OpenAI hides Codex agent instructions behind encryption, leaving developers in the dark
Jump to main content
Search
REG AD
AI and ML
OpenAI hides Codex agent instructions behind encryption, leaving developers in the dark
Developers worry encrypted MultiAgentV2 messages will make debugging and auditing harder
Thomas Claburn
Thomas<br>Claburn
AI AND SOFTWARE REPORTER
Published<br>wed 15 Jul 2026 // 00:00 UTC
OpenAI has never been as open as its name suggests and is becoming even less so.<br>The free-spending AI giant recently revised the multi-agent orchestration in its Codex command line interface to encrypt messages passed to subagents.<br>OpenAI's Codex supports multi-agent orchestration, a way to have a parent agent spawn child agents or delegate tasks to other agents that may call out to different models.
REG AD
Codex/GPT-5.6 introduced a protocol called multi-agent v2 that appears to be geared toward letting the runtime allocate work instead of leaving those decisions to user-declared configuration settings.
REG AD
Multi-agent v2 is still under development and OpenAI hasn't formally documented it yet. Developers, however, have observed changes made to Codex to accommodate the new agent plumbing – and some are concerned by the new arrangements.<br>Last month, OpenAI devs merged a pull request (a suggested code change) to encrypt multi-agent v2 message payloads – the text instruction passed between agents. The pull request prefaces its explanatory text with the word "Why" but doesn't actually offer a reason for the change.<br>It states: "Multi-agent v2 currently routes agent instructions through normal tool arguments and inter-agent context. That means the parent model can emit plaintext task text, Codex can persist it in history/rollouts, and the recipient can receive it as ordinary assistant-message JSON.<br>"This changes the v2 path so agent instructions stay encrypted between model calls: Responses [An OpenAI API - Ed] encrypts the message argument returned by the model, Codex forwards only that ciphertext, and Responses decrypts it internally for the recipient model."<br>A desire to enhance privacy and security, or conceal data that would be useful for model distillation, are sound reasons for these changes. Yet OpenAI has not said why it made the change.<br>In the absence of clear communication from OpenAI, developers have urged the company to ensure that its implementation doesn't sacrifice auditability to accommodate other concerns.<br>An issue opened by Ignat Remizov, CTO at payment service Zolvat, says, "The encrypted delivery path is understandable as privacy hardening, but it also removes the human-readable task/message text from local rollout history, trace reduction, and parent-side audit/debug surfaces."
MORE CONTEXT
Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs
If you want Claude to speak nicely to you, try Hindi or Arabic
New York becomes first state to halt datacenter buildouts
DeepMind bigbrain calls for America to set AI standards before it's too late
Remizov's concern is that developers and code maintainers will have less information to assess the instructions an agent received and the actions it took.
REG AD
"Guys, we don’t want to build Skynet and then be unable to audit what it’s doing," he quips.<br>Other developers, echoing Remizov's concern about the loss of observability, speculate that OpenAI has locked its agent messaging down to keep competitors from seeing how its multi-agent implementation works.<br>OpenAI did not immediately respond to a request for comment. ®
ai and ml<br>ai<br>agents<br>encryption<br>openai<br>codex
REG AD
networks
NTP server that travelled back in time caused massive Aussie mobile outage
Telstra skipped a patch, didn’t record changes, had no idea it was an accident waiting to happen
AI AND ML
South Korea making its own security-centric AI model
Adapting existing local LLM project for security and sovereignty purposes and hopes to one day match Mythos
Gobi X: Creating more energy for AI, not taking it from society
PARTNER CONTENT: How Envision is reversing the datacenter playbook by making computing chase abundant desert power, not the other way around
Systems
Chinese memory ban would cut off RAMpocalypse relief
Two US lawmakers push tighter curbs on chipmakers from the Middle Kingdom
PaaS + IaaS
Amazon Web Services' most vocal customer now runs EC2
Retail foundation leader Dave Treadwell takes over as senior leader and 19-year vet Dave Brown departs for pastures unknown
AI and ML
OpenAI admits GPT-5.6 occasionally deletes files – but it's an 'honest mistake'
Data purges deemed an example of 'misaligned behavior' that upstart is working to avoid
MOST POPULAR
ai and ml
Linus Torvalds tells AI haters to fork off
AI and ml
Musk promises purge after Grok Build caught sending entire repos to the cloud
DevOps
HTTP gets a QUERY method so complex searches can stop pretending to be POST
DEVOPS
Zig creator calls Bun’s Claude...