AI Geopolitics & Codex Sandboxing
TL;DR
Focus
Two Tier 3 frontier-lab posts qualified after dedup in the 36-hour window (May 14–15, 2026), both published on May 14. Anthropic released “2028: Two scenarios for global AI leadership”, a policy essay laying out the firm’s US-China AI competition framework around four fronts (intelligence, domestic adoption, global distribution, resilience) and two compute-policy outcome scenarios for 2028. OpenAI published “Building a safe, effective sandbox to enable Codex on Windows”, an engineering note on the Windows-native Codex sandbox built around two dedicated local users (CodexSandboxOffline, CodexSandboxOnline), DPAPI-protected credentials, firewall checks, a codex-command-runner.exe handoff, and a four-layer execution path. No Tier 1 flagship launches and no Tier 2 frontier-lab research papers cleared dedup in the window; arXiv submissions in the 2605.14xxx–2605.15xxx range have no frontier-lab affiliations and the May 13 NVIDIA AnyFlow report is already covered upstream.
Competitiveness
Neither artifact is a model release, so the “competitiveness” axis here is governance-and-engineering rather than benchmark capability. On the policy side, Anthropic’s essay is the most explicit US-frontier-lab statement to date in favour of tightening compute export controls and criminalizing large-scale distillation attacks against US frontier models; it cites the CAISI September 2025 finding that DeepSeek-R1-0528 complied with 94% of overtly malicious requests under a common jailbreak versus 8% for US reference models, and the April 2026 independent assessment of Moonshot Kimi K2.5 showing higher CBRN-refusal failure rates than US frontiers. The contrast with the parallel posture from Z.ai, MiniMax, and DeepSeek — which have lobbied through Chinese state media against US export controls — defines the policy axis of the AI-leadership competition that the “Mythos Preview wake-up call” section reframes as urgent. On the engineering side, OpenAI’s Codex Windows sandbox is positioned against Anthropic’s Claude Code sandboxing, GitHub Copilot Workspace, and Cursor; the May 14 post is a direct continuation of the April 17, 2026 OpenAI Agents SDK native-sandboxing release and the March 5, 2026 native Windows Codex launch, narrowing the gap between OpenAI’s and Anthropic’s enterprise-governance stories on local coding agents.
New frontier releases
No new flagship model launches in the past 36 hours. The latest LLM-side flagships remain GPT-5.5 (Apr 23, Intelligence Index 60.24 at xhigh), Claude Opus 4.7 (Apr 16, 57.28), DeepSeek-V4 Pro (Apr 24, 51.51), Kimi K2.6 (Apr 20, 53.90), Grok 4.3 (May 6); the latest image-generation flagship is Qwen-Image-2.0 (May 11); the latest video-distillation release is AnyFlow-Wan2.1-T2V-14B (NVIDIA / NUS Show Lab, May 13). All covered upstream.
Anthropic
2028: Two scenarios for global AI leadership
- Anthropic Policy team essay framing the US-China AI competition as a four-front contest over (1) intelligence — which countries build the most capable models; (2) domestic adoption — how effectively a country integrates AI across commercial and public sectors; (3) global distribution — whose hardware and models the world economy runs on; (4) resilience — sustaining political stability through the economic transition. The essay explicitly names intelligence as the most consequential of the four because it drives the other three, but argues that intelligence alone is insufficient if the CCP integrates near-frontier AI faster.
- Two named 2028 scenarios as the rhetorical structure. The essay’s “contributions” are the two outcome states it asks readers to choose between, each of which is reverse-engineered from a specific policy posture.
- Scenario 1 — commanding democratic lead. US frontier models are 12–24 months ahead on intelligence by 2028; PRC labs do not reach Mythos-Preview-class capability until 2029–2030; democracies set the global AI norms. The policy posture that produces this scenario: tightened compute export controls (chips and SME), enforcement against smuggling and offshore-data-center access, criminalization of distillation attacks, and active export of the US AI technology stack.
- Scenario 2 — CCP at near-parity. PRC labs sit a few months behind US frontiers, sustained by ongoing distillation attacks, smuggled and remotely-accessed US compute, weak SME export enforcement, and a loosening of controls. Huawei and Alibaba data centers fill the Global South on second-tier chips and “good-enough” PRC near-frontier models; CCP cyber operators close the AI-augmented offensive cyber gap.
- Compute as the single binding input. The essay’s core analytical claim is that compute is the only AI input where democracies hold a structural lead. It cites an analysis of Huawei vs. NVIDIA roadmaps projecting Huawei at 4% of NVIDIA’s aggregate processing performance in 2026 and 2% in 2027; a study estimate that closing remaining loopholes would give the US roughly 11× China’s sector compute; and the structural inability of China’s chipmakers to manufacture EUV-class chips or high-bandwidth memory at scale. Talent, data, and algorithms are positioned as compute-multipliers, not compute-substitutes — the essay argues algorithmic progress is itself a function of compute because experiments-per-day scales with compute.
- Two specific PRC catch-up channels named. (1) Illicit/evasive compute access: smuggling export-controlled chips into China (referenced via the March 2026 prosecution of a Supermicro co-founder over $2.5B in diverted servers) and remote use of US chips in Southeast Asian data centers by Alibaba and ByteDance (US export law covers sale, not remote access). (2) Illicit model access: large-scale distillation attacks creating thousands of fraudulent accounts to harvest US frontier-model outputs and replicate capabilities; this is described as “systematic industrial espionage,” with public condemnations from OpenAI, Google, Anthropic, and the Frontier Model Forum cited.
- Safety-evaluation contrast as evidence of misalignment risk. Cites the “State of AI Safety in China 2025” finding that only 3 of 13 top Chinese AI labs published any safety-evaluation results and none disclosed CBRN evaluations; CAISI’s September 2025 finding that DeepSeek-R1-0528 complied with 94% of overtly malicious requests under a common jailbreak versus 8% for US reference models; and an April 2026 independent arXiv assessment of Moonshot Kimi K2.5 showing far higher CBRN-refusal failure rates than US frontiers. The essay argues open-weights releases compound the problem because post-hoc safeguards can be removed.
- “Mythos Preview wake-up call.” The essay anchors policy urgency on Claude Mythos Preview — the gated April 2026 release under Project Glasswing — citing that Firefox fixed more security bugs with Mythos Preview access in one month than in all of 2025 (~20× its monthly average), and quoting a PRC cybersecurity analyst describing China as “sharpening swords while the other side has mounted a Gatling gun.” The argument: capability acceleration is now compounding faster than policy, so the window to lock in a 12–24 month lead is finite.
- Three concrete policy asks. (1) Close loopholes — smuggled chips, foreign-data-center remote access, and SME (Semiconductor Manufacturing Equipment) controls, with explicit reference to the FY2027 BIS enforcement budget. (2) Defend innovations — legislative clarification that distillation attacks are illegal, threat-intel sharing between US labs and with USG. (3) Champion American AI export — continued promotion of the US AI technology stack abroad to deny CCP foothold in Global South distribution.
- The essay also flags “resilience” (sustaining political stability through the economic transition) as the fourth front, but does not develop it in this piece, signaling a likely follow-up.
- Authorship: Anthropic Policy team (no individual byline). The essay sits inside the broader Anthropic narrative previously developed in Dario Amodei’s Machines of Loving Grace and The Adolescence of Technology, both of which it cites for the “country of geniuses in a datacenter” framing of transformative AI. Footnote 1 references a January 2026 bipartisan House bill (369–22) to close the remote-access loophole, pending Senate action — the legislative hook the essay is aligned with.
OpenAI
Building a safe, effective sandbox to enable Codex on Windows
- OpenAI engineering note on the Windows-native Codex sandbox shipped after the March 5, 2026 native-Windows Codex launch and following the April 17, 2026 Agents SDK native-sandboxing release. Codex CLI is at version 0.130.0 as of April 14, 2026. The agent runs locally with three constraints by design: write access scoped to the active workspace; outbound network blocked by default with an explicit allow-list; and the agent must request approval to act outside those boundaries.
- Mechanism — why AppContainer and Windows Sandbox were both rejected.
- Problem. Codex needs to invoke arbitrary developer tools — shells, Git, Python, package managers, build systems, test runners — against the user’s real working tree, with no elevation prompt and no host-guest file bridging. The set of binaries it will spawn is open-ended, and those binaries can themselves spawn children that ignore environment overrides.
- Mechanism. AppContainer is a capability-based isolation model that requires every accessible resource to be declared up-front in the app manifest. Windows Sandbox is a disposable lightweight VM with a strong isolation boundary but a separate desktop — anything done inside it disappears at session end. Both are the wrong shape: AppContainer because Codex’s working set is not known in advance, Windows Sandbox because Codex must act on the user’s actual checkout.
- Why. The right primitive has to (a) sit inside the user’s real session and act on the real filesystem; (b) survive child-process trees that test runners and build tools spawn; (c) enforce a hard network boundary at the OS level rather than via process-side environment variables (proxy settings, denybin paths) that processes can route around. That ruled out the two off-the-shelf Windows sandboxes and forced a from-scratch design.
- Mechanism — CodexSandboxOffline/CodexSandboxOnline two-user split.
- Problem. Earlier iterations of Codex on Windows used a synthetic sandbox-write SID, file ACLs, and a write-restricted token to keep writes inside the workspace. That blocked filesystem escapes (writes to .git, .codex, .agents were rejected) but left a network gap: a child process spawned by the agent could open sockets directly and exfiltrate or pull untrusted code, regardless of any environment-level proxy or denybin configuration.
- Mechanism. The current design provisions two dedicated local Windows users, CodexSandboxOffline (default) and CodexSandboxOnline (only when the user explicitly authorizes broader connectivity). Outbound network access is cut at the OS level for the offline identity via firewall rules — not at the application layer — so a child process cannot escape by opening its own socket. Credentials for the two identities are DPAPI-protected. Before each command handoff, a setup executable creates the sandbox users if needed and checks firewall state.
- Why. Pinning the boundary to a local Windows account, with firewall rules attached to that account, makes the network boundary follow the command tree rather than the first executable. Package managers, scripts, and test runners can fork as much as they like; every child inherits the offline identity and thus inherits the firewall block. The earlier proxy/denybin approach was application-layer; the user-account-plus-firewall approach is OS-level, which is the appropriate standard when the threat model is a build tool spawning unknown subprocesses.
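The per-account network boundary described above, as an added PowerShell illustration (this is not OpenAI’s code; the post does not show its implementation). It provisions one dedicated local account, binds an outbound Block rule to that account’s SID, verifies that the boundary is actually in force, and grants the account write access only to the workspace. The account name DemoSandboxOffline, the rule name, the icacls grant and the use of base64 random passwords are all assumptions made for this example; a production setup would also need profile directories and read ACLs tuned for the account.

```powershell
#Requires -RunAsAdministrator
# Added illustration, not OpenAI's code: provision one dedicated local
# account and bind an outbound firewall block to that account's SID so that
# every process running under it, including children spawned by package
# managers and test runners, loses network access at the OS level.
# Account, rule and path names are constructed for this example.

$SandboxUser = 'DemoSandboxOffline'
$RuleName    = "Outbound block for $SandboxUser"

function New-SandboxUser {
    param([string]$Name)
    $existing = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return [pscustomobject]@{ User = $existing; Password = $null } }

    # Random 256-bit password. The caller must DPAPI-protect it at once;
    # it is returned in plain text here only so that step can run.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain    = [Convert]::ToBase64String($bytes)
    $password = ConvertTo-SecureString $plain -AsPlainText -Force

    $user = New-LocalUser -Name $Name -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Sandbox identity for a local coding agent'
    # Membership in Users is what lets the host create processes as this account.
    Add-LocalGroupMember -Group 'Users' -Member $Name
    return [pscustomobject]@{ User = $user; Password = $plain }
}

function Add-OutboundBlockForUser {
    param([string]$Name, [string]$RuleName)
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    $sid = (Get-LocalUser -Name $Name).SID.Value
    # -LocalUser takes an SDDL string; the "A" ACE means "this rule matches
    # traffic from this principal" and -Action Block is what denies it.
    # Block rules take precedence over allow rules, so the default
    # outbound-allow policy does not help a process running as this account.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Profile Any -Enabled True -LocalUser "O:LSD:(A;;CC;;;$sid)" | Out-Null
}

function Test-OutboundBlockForUser {
    param([string]$Name, [string]$RuleName)
    # The block only means something if every firewall profile is on and the
    # rule is still enabled, still Block, and still bound to this account's SID.
    $profilesOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($profilesOff) { return $false }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') { return $false }
    $sid    = (Get-LocalUser -Name $Name).SID.Value
    $filter = $rule | Get-NetFirewallSecurityFilter
    return ($filter.LocalUser -like "*$sid*")
}

function Grant-WorkspaceWrite {
    param([string]$Name, [string]$Workspace)
    # Write access is granted on the active workspace only (Modify, inherited
    # by files and subfolders); nothing else on the disk becomes writable.
    icacls $Workspace /grant "${Name}:(OI)(CI)M" | Out-Null
}

# Usage (constructed): provision, bind the block, verify, then grant the workspace.
$provisioned = New-SandboxUser -Name $SandboxUser
Add-OutboundBlockForUser -Name $SandboxUser -RuleName $RuleName
if (-not (Test-OutboundBlockForUser -Name $SandboxUser -RuleName $RuleName)) {
    throw "Sandbox network boundary is not in place; refusing to hand off commands."
}
Grant-WorkspaceWrite -Name $SandboxUser -Workspace (Get-Location).Path
if ($provisioned.Password) { "New account created; protect the password with DPAPI now." }
```

The check in Test-OutboundBlockForUser is the part an administrator would wire into the pre-handoff step: a rule that has been disabled, re-pointed at another SID, or flipped to Allow leaves the account with full network access, and the firewall profiles being off has the same effect, so the runner should refuse to launch rather than assume the boundary holds.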
- Mechanism — codex-command-runner.exe and the four-layer execution path.
- Problem. Even with the right sandbox identity, the host Codex agent and the sandboxed child process need to exchange commands and results without either (a) leaking host credentials into the sandbox or (b) letting the sandbox escalate back into the host.
- Mechanism. Commands flow through a four-layer execution path: the host Codex process → an intermediary that authenticates with DPAPI-protected credentials → codex-command-runner.exe, which performs the firewall and identity check → the final child process running as the appropriate sandbox user. Each layer enforces a different check (credential, firewall state, write-restricted token, command-tree identity) before the child binary is spawned.
- Why. Defense-in-depth: a bypass at any one layer still has to defeat the next. A compromised child process running as CodexSandboxOffline still cannot open outbound sockets (firewall layer). A subverted runner binary still cannot read host credentials (DPAPI layer). The pipeline is what lets OpenAI ship the agent unelevated on a normal developer PC and still claim that “Codex can write inside the active workspace, read broadly across the system, and operate offline-by-default unless the user explicitly allows more connectivity.”
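The layered handoff, as an added PowerShell illustration of a minimal command runner (not OpenAI’s runner, whose internals the post does not publish). It recovers the sandbox account’s password from a DPAPI blob that only the host user can decrypt, refuses to launch unless the firewall and the per-account outbound block are active, and then starts the command as the sandbox account inside the workspace so the entire process tree inherits that identity. The account name DemoSandboxOffline, the rule name, the blob path under %LOCALAPPDATA% and the CurrentUser DPAPI scope are assumptions made for this example; it expects the account and rule to already exist.

```powershell
# Added illustration, not OpenAI's code: a minimal command runner that
# follows the layered handoff the post describes. Layers: (1) DPAPI-protected
# credential that only the host user can unprotect, (2) firewall-state and
# per-account block-rule check, (3) child spawned as the sandbox account in
# the workspace. Account, rule and blob names are constructed for this example.
Add-Type -AssemblyName System.Security   # ProtectedData on Windows PowerShell 5.1

$SandboxUser = 'DemoSandboxOffline'
$RuleName    = "Outbound block for $SandboxUser"
$BlobPath    = Join-Path $env:LOCALAPPDATA 'demo-sandbox\offline.dpapi'
$Scope       = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-SandboxPassword {
    param([string]$PlainText, [string]$Path)
    # CurrentUser scope binds the blob to the host user's logon secret, so the
    # sandbox account (or any other local user) cannot unprotect it.
    $raw  = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($raw, $null, $Scope)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    [IO.File]::WriteAllBytes($Path, $blob)
}

function Get-SandboxCredential {
    param([string]$User, [string]$Path)
    # Layer 1: only the host user's context can turn the blob back into a credential.
    $blob   = [IO.File]::ReadAllBytes($Path)
    $raw    = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
    $secure = ConvertTo-SecureString ([Text.Encoding]::UTF8.GetString($raw)) -AsPlainText -Force
    return [System.Management.Automation.PSCredential]::new("$env:COMPUTERNAME\$User", $secure)
}

function Test-SandboxFirewall {
    param([string]$RuleName)
    # Layer 2: every profile must be on and the block rule must be enabled and
    # still a Block rule; otherwise the sandbox identity has network access.
    $profilesOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($profilesOff) { return $false }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

function Invoke-SandboxedCommand {
    param([string]$Workspace, [string]$Command)
    if (-not (Test-SandboxFirewall -RuleName $RuleName)) {
        throw 'Refusing to run: firewall or per-account outbound block is not active.'
    }
    $cred = Get-SandboxCredential -User $SandboxUser -Path $BlobPath
    # Layer 3: the child runs as the sandbox account, and every process it
    # spawns inherits that identity, so the outbound block covers the whole tree.
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', $Command `
        -Credential $cred -WorkingDirectory $Workspace -NoNewWindow -PassThru -Wait
    return $proc.ExitCode
}

# Usage (constructed). Protect-SandboxPassword is run once by the host user
# with the password chosen at provisioning; afterwards the runner only ever
# touches the blob. Here a test suite is executed inside the workspace.
if (-not (Test-Path $BlobPath)) { throw "No DPAPI blob at $BlobPath; provision the account first." }
$exitCode = Invoke-SandboxedCommand -Workspace (Get-Location).Path -Command 'python -m pytest -q'
"sandboxed command exited with $exitCode"
```

The ordering matters for the defense-in-depth claim: the credential is only unprotected after the firewall check passes, so a runner that is tricked into skipping the check still has nothing to hand to the child, and a child that is compromised still runs under an account whose outbound traffic the firewall drops.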
- The post positions Codex against three competitors on the local-agent governance axis: Anthropic Claude Code, GitHub Copilot Workspace, and Cursor. The argument is that enterprise buyers are increasingly judging coding agents on sandboxing, approval rules, and centralized policy controls — not just autocomplete or code-generation benchmarks — and the Windows-native sandbox closes the largest remaining gap in OpenAI’s enterprise governance story.
- Two operational benchmarks set in the post for the new design: keep CodexSandboxOffline cut off from outbound traffic in production while Git, Python, package managers, and build tools still complete daily-development tasks fast enough that developers don’t disable the sandbox; and integrate cleanly with the wider Codex Security stack (threat modeling, isolated validation, patch proposals, dependency-risk analysis) that OpenAI is building alongside the agent.
- No new model weights, no API changes, no benchmark numbers in this post — it is a security-architecture explanation aimed at enterprise administrators. The mechanism details (two-user split, DPAPI, firewall, four-layer execution) are the substantive content; the rest of the post is product framing.