Enterprise Governance and Compliance

Your security team wants to know: who ran what, when, against which repository, and what model was used. Your compliance team needs audit logs exportable to your SIEM. Your CTO wants adoption dashboards. And your developers want all of this to happen without slowing them down. This article covers the governance layer that makes Codex enterprise-ready.

What You’ll Walk Away With

A complete enterprise setup checklist: enabling local and cloud Codex, configuring GitHub connectors, and managing environments
RBAC configuration using ChatGPT workspace roles and groups
Three approaches to usage monitoring: Analytics Dashboard, Analytics API, and Compliance API
Security controls including requirements.toml, MCP allowlisting, and zero data retention

Enterprise Setup Checklist

Enable Codex local in Workspace Settings > Settings and Permissions. Turn on “Allow members to use Codex Local.”
Enable Codex cloud by turning on the ChatGPT GitHub Connector and “Allow members to use Codex cloud.”
Configure the GitHub Connector IP allowlist with the ChatGPT egress ranges and Codex container egress ranges.
Create your first environment by connecting a repository and adding collaborator email addresses.
Configure RBAC to control who can access local, cloud, and admin features.
Set up the Slack integration if your team uses Slack, and configure answer posting policies.
Enable code review in Settings > Code review.
Deploy Team Config with shared config.toml, rules, and skills across your organization.

Role-Based Access Control (RBAC)

Codex integrates with ChatGPT’s RBAC system. Navigate to Settings & Permissions > Custom Roles in the admin page.

Create roles for different access levels:

Role	Local Access	Cloud Access	Admin Access
Developer	Yes	Yes	No
Senior Engineer	Yes	Yes	Environment edit
Platform Team	Yes	Yes	Full admin
Security Auditor	No	No	Analytics + Compliance API

Assign roles to groups created in the Groups tab. This controls who can use Codex locally, who can run cloud tasks, and who can administer environments and view analytics.

Team Config

Standardize Codex across your organization with Team Config, which ships shared defaults without duplicating setup:

Type	Path	Purpose
Config	`config.toml`	Sandbox mode, approval policy, model, reasoning effort
Rules	`rules/`	Which commands Codex can run outside the sandbox
Skills	`skills/`	Shared skills available to all team members

Deploy Team Config through your existing configuration management (Chef, Puppet, Ansible) or include it in your developer environment setup.

Admin-Enforced Requirements

requirements.toml constrains security-sensitive settings that users cannot override:

# Only allow these sandbox modes
allowed_sandbox_modes = ["read-only", "workspace-write"]

# Only allow these approval policies
allowed_approval_policies = ["untrusted", "on-failure", "on-request"]

# Restrict MCP servers to approved list
[mcp_servers.linear]
identity = { url = "https://mcp.linear.app/mcp" }

# Enforce command rules
[[rules.prefix_rules]]
pattern = [{ token = "rm" }, { token = "-rf" }]
decision = "forbidden"
justification = "Recursive force delete is not allowed"

Governance and Observability

Analytics Dashboard

The analytics dashboard provides real-time visibility:

Daily users by surface (CLI, IDE, Cloud, Code Review)
Daily code reviews and findings by priority
Cloud task volume and completion rates
Session and message counts per user

Export data in CSV or JSON for integration with your BI tools.

Analytics API

Automate reporting with the Analytics API:

Daily time-series metrics with optional per-user breakdowns
Code review activity: PRs reviewed, comments generated, severity breakdown
User engagement: replies, reactions, and feedback on Codex comments

Compliance API

The Compliance API provides audit-grade logs:

Prompt text sent to Codex
Responses generated
Identifiers: workspace, user, timestamp, model
Token usage and request metadata

Route these into your SIEM, eDiscovery, or DLP pipeline.

Security Controls

Zero Data Retention (ZDR)

Codex supports organizations with ZDR enabled. The CLI and IDE Extension have zero data retention by default. Cloud features follow your ChatGPT Enterprise retention policies.

Internet Access Controls

As an admin, you control whether users can enable agent internet access in cloud environments. Turn on Allow Codex agent to access the internet in workspace settings. Users then configure domain allowlists and HTTP method restrictions per environment.

Data Encryption

At rest: AES 256
In transit: TLS 1.2+
Secrets in cloud environments: additional encryption layer, removed before agent phase

When This Breaks

Users get “403 Unauthorized”: The admin has not enabled “Allow members to use Codex Local” or “Allow members to use Codex cloud” for their group.
Codex does not appear in ChatGPT: After enabling in workspace settings, allow up to 10 minutes for Codex to appear.
RBAC changes not taking effect: Role changes propagate within minutes but may require users to log out and back in.
Compliance API returns empty results: Verify the API token has the correct scopes and that the time window includes active sessions.
requirements.toml not enforced: The file must be at the correct system path. Check precedence: cloud-fetched requirements override local files for Business and Enterprise users.

What’s Next

Cost Management — Budget and optimize across your enterprise
Slack and Linear Integration — Configure enterprise data controls for integrations
Cloud Environments — Environment management and caching for teams