Todas las ediciones
skillPublicado 2026-07-14

Below the Ice — Secret Instructions: Inside Codex's Encrypted Sub-Agent Prompts

OpenAI's Codex comenzó a cifrar en silencio los prompts que pasa a sus propios sub-agentes. Esta noche vamos por debajo del titular: qué son esos prompts, por qué su contenido se convirtió en un problema de seguridad y qué significa que los agentes de IA empiecen a ocultar sus instrucciones entre sí.

Below the Ice — Secret Instructions: Inside Codex's Encrypted Sub-Agent Prompts
vistas

Listen to tonight's episode on Below the Ice.


A GitHub issue that opened this week quietly collected 280 upvotes and 173 comments on Hacker News. The headline writes itself: Codex is now encrypting the prompts it passes to its own sub-agents. Not the code, not the output — the instructions one AI is giving another.

We go below it tonight. Because this is not just an OpenAI product changelog item. It is the first widely-noticed moment where a production AI orchestrator started hiding what it tells its own workers — and that changes how we should think about trust in multi-agent systems.


What it is

When you run Codex on a task, Codex is not a single model running alone. It is an orchestrator — a top-level agent that breaks your task into pieces and delegates them to sub-agents: specialized workers that each handle a slice of the problem.

The orchestrator talks to those workers through prompts — plain-text instructions that say, in effect, here is your job, here is the context you need, here is how you should respond. Until recently, if you knew where to look, you could read those prompts. They were strings in memory, logs you could inspect, text you could intercept.

Now Codex encrypts them. The prompt text is ciphered before it leaves the orchestrator and is only decrypted inside the sub-agent at execution time.


How it actually works

Think of the orchestrator as a project manager in an office. Every morning it writes out task cards for its team and slides them under each person's door. Those cards used to be on plain paper — anyone who walked by could read them.

Encrypting the sub-agent prompts is like switching to sealed envelopes. The project manager still writes the same cards, the workers still read them and do the same job — but now only the person whose name is on the envelope can open it.

Technically, this works through a shared session key or asymmetric encryption established between the orchestrator and each sub-agent at initialization. The orchestrator encrypts the prompt context before dispatch. The sub-agent decrypts at runtime. The plaintext instructions never appear unprotected in the message queue, the logs, or the network layer between the two agents.

What this doesn't do: it doesn't stop a compromised sub-agent from acting on the decrypted prompt however it wants. It doesn't prevent the sub-agent from leaking its own output. The encryption lives in transit and at rest in the message channel — not inside the model's reasoning process.


Why it matters now

There are two reasons this matters, and they pull in opposite directions.

The security reason. Multi-agent systems have a well-documented structural weakness called indirect prompt injection. If an attacker can insert text into anything an agent reads — a file, a web page, a database row, a code comment — and if that text ends up in a sub-agent's prompt, the attacker can steer the worker's behavior without ever touching the orchestrator directly.

Encrypting prompts reduces one attack surface: an intermediary can no longer inspect and modify the instruction payload in flight. It also protects intellectual property. The system prompt of a commercial agent product often contains the entire product strategy: persona, constraints, competitive positioning, safety rules. It is the recipe. Plain-text prompts flowing across a network are a leak waiting to happen.

The trust reason. When the humans outside the orchestrator cannot read what one AI told another, the audit trail depends entirely on what the orchestrator chooses to log. If Codex delegates a task to a sub-agent with encrypted instructions, and that sub-agent takes an action you didn't anticipate, tracing what it was asked to do requires trusting the orchestrator's own record-keeping.

That is the genuine tension — security for the product versus auditability for the human. Both are real requirements, and today's implementation favors one.


What is overhyped

The framing that "AI agents are now keeping secrets" is accurate but misleading in one important way. The model itself — the weights, the reasoning, the generation — was always opaque. We never had a window into what an LLM was actually computing. What we did have was access to the text strings flowing into and out of it.

Encrypting prompts reduces the legibility of one more layer. It does not make AI agents fundamentally more hidden than they already were. We have been running on trust and sampling-based inspection for years. Encrypted prompts are a formalization of a boundary that was always there, not the creation of a new one.

The Hacker News reaction swings between "this is a security win" and "this is enshittification." Neither framing is quite right. It is an architectural choice with real tradeoffs, made by a company that has both IP to protect and a developer ecosystem to steward.


What to watch

Three things worth tracking as this pattern spreads — and it will spread:

1. Other orchestrators will follow. If encrypting sub-agent prompts becomes standard practice in Codex, expect the same move from other coding agents within months. Each has system prompts worth protecting.

2. Audit tooling becomes a category. The reaction to prompt encryption is likely to be a wave of observability tooling — log-side capture, structured output contracts, trace-on-request mechanisms — that give operators visibility without requiring full prompt exposure. The demand signal is there.

3. Regulation will catch up to the instruction chain. The EU AI Act and NIST AI RMF both require meaningful audit trails for high-risk AI systems. If sub-agent prompts are encrypted and only the orchestrator decides what gets logged, that is a compliance question with a deadline attached.

The surface headline was a product changelog. The real story is that multi-agent AI systems are beginning to develop their own internal privacy boundaries — and humans are on the outside of them by default.


Sources:

Comentarios