Skip to content
Back to Magazine
automation-aiops 4 min read

Codex on-prem: when software agents leave the public cloud

Does this apply to your company?

Free 30-min AI diagnostic →

Key Takeaways

  • - Proximity to code: large repos, history, dependencies, and conventions.
  • - Proximity to data: documentation, tickets, runbooks, analytics, and internal systems.
  • - Proximity to permissions: credentials, roles, approvals, and limits.
  • - Proximity to execution: tests, CI, staging, deployments, and observability.

Decision

Separate reliable automation from fragile demo before granting it autonomy.

Room

Operations review, architecture, security or platform.

Risk

Adding speed with no observability, rollback, ownership or stop criterion.

Agent prompt: identify guardrails, control points, likely failures and autonomy criteria

Problem

Many companies want software agents, but they don’t want to move all their sensitive context to a public cloud without fine-grained control. Code, credentials, internal systems, logs, documentation, operational data, and regulated environments are not accessories. They are the ground where the agent has to work.

The announced collaboration between OpenAI and Dell in May 2026 points to this bottleneck: Codex needs to get closer to the hybrid and on-prem environments where critical data and workflows already live.

Thesis

The next enterprise leap of agents won’t be just more intelligence. It will be operational proximity: agents that work close to data, repositories, registration systems, security policies, and internal controls.

Codex on-prem is not an infrastructure note. It’s a maturity signal: agents are leaving the playground and entering enterprise architecture.

Framework

An enterprise agent needs five proximities:

  • Proximity to code: large repos, history, dependencies, and conventions.
  • Proximity to data: documentation, tickets, runbooks, analytics, and internal systems.
  • Proximity to permissions: credentials, roles, approvals, and limits.
  • Proximity to execution: tests, CI, staging, deployments, and observability.
  • Proximity to audit: logs, diffs, tool calls, and reviewable decisions.

Mini-case: a healthcare company wants to use Codex to maintain internal software. The agent needs to read repositories, run tests, review incidents, generate changes, and prepare reports. But the environment’s data is regulated. Bringing the agent close to the governed infrastructure reduces friction and increases control.

Measurable signal: percentage of agent tasks that can be executed within approved environments without copying sensitive context outside.

Posture: the enterprise agent doesn’t win by being everywhere. It wins by being where the controls are.

Breathing: without internal context, the agent seems ready. With internal context, it starts to be useful.

What changes for medium-sized companies

Not all need on-prem. But all need to think about architecture:

  • what data can the agent see
  • where it runs
  • what commands it can execute
  • what logs it leaves
  • what environments it touches
  • what happens if it produces an incorrect change

The question is not “cloud or on-prem”. It’s what degree of control each workflow requires.

Common mistake

The anti-example is treating software agents like generic SaaS. If the agent doesn’t understand repositories, internal systems, security, deployment, and ownership, it only produces loose patches.

The challenge is not giving it access to more things. It’s giving it the right access to the right things.

Protocol (3 steps)

  1. Classify workflows by sensitivity. Public code, internal repos, customer data, regulated environments.
  2. Define runtime and permissions by level. Local, remotely managed, hybrid, or on-prem according to risk.
  3. Demand full traceability. Diffs, commands, approvals, tests, and rollback.
LevelWhere it runsTypical use
Localuser’s machineindividual tasks
Remotely manageddevbox or approved environmentdistributed teams
Hybridinternal data + connected agententerprise workflows
On-premown infrastructuresensitive or regulated data

Consulted sources

Next step

If your software agents need to touch repos, data, and internal systems, first define where they should live. We can map it out in a diagnostic.


Translated from the Spanish original with AI assistance and reviewed for accuracy. Read the original in Spanish.

codex on-prem enterprise-agents
Cite this article

Berthelius, V. (2026). “Codex on-prem: when software agents leave the public cloud”. BRTHLS Magazine. https://www.brthls.com/magazine/codex-on-prem-software-agents-public-cloud-en

Fractional CAIO · Free diagnostic

Is your company ready to operate with AI?

30 minutes. No pitch. An honest read on where you are and what to move first.

Book free diagnostic