OpenAI Planted Its Flag Inside Your Mac’s Security Layer

OpenAI shipped a feature this week that puts Codex inside your Mac's unlock gate. That should worry you.

On May 21, OpenAI pushed an update to Codex, its Mac app, that lets the AI continue working after you lock your screen. The feature is called locked computer use, and the mechanism is not what you'd expect. Rather than capturing your screen or patching an API, Codex installs an Apple authorization plug-in when you enable the feature. The bundle, CodexComputerUseAuthorizationPlugin.bundle, is included inside the Codex app at /Applications/Codex.app/Contents/Resources/plugins/openai-bundled/plugins/computer-use/. It is signed by Developer ID Application: OpenAI OpCo, LLC, with bundle identifier com.openai.sky.CUAService.AuthorizationPlugin, and uses the macOS authorization plug-in runtime. When installed, it registers with the operating system's authorization database and participates in the unlock flow, the same gate that checks your password or biometric before granting access. One user reported the bundle installs to /Library/Security/SecurityAgentPlugins/CodexComputerUseAuthorizationPlugin.bundle on activation, per an open GitHub issue.

That placement matters. Authorization plug-ins in macOS sit inside the trust boundary that governs who gets access to a running machine. A bug in that layer is not an AI assistant misbehaving. It is a privilege escalation problem. There is also a packaging mismatch on the current generation of software: Codex version 26.519.31651 on macOS 26.5 (25F71) fails to enable locked computer use because Apple's SecurityAgentHelper rejects the plug-in at load time with a Library Validation error, per an open GitHub issue. The feature launched May 21 and was broken on the same macOS release current at launch. Whether this authorization plug-in pattern is novel for consumer AI or has precedent in enterprise mobility management tooling is an open question that enterprise IT administrators are beginning to grapple with.

OpenAI's documentation frames locked computer use as a user experience improvement: Codex stays running when you lock your screen, rather than disconnecting. The ChatGPT release notes confirm the May 21 launch date and describe it as letting "eligible Mac Computer Use users keep Codex working remotely and securely after the Mac locks." But the implementation detail is not UX polish. It is an authorization database entry and a plug-in inside a system directory, a structural change to what Codex is allowed to do on your machine.

The feature is also limited in ways that reveal its architectural logic. According to MacRumors, Codex cannot automate Terminal apps, cannot control Codex itself, and cannot respond to system-level admin prompts. These are the same prompts that request root-level changes to the machine. Screen Recording and Accessibility permissions are still required for the Computer Use plugin to see and interact with target applications, per OpenAI's documentation. Those restrictions suggest OpenAI drew a line around what it wanted inside the authorization layer and what it deliberately left out. Enterprise IT tooling from vendors like Jamf and Kandji commonly uses authorization plug-ins to manage device access policies. Whether a consumer AI product installing to the same layer is a new trust boundary or a well-established pattern applied to a new context is a question the security community has not yet settled.

The feature is unavailable at launch in the European Economic Area, the United Kingdom, and Switzerland, according to OpenAI's developer documentation, likely due to regulatory requirements around operating system-level software installation that differ from US practice.

Locked computer use is a real capability with a real implementation problem. The question is not whether Codex can keep running when your screen locks. It can, on older macOS versions where the Library Validation error does not fire. The question is what OpenAI's placement of itself inside the macOS authorization flow means for the trust model of personal computing, and whether the current version failure is a packaging error or a sign that Apple and OpenAI have not yet resolved how this integration is supposed to work at the system level.

Watch for whether macOS 26.6 or a future Codex update resolves the Library Validation error. If the integration stabilizes, it establishes a precedent for AI assistants as operating system-level authorized agents rather than application-layer tools. That shift, from app to gatekeeper, is larger than any single feature.