AIToday

OpenAI's Codex encrypts agent instructions, blocking developer visibility

THE DECODER1h ago
OpenAI's Codex encrypts agent instructions, blocking developer visibility

Key takeaway

OpenAI's Codex has encrypted agent-to-agent communications since early June, preventing developers from seeing how tasks are delegated internally. The change affects the larger GPT-5.6 model variants (Sol and Terra), though GPT-5.5 has been reverted to show readable instructions. OpenAI has not explained whether the encryption aims to block competitors from training on agent communication or to protect user data privacy. Developers report that the encrypted handoffs sometimes fail to decrypt, creating reliability issues alongside lost visibility into how their AI agents divide work.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • What happened

    Since early June, OpenAI's Codex coding tool has encrypted the instructions that main AI agents pass to subagents. Developers can no longer see readable task descriptions in session history—only an unreadable encrypted string. GPT-5.5 initially blocked the ability to turn off encryption entirely; OpenAI has since re-enabled the toggle for GPT-5.5, but the larger GPT-5.6 variants (Sol and Terra) remain encrypted. Only the smallest variant, Luna, still displays readable agent communication.

  • Why it matters

    As coding tools become agentic systems that autonomously break down and delegate tasks, the ability to track internal processes is critical for developers managing and debugging their workflows. The encryption also appears unreliable—several developers report that encrypted handoffs between agents fail because the content cannot be decrypted, even when both agents use the same model. OpenAI has not confirmed whether the change aims to prevent competitors from training on agent communication (a suspected concern after Zhipu AI's GLM-5.2 was suspected of distillation from GPT-5.5 and Opus 4.8), to protect user privacy in API data handling, or both.

  • What to watch

    A GitHub bug report requests that OpenAI store a readable copy of encrypted tasks locally alongside the encrypted version, offering a path to restore developer visibility. OpenAI's eventual clarification of the encryption's purpose—distillation prevention, privacy, or both—and any decision to address the decryption failures will shape how developers adopt these agentic features.

In Depth

Since early June, OpenAI's Codex coding tool has begun encrypting the instructions that main AI agents send to their subagents, fundamentally changing how developers interact with agentic workflows. The change manifests as an unreadable encrypted string in session history where developers previously saw a plain-text task description. This encryption was initially applied across the board: GPT-5.5 initially had no option to disable it, cutting off visibility entirely. OpenAI has since re-enabled a toggle for GPT-5.5 to restore readable communication, but the larger GPT-5.6 variants—Sol and Terra—remain encrypted. Only Luna, the smallest variant, continues to display readable agent-to-agent instructions.

The practical impact on developers has been twofold. First, they can no longer inspect how tasks get broken down and delegated across the agent system, complicating debugging and auditing of autonomous decision-making. Second, the encrypted system appears unreliable. Several developers report that the encrypted handoff to a subagent fails because the content cannot be decrypted—sometimes even when both the main agent and subagent use the same model. A GitHub bug report explicitly calls on OpenAI to store a readable copy of the task locally alongside the encrypted version, offering a path to restore developer transparency.

OpenAI has not disclosed why it implemented the encryption. Community suspicion centers on two theories. One is distillation prevention: agent-to-agent communication is rich training data that rivals can use to lift a weaker model toward a stronger one's performance level. This concern is not hypothetical—Zhipu AI's open GLM-5.2 model was recently suspected of having been distilled from GPT-5.5 and Opus 4.8. By encrypting these internal communications, OpenAI would block competitors from harvesting this valuable material. A second, simpler explanation is data privacy: OpenAI's API already encrypts intermediate states so they can be forwarded in follow-up requests without storing plaintext on its servers, and the agent-encryption may follow the same logic. Until OpenAI confirms which concern (or both) prompted the change, and addresses the reported decryption failures, developers adopting agentic Codex workflows will face both reduced visibility and potential reliability gaps.

Context & Analysis

OpenAI's move to encrypt agent-to-agent communication reflects a critical tension in the evolution of agentic AI systems. As coding tools increasingly adopt the ability to autonomously break down tasks, delegate them to subagents, and operate without direct human supervision, the question of transparency becomes both a technical and competitive concern. The body notes that agent-to-agent communication is valuable training data—a suspected reason that Zhipu AI's open GLM-5.2 model drew suspicion of distillation from GPT-5.5 and Opus 4.8. By encrypting these internal handoffs, OpenAI may be attempting to protect intellectual property embedded in reasoning traces and task delegation patterns from competitors seeking to train weaker models toward stronger performance levels.

However, the immediate cost is substantial. Developers lose visibility into how their own agents delegate work, making debugging and auditing of agentic behavior harder at precisely the moment when autonomous decision-making is becoming more common. The fact that the encryption appears unreliable—failing to decrypt even within matched model pairs—suggests the feature may not yet be mature. OpenAI's decision to restore the toggle for GPT-5.5 while keeping Sol and Terra encrypted hints at ongoing internal debate about the trade-off between competitive protection and developer usability. Until OpenAI clarifies its intent and addresses the decryption failures, developers will face both a visibility problem and a reliability risk.

FAQ

Which OpenAI models are affected by the encryption?
GPT-5.6 variants (Sol and Terra) now use encrypted agent communication. GPT-5.5 initially had no toggle to disable encryption, but OpenAI has since restored the ability to turn it off. Only Luna, the smallest variant, still displays readable instructions.
What problems are developers experiencing with the encryption?
Several developers report that encrypted handoffs to subagents fail to decrypt, sometimes even when the main agent and subagent use the same model. Session history now shows an unreadable string instead of a readable task description, blocking visibility into internal delegation.
Why might OpenAI have added this encryption?
OpenAI has not confirmed the reason. Community members suspect it prevents competitors from training on agent communication (given concerns about distillation—such as Zhipu AI's GLM-5.2 being suspected of distillation from GPT-5.5 and Opus 4.8). A simpler explanation is that OpenAI's API already encrypts intermediate states for secure forwarding in follow-up requests without storing plaintext on servers.

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →