Product Manager, Codex Security Controls & Partner Interfaces
Tech Stack
Tag name is followed by "@" symbol and proficiency level value.
About proficiency levels:
- 1-2 — basic awareness. Minimal hands-on experience, and a rudimentary understanding of the technology's purpose;
- 3-6 — daily use. Comfortable and regular usage, capable of handling common tasks and challenges related to the technology;
- 7-9 — you are an expert, you can teach others, you know all the pitfalls and tricks;
- 10 — exceptional knowledge, comprehensive understanding, and adeptness in all aspects of the technology, including advanced problem-solving. Think twice before claiming or demanding such level.
AI @ 3
API @ 3
Audit @ 3
CI/CD @ 3
Codex @ 3
OAuth @ 2
Security @ 3
- 1-2 — basic awareness. Minimal hands-on experience, and a rudimentary understanding of the technology's purpose;
- 3-6 — daily use. Comfortable and regular usage, capable of handling common tasks and challenges related to the technology;
- 7-9 — you are an expert, you can teach others, you know all the pitfalls and tricks;
- 10 — exceptional knowledge, comprehensive understanding, and adeptness in all aspects of the technology, including advanced problem-solving. Think twice before claiming or demanding such level.
Details
About the Team
OpenAI’s Cyber team works to make frontier AI safe, trusted, and transformative for developers and enterprises.
This team is building the security foundation for Codex: the native controls that govern what Codex can access and do, and the interfaces that allow customers and security partners to inspect, constrain, approve, and respond to Codex activity.
Our goal is to make Codex secure by default, governable by enterprises, and interoperable with the security products customers already trust. This extends the existing product direction around tenant-scoped tools, guarded actions, approval systems, and scalable partner interfaces.
About the Role
We are looking for a deeply technical Product Manager to help build Codex security controls and the partner ecosystem around them.
This role focuses on securing Codex itself: how identity, permissions, tools, MCP servers, repositories, secrets, networks, and high-impact actions are governed across Codex products.
You will also help define standard interfaces through which authorized customer and partner systems can provide security context, inspect activity, return policy decisions, receive telemetry, and initiate bounded responses.
You will work closely with Codex product and engineering, OpenAI Security and Safety, enterprise customers, and partners across application security, identity, cloud security, data security, infrastructure, and security operations.
Responsibilities
Build native security controls for Codex
- Partner with engineering, design, security, and safety teams to develop controls for:
- Identity, roles, permissions, and tenant isolation.
- Access to repositories, files, tools, MCP servers, secrets, networks, and infrastructure.
- Read, write, execute, and deployment authority.
- Human and policy-based approvals.
- Prompt-injection and untrusted-content defenses.
- Audit trails, provenance, stop conditions, revocation, and rollback.
- Help establish a graduated authority model in which local, read-only, and reversible actions require less friction than actions involving production systems, credentials, sensitive data, or irreversible changes.
Define partner interfaces
- Develop common, versioned interfaces that allow customer-selected security products to participate in Codex workflows.
- Interfaces may support:
- Sharing trusted identity, task, resource, and environment context.
- Inspecting code, commands, artifacts, tool calls, or planned actions.
- Returning allow, deny, constrain, or require-approval decisions.
- Exporting normalized execution and security telemetry.
- Pausing activity, revoking access, or requiring reauthorization.
- Define requirements for authentication, authorization, customer consent, data minimization, latency, retries, failure behavior, auditability, and backwards compatibility.
- Ensure integrations use shared platform contracts rather than creating different Codex architectures for every partner.
Build the partner ecosystem
- Work directly with security vendors and enterprise design partners to turn the interfaces into production integrations.
- Create partner SDKs, reference implementations, technical documentation, test environments, conformance suites, and certification requirements.
- Prioritize partners based on customer value, technical relevance, deployment readiness, and their ability to improve the shared platform.
- Turn lessons from individual partner engagements into reusable product capabilities.
Shape the customer experience
- Define how enterprise administrators configure and understand Codex security controls, including policies by user, workspace, repository, environment, tool, or action; approved security providers and permitted data sharing; approval requirements and time-limited exceptions; policy inheritance and conflict resolution; audit, investigation, and incident-response workflows.
- Ensure developers receive clear, actionable explanations when an action is blocked or requires approval.
Establish evaluation and launch gates
- Work with security, safety, research, and engineering teams to test whether controls work under realistic and adversarial conditions.
- Evaluate risks such as permission bypass, prompt injection, malicious tools, secret exposure, cross-tenant access, stale authorization, partner outages, conflicting decisions, and incomplete audit evidence.
- Help determine when new Codex capabilities have sufficient controls, reliability, and usability for broader deployment.
Requirements
You might thrive in this role if you:
- Have built enterprise security, developer-platform, infrastructure, or control-plane products.
- Understand identity, authorization, sandboxing, secrets, tool use, APIs, and audit systems.
- Think in terms of trust boundaries, failure modes, and abuse paths.
- Can balance security, developer productivity, latency, reliability, and customer control.
- Have experience building integrations across complex enterprise systems or partner ecosystems.
- Can turn conflicting partner requirements into a coherent platform.
- Communicate credibly with developers, security architects, CISOs, researchers, and partner product teams.
- Prefer measurable security outcomes and real adoption over demonstrations or integration announcements.
Nice to Have
- Experience in application security, identity, cloud security, data security, source control, CI/CD, SIEM, or enterprise governance.
- Familiarity with RBAC, ABAC, policy-as-code, OAuth, OIDC, workload identity, or secrets management.
- Experience with AI agents, MCP, sandboxed execution, prompt-injection defenses, or agent-security evaluations.
- Experience building SDKs, developer platforms, integration marketplaces, or certification programs.
What Success Looks Like
- First six months: help establish a clear roadmap for native Codex controls and partner-extensible controls; a common architecture for security context, policy decisions, inspection, telemetry, and response; initial reference integrations with a focused group of partners; evaluation and launch criteria for high-risk Codex capabilities; baseline measures for control coverage, bypass resistance, latency, reliability, and developer experience.
- First year: help ship meaningful controls across sensitive Codex workflows, bring standardized partner interfaces into production use, and demonstrate enterprises can grant Codex greater authority without sacrificing visibility, control, or accountability.
About OpenAI
OpenAI is an AI research and deployment company dedicated to ensuring that general-purpose artificial intelligence benefits all of humanity. We push the boundaries of AI capabilities and seek to safely deploy them through our products. We are an equal opportunity employer and commit to providing reasonable accommodations to applicants with disabilities. Background checks will be administered in accordance with applicable law for US-based candidates.
Compensation & Benefits
- Base pay range: $293K - $385K (may vary by location, experience, and other factors).
- In addition to base salary: generous equity, performance-related bonuses (for eligible employees), and benefits including medical, dental, and vision insurance; employer contributions to Health Savings Accounts; pre-tax accounts for Health FSA, Dependent Care FSA, commuter expenses; 401(k) with employer match; paid parental leave and medical/caregiver leave; paid time off; 13+ paid company holidays and office closures; mental health and wellness support; employer-paid life and disability coverage; annual learning and development stipend; daily meals in offices and meal credits as eligible; relocation support for eligible employees.