OpenAI has agreed to acquire Ona, a German startup that keeps software agents working in a secure cloud after the developer who started the task logs off. The deal was announced Thursday and folds Ona into Codex, OpenAI’s coding agent. It points the company at a problem that better models alone have not solved.

Codex now reaches more than 5 million people each week, OpenAI said, a 400% jump since the start of the year. The work it does has stretched from minutes into hours and sometimes days. Jobs that long need an execution environment to run in. For most enterprises the harder question is a governance one. Will a bank or a hospital let an autonomous agent operate inside its own network, reach its data, and keep working while nobody is watching? Ona is OpenAI’s answer to that question.

Inside Ona

To appreciate what Ona adds, it helps to know where it came from. The company began as Gitpod, a Kiel-based developer-tools firm that moved coding off local machines and into the browser. It says it has served 2 million developers. In late 2025 it rebranded to Ona and rebuilt itself around agents.

The Ona platform is built from three building blocks. The first is environments: sandboxed cloud workspaces defined in code that spin up the same way every time. The second is agents, background workers that accept a task and return a pull request, reachable from any device once the work is running. The third is a set of guardrails, the controls a security team cares about. They include audit trails, role-based access, scoped credentials and deployment inside a company’s own virtual private cloud.

What ties these together is an idea Ona calls customer-controlled execution. OpenAI supplies the model and the orchestration. The agent runs inside the customer’s cloud, where the company keeps its data, its credentials and its audit trail. With this, a company can let Codex modernize a legacy codebase or patch a class of vulnerabilities across days of work. The agent operates on infrastructure the company controls rather than on OpenAI’s servers.

Why OpenAI Needs Ona

Codex began as a tool for software developers, and OpenAI has pushed it well past that base. Knowledge workers now account for roughly one in five Codex users and are growing faster than the core developer group, the company said. Plugins have extended it into sales, investment banking and equity investing. As more of that work runs unattended over long stretches, the place it executes stops being a detail and becomes the thing an enterprise buyer has to sign off on.

That is where Ona earns its keep. Its existing customers include banks, pharmaceutical companies and sovereign wealth funds. These are organizations that care less about a leaderboard score and more about where the code runs and who can see it. By bringing that execution layer in-house, OpenAI can tell a regulated buyer that a Codex agent will operate under the buyer’s own security and governance rules.

The Competitive Picture

The acquisition is a trust pitch aimed straight at cautious IT departments, and the timing is no accident. OpenAI is racing Anthropic, whose Claude Code has grown quickly inside engineering teams over the past year. Both companies have filed confidential prospectuses with the SEC. OpenAI carries a valuation around $852 billion, so each is under pressure to turn coding-agent enthusiasm into production revenue.

Ona fits a pattern in OpenAI’s recent buying. The company picked up the security-testing startup Promptfoo in March and the healthcare-technology firm Torch in January. Both deals added enterprise plumbing rather than raw model capability.

The Limits

For all that, the deal does not close the case. It is still subject to regulatory approval. A US giant absorbing a German company that builds agent infrastructure could draw scrutiny on both sides of the Atlantic before the Ona team formally joins OpenAI.

A sharper question hangs over model neutrality. As an independent vendor, Ona enables enterprises to connect their own models via services such as Amazon Bedrock and Google Vertex AI. A customer could run Claude or Gemini inside an Ona environment. Under OpenAI’s ownership, that openness is worth watching, and any buyer that chose Ona for multi-model flexibility has reason to ask how long it will last.

The deeper limit sits below all of this. Customer-controlled execution settles where an agent runs, not whether the agent stays correct over a two-day job. An autonomous agent that grinds away for two days can also be wrong for two days. The tools for reviewing long unattended runs are far less mature than the environments that host them. Running those agents inside your own virtual private cloud also moves real operational work onto your platform team, who now own the infrastructure the agents live on.

The Road Ahead

For a CIO weighing this, the questions are concrete. Ask whether Ona will stay model-neutral under OpenAI or quietly favor Codex. Press on which guardrails are genuinely Ona’s own and which are thin wrappers around AWS or Azure controls you already pay for. And find out how review and rollback work when an agent has been running for a day inside production systems.

The Ona acquisition shows that the contest among coding agents is shifting from the model to the execution layer. That layer decides whether a regulated enterprise will let an agent touch its systems at all. OpenAI is buying its way into that layer rather than building it. That is a calculated move, given how far ahead Ona already sits on enterprise controls. Plenty of companies wanted the productivity of autonomous agents but balked at handing their code to a vendor’s cloud. For them, customer-controlled execution opens a credible path to production on their own terms.
