompt injection can turn trusted AI summaries into phishing lures.