Your AI Tool Reads Too Much
OpenAI Codex Has an Open Issue: Sensitive Files Are Not Excluded From AI Context
You don’t need a catastrophic breach for an AI coding assistant to become a security problem. You just need one “helpful” context fetch that pulls in a secrets file, an internal config, or a customer-specific document that was never meant to leave a developer’s machine. That’s why a live GitHub issue on the official OpenAI Codex repository matters: developers report they cannot reliably exclude sensitive files from AI context, and the issue remains unresolved. Hacker News noticed too, with strong discussion around the risk and the false sense of control this creates.
This Isn't A Bug. It's A Governance Failure
The uncomfortable truth is that most teams adopting AI coding tools are treating data boundaries as a settings problem. They assume there’s a checkbox somewhere that says “ignore secrets” and that’s good enough. It isn’t.
The issue raised on the OpenAI Codex repo points to a more serious design flaw: if file exclusion is unreliable, then your effective security model is “trust the assistant not to ingest the wrong thing.” That’s not a serious control. It’s wishful thinking dressed up as developer experience. For engineering leaders, that should trigger the same response as any flaky access policy in production: stop and reassess the architecture.
The Real Cost Isn't Just Security
Yes, sensitive context leakage is a security problem. But for a SaaS company with 10 to 100 engineers, it’s also an operating model problem. Once your team loses confidence in what the tool is reading, every prompt becomes a judgment call. Can we use it on this repo? Should we clone a sanitised branch? Do we need a policy exception for this contractor? That friction kills the very thing these tools are supposed to improve: developer flow.
Worse, it pushes teams into a shadow process. Senior engineers start inventing personal workarounds. Security writes rules nobody follows. Onboarding gets messier because now new hires need both repo access and a tribal map of which AI tools are “safe enough” for which codebases. The hidden cost isn’t just risk exposure. It’s slower shipping and a higher cognitive load.
Our View: Security-First AI Has To Be Built, Not Bolted On
Here’s the contrarian take: the problem is not that AI coding tools move too fast. It’s that too many were adopted before anyone asked what data they ingest, retain, or expose across the toolchain. When AI gets you a demo, Mobifilia gets you a product. The model is one unreliable component; the hardened system around it is the product.
That thinking shaped how we built Dev Cockpit. Data governance and zero data retention were core architecture decisions, not procurement-stage paperwork. We work with ISVs and product companies that want the speed benefits of AI-assisted development without gambling on vague vendor assurances. If your developers can’t clearly control context boundaries, you don’t have an enterprise-ready tool. You have a prototype in production.
Why This Openai Codex Issue Deserves Attention
This is not a hypothetical red-team scenario. It is a named, public issue on an official repo, discussed in the open by developers who are trying to use the tool in real workflows. That matters because it cuts through vendor slideware and shows where the edges are under real use.
If you’re evaluating AI coding assistants, use this as a test case. Ask direct questions:
- Can sensitive files be reliably excluded from context?
- What is retained, where, and for how long?
- What controls are enforced technically, not just documented in policy?
- How would this stand up in a customer security review or ISO 27001 audit?
Those are not compliance theatre questions. They’re deployment questions.
What This Means For Your Business
For a VP of Engineering or CTO, this comes down to a choice between ad-hoc AI adoption and an engineered development system. If your team is shipping customer-facing software — especially in regulated or enterprise environments — “probably excluded” is not good enough. You need predictable controls, low-friction onboarding, and tooling that keeps engineers in flow without creating a data governance mess six months later.
That’s the gap Dev Cockpit was built to close. Mobifilia has spent 14 years delivering software systems that survive contact with real business constraints, and our ISO 27001 certification reflects that discipline. Dev Cockpit helps teams onboard faster, reduce context switching, and use AI in a way that respects how modern engineering organisations actually operate — not as a toy layered onto the repo, but as part of a governed development workspace.
If this Codex issue made you uneasy, good. That instinct is worth acting on. We’re happy to walk you through how Dev Cockpit handles context boundaries, data retention, and security controls in a free consultation — no slide deck required, just a direct conversation about how this fits your setup.
- AI code assistant
- AI coding security
- AI development tools
- context management
- Data Governance
- developer security
- DevSecOps
- Enterprise AI
- OpenAI Codex
- secure AI development
Want to know more? Book a free 30-minute consultation
Book a Call29 Jun 2026






















































































































































