OpenAI Agents SDK improves governance with sandbox execution

Introduction

In this tutorial, you'll learn how to implement sandbox execution using OpenAI's Agents SDK to create secure, governed automated workflows. This approach allows enterprise teams to deploy AI-powered systems with controlled risk while maintaining the flexibility to leverage frontier model capabilities. We'll walk through creating a sandboxed agent that can execute tasks while being constrained by governance rules.

Prerequisites

• Python 3.8 or higher
• OpenAI API key with appropriate permissions
• Basic understanding of Python and AI concepts
• OpenAI Python SDK installed: pip install openai
• Access to OpenAI Agents SDK (install with: pip install openai-agents)

Step-by-Step Instructions

1. Set Up Your Environment

First, create a new Python file and import the necessary libraries:

import os
from openai import OpenAI
from openai_agents import Agent, Sandbox, Workflow

# Initialize OpenAI client
client = OpenAI(api_key=os.getenv('OPENAI_API_KEY'))

This initializes the OpenAI client and imports the necessary components from the Agents SDK. The sandbox execution environment will be our secure container for agent operations.

2. Create a Basic Sandbox Configuration

Define your sandbox parameters to control execution environment:

sandbox_config = {
    "max_execution_time": 30,  # seconds
    "memory_limit": "100MB",
    "network_access": False,
    "file_system_access": "read_only",
    "allowed_functions": ["get_weather", "calculate", "format_response"]
}

sandbox = Sandbox(config=sandbox_config)

The sandbox configuration limits execution time, memory usage, and restricts file system access to prevent unauthorized operations. This is crucial for enterprise governance.

3. Define Your Agent's Capabilities

Create an agent that operates within the sandboxed environment:

def get_weather(location):
    # Mock weather function
    return f"Weather in {location}: Sunny, 22°C"

def calculate(operation, a, b):
    if operation == "add":
        return a + b
    elif operation == "multiply":
        return a * b
    return "Invalid operation"

def format_response(data):
    return f"Processed data: {data}"

# Create agent with limited capabilities
agent = Agent(
    name="GovernedAssistant",
    functions=[get_weather, calculate, format_response],
    sandbox=sandbox
)

This agent can only execute the functions explicitly allowed in the sandbox configuration, ensuring controlled operation.

4. Implement Workflow with Governance Rules

Define a workflow that demonstrates the sandboxed execution:

def governance_workflow(agent, task):
    # Pre-execution checks
    if "unauthorized" in task.lower():
        raise ValueError("Task violates governance rules")
    
    # Execute in sandboxed environment
    result = agent.run(task)
    return result

# Example workflow execution
try:
    workflow_result = governance_workflow(agent, "Get weather in London")
    print(workflow_result)
except Exception as e:
    print(f"Governance violation: {e}")

This workflow includes governance checks before execution, ensuring only approved tasks are processed.

5. Test the Sandboxed Execution

Run your sandboxed agent with various tasks to verify governance:

# Test 1: Valid task
valid_task = "Calculate 5 plus 3"
result1 = agent.run(valid_task)
print(f"Valid task result: {result1}")

# Test 2: Invalid task (should be blocked)
invalid_task = "Access system files and modify database"
try:
    result2 = agent.run(invalid_task)
    print(f"Invalid task result: {result2}")
except Exception as e:
    print(f"Blocked invalid task: {e}")

This demonstrates how the sandbox blocks unauthorized operations while allowing legitimate tasks to proceed.

6. Monitor and Log Execution

Implement logging for governance compliance:

import logging

# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

class GovernedAgent:
    def __init__(self, agent, sandbox):
        self.agent = agent
        self.sandbox = sandbox
        
    def execute_with_logging(self, task):
        logger.info(f"Executing task: {task}")
        
        # Check task against governance rules
        if self._is_governed_task(task):
            result = self.agent.run(task)
            logger.info(f"Task completed successfully: {result}")
            return result
        else:
            logger.warning(f"Task blocked by governance: {task}")
            raise ValueError("Task violates governance policies")
            
    def _is_governed_task(self, task):
        # Simple governance rules
        forbidden_words = ["delete", "modify", "system"]
        return not any(word in task.lower() for word in forbidden_words)

# Use the governed agent
governed_agent = GovernedAgent(agent, sandbox)
result = governed_agent.execute_with_logging("Get weather in Paris")
print(result)

This logging implementation provides audit trails for governance compliance, tracking all agent activities.

Summary

This tutorial demonstrated how to implement sandbox execution using OpenAI's Agents SDK for enterprise governance. By creating a controlled execution environment with limited capabilities and governance rules, you can deploy AI workflows with reduced risk while maintaining flexibility. The key components include:

• Sandbox configuration with resource limits
• Function-level access control
• Governance rule enforcement
• Execution logging and monitoring

This approach allows enterprise teams to transition from prototype to production without architectural compromises, leveraging frontier model capabilities while maintaining security and compliance.