OpenAI’s acquisition of Ona isn’t the kind of deal that makes headlines for its price tag — nobody’s disclosed one — but it might be the one that actually matters for where AI is heading next.
Announced June 11, the deal folds a German startup that began life as Gitpod into OpenAI’s fast-growing Codex platform. On paper, it’s infrastructure: cloud environments, orchestration, security guardrails. In practice, it’s the missing piece that lets an AI agent keep working after you close your laptop.
Codex has been on a tear. Five million weekly active users, up 400 percent since January. What started as a coding assistant has quietly become something broader — roughly one in five users now are knowledge workers, not developers, and that segment is growing faster. People are asking Codex to modernize legacy codebases, hunt down vulnerability classes, and carry out multi-day investigations. The model intelligence is there. The problem was always where the work actually lives.
That’s where Ona enters the picture.
The company, based in Kiel, spent years solving a different problem: getting developers off local machines and into reproducible cloud environments. Two million developers used Gitpod. Then, late last year, they rebranded to Ona and rebuilt around a new thesis — that AI agents need the same thing human developers do: a persistent, secure workspace with access to the right tools, systems, and context, all under the organization’s control.
Johannes Landgraf, Ona’s co-founder and CEO, puts it simply: agents need more than intelligence. They need a trusted workspace. The platform they built delivers three things — sandboxed environments defined in code that spin up identically every time, background agents that accept tasks and return results reachable from any device, and the governance layer enterprises actually care about: audit trails, scoped credentials, role-based access, and deployment inside the customer’s own virtual private cloud.
OpenAI calls this “customer-controlled execution.” The agent runs in your cloud, on your infrastructure, with your data and your credentials. OpenAI provides the model and orchestration. For a bank or a hospital or a sovereign wealth fund — all existing Ona customers — that distinction is the difference between a pilot and a production deployment.
The numbers back up the urgency. Ona’s weekly agent sessions in production have grown 13x since January across what Landgraf describes as “the oldest bank in the US, one of Europe’s largest pharma companies, one of Asia’s largest sovereign wealth funds.” These aren’t experimental workloads. They’re the kind of environments where a wrong change breaks customer workflows, exposes sensitive data, or violates regulations.
The competitive context sharpens the picture. Anthropic’s Claude Code has been gaining ground inside engineering teams for a year. Both companies have filed confidential S-1s with the SEC. OpenAI carries a reported $852 billion valuation. The pressure to convert coding-agent enthusiasm into enterprise revenue is real, and the battleground has shifted from model benchmarks to execution infrastructure.
OpenAI has been quietly building this layer for months. Promptfoo in March for security testing. Torch in January for healthcare technology. Ona is the biggest piece yet — not raw model capability, but the enterprise plumbing that makes models usable in regulated environments.
There are open questions. The deal still needs regulatory approval on both sides of the Atlantic, which isn’t trivial for a US giant absorbing a German agent-infrastructure company. Model neutrality is another one. As an independent vendor, Ona let customers bring their own models via Bedrock, Vertex AI, and others. Under OpenAI, that openness bears watching. Any organization that chose Ona specifically for multi-model flexibility has reason to ask how long it lasts.
The deeper limitation sits beneath all of it. Customer-controlled execution solves where an agent runs. It doesn’t solve whether the agent stays correct over a two-day job. An autonomous agent that grinds away for 48 hours can also be wrong for 48 hours. The tooling for reviewing long, unattended runs is far less mature than the environments that host them. Running agents in your own VPC also moves real operational burden onto your platform team — they now own the infrastructure the agents live on.
For a CIO weighing this, the questions are concrete. Will Ona stay model-neutral or quietly favor Codex? Which guardrails are genuinely Ona’s and which are thin wrappers around AWS or Azure controls you already pay for? How does review and rollback work when an agent has been running for a day inside production systems?
What’s clear is that the contest among coding agents has moved from the model layer to the execution layer. That layer decides whether a regulated enterprise will let an agent touch its systems at all. OpenAI is buying its way into that layer rather than building it from scratch — a calculated move, given how far ahead Ona already sits on enterprise controls.
Plenty of companies wanted the productivity of autonomous agents but balked at handing their code to a vendor’s cloud. For them, customer-controlled execution opens a credible path to production on their own terms. The acquisition doesn’t close the case on AI agents in the enterprise. But it might be the moment the case becomes winnable.
