Six characters unlocked a new capability class. The @computer command, now available in the Codex app, gives OpenAI’s coding agent the ability to see and operate graphical user interfaces on Windows and macOS. Per OpenAI’s developer documentation, the agent can observe screen state, navigate menus, click interface elements, and execute actions across the full GUI layer of the operating system. That’s not code generation. That’s autonomous operation.
To understand what this week’s announcement means, you need the trajectory.
Codex began as a code generation model, text in, code out. The integration into GitHub Copilot made it a developer productivity layer. Goal Mode, which reached general availability in late May 2026, extended the capability to multi-step plan execution: break a high-level objective into subtasks, execute them in sequence, handle errors, and report back. The Goal Mode GA launch marked the shift from code generation to autonomous task execution. The Dell on-premises partnership then moved that capability into air-gapped enterprise environments, Codex running inside a private infrastructure perimeter, not on OpenAI’s cloud.
Windows computer use is the next layer. The agent no longer operates only in the terminal or through API calls. It operates at the graphical interface layer, the same layer a human operator uses. That’s a meaningful expansion of the action space. A terminal agent can run shell commands and call APIs. A GUI agent can interact with any application that has a visual interface, including applications that don’t expose APIs, legacy internal tools, browser-based enterprise software, and anything else a human would operate by clicking and typing.
The mobile remote layer is architecturally distinct from the computer use feature itself. ChatGPT for iOS and Android now lets developers monitor running Codex tasks on a host machine, issue mid-task steering instructions, and approve or halt actions before they execute. Per The Verge’s reporting, the connection allows a developer to “start Codex work on a Windows device from ChatGPT on iOS or Android.” That’s asynchronous human-in-the-loop oversight at the OS level. The practical value: a developer running a long Codex task doesn’t need to stay at the machine. They can check status, redirect, and approve from wherever they are.
This is also where the trust model gets complicated.
What the Capability Expansion Actually Requires
Each layer of Codex’s agentic surface expansion has increased the trust requirement. Code generation requires trusting the model’s output. Goal Mode requires trusting its planning and sequencing logic. Computer use requires trusting its action selection at the OS level, which means trusting it not to interact with systems it wasn’t intended to reach.
Agentic Action Model: API Tool Use vs. GUI Computer Use
Unanswered Questions
- Can @computer be scoped to specific applications, or does it have full desktop access?
- Does Codex computer use generate a complete action log suitable for enterprise audit requirements?
- What happens to a pending mobile approval action if the approving developer goes offline?
The permission architecture OpenAI has built around this matters more than the capability itself. The opt-in design (users must enable computer use explicitly in settings) and the mobile approval layer suggest OpenAI is structuring this as a supervised autonomous feature rather than a fully autonomous one. That’s the right architecture for the current capability level. The question for enterprise teams is whether the supervision mechanisms are sufficient for their environment.
Specific concerns worth evaluating before enabling @computer in production-adjacent environments:
Application scope. Can the agent be constrained to interact only with specified applications, or does it have access to the full desktop? A developer machine running Codex on a feature branch probably has access to the same credential stores, VPN clients, and internal tools as the developer. If the agent can interact with all of them, the risk surface is the full machine, not just the development environment.
Action logging. Enterprise audit requirements typically demand a record of what systems accessed what resources and when. If Codex computer use generates a complete action log, screenshots, actions taken, timestamps, that’s auditable. If it doesn’t, it’s invisible to the compliance layer.
Mobile approval latency. The mobile steering feature requires a responsive human. A developer who approves a Codex action from their phone during a meeting has probably spent fewer than ten seconds evaluating it. That’s a very short review window for an action that might involve writing to a database or modifying a configuration file. The approval mechanism is valuable. The quality of the approval depends entirely on the human using it.
The Competitive Context
OpenAI isn’t alone in expanding agentic surface area. Google’s agentic era positioning, the Project Astra and Gemini Live directions, includes real-world environment interaction as a stated capability direction. Anthropic’s Claude, now deployed in GitHub Copilot and Cursor, focuses on agentic coding tasks through tool-use APIs rather than GUI-level control. The architectural difference matters: API-mediated tool use is explicit and auditable by design. GUI-level computer use is implicit, the agent infers what actions are appropriate from what it sees on screen, which is a harder verification problem.
That difference has an enterprise evaluation implication. An agent that calls a defined API function is doing something you can log and constrain at the API layer. An agent that clicks through a GUI is doing something that looks, from a logging perspective, like a human operating the machine. Enterprise security teams evaluating these tools will need to decide which model they’re more comfortable supervising.
Codex Computer Use: Enterprise Deployment Risk
What to Watch
What to Watch
The model retirement timeline running in parallel is worth tracking alongside the computer use announcement. Multiple reports indicate GPT-4.5 retires from ChatGPT’s consumer interface on June 27, 2026, with o3 following on August 26. Both remain available via API. Teams accessing these models through API integrations don’t face a forced migration on these dates. Teams accessing them through ChatGPT directly do. The developer migration brief from May 29 has full migration planning context.
The more significant forward-looking signal is what comes after computer use. Codex’s trajectory, code generation, goal mode, OS control, mobile remote steering, follows a consistent pattern: each new capability layer increases autonomy and decreases the required physical presence of the developer. The logical next step in that pattern is a Codex that operates across multiple machines or cloud environments, not just a single desktop. That capability would require a fundamentally different access control model than what’s currently in place.
TJS Synthesis
Codex’s evolution from May 2024 to May 2026 is a case study in how agentic surface area expands incrementally until the aggregate capability is substantially different from what teams originally evaluated and approved. Enterprise teams that evaluated Codex as a code generation tool may not have built the permission architecture needed for an agent that can operate their Windows desktop.
Review your Codex deployment permissions before enabling computer use in any environment where the agent can reach production systems, credential stores, or internal tooling. The mobile approval layer is a useful oversight mechanism, but it shifts the quality-of-control problem to the human approver, not away from them. Run computer use in an isolated development environment with full action logging enabled, establish what an acceptable action scope looks like for your context, and verify that your team’s approval workflow actually produces the review quality the feature assumes. Independent security evaluation of the permission model should precede broad enterprise rollout.