OpenAI has rolled out Lockdown Mode for ChatGPT, an optional advanced security setting designed to disrupt the final stage of prompt-injection-based data exfiltration attacks by restricting outbound network requests from the AI platform. The feature is now expanding from enterprise environments to eligible personal, Free, Go, Plus, Pro, and self-serve Business accounts.
OpenAI first introduced Lockdown Mode on February 13, 2026, targeting a narrow, high-risk user segment: executives, security teams at prominent organizations, and professionals handling sensitive, classified, or regulated data. As of June 4, 2026, the rollout has significantly widened, extending availability to personal accounts across all tiers.
Lockdown Mode is defined as an optional, deterministic security control that disables specific tools and capabilities in ChatGPT which an adversary could leverage to exfiltrate sensitive data through prompt injection vectors.
It does not introduce new AI hardening at the model level; instead, it cuts off the network pathways that completed attacks rely on to deliver stolen data to attacker-controlled infrastructure.
The feature was also introduced alongside Elevated Risk labels, standardized warning markers applied to higher-risk capabilities across ChatGPT, ChatGPT Atlas, and Codex, giving security teams better operational visibility.
Prompt injection is an attack class where malicious instructions are embedded in content that an AI model processes, including cached web pages, uploaded documents, email threads, or repository files. When the AI processes that content, it may unknowingly execute attacker instructions, such as silently exfiltrating conversation data, system prompts, or connected app credentials to an external endpoint.
OpenAI classifies prompt injection as a frontier, unsolved research problem, acknowledging that no current defense eliminates it entirely.
The attack surface has grown considerably as AI assistants now operate with agent capabilities, external integrations, and live internet access, each expanding the number of untrusted data sources the model ingests in real-time. As attackers develop more sophisticated injection chains, the likelihood of a successful exfiltration increases.
What Lockdown Mode Disables
Lockdown Mode operates as a deterministic kill-switch for outbound network capabilities. When enabled, the following ChatGPT features are restricted or fully disabled:
- Live web browsing — Restricted to cached content only; live internet requests are blocked, and search results may be stale or entirely unavailable
- Deep Research — Fully disabled; the feature’s multi-step internet retrieval pipeline is shut down entirely
- Agent Mode — Fully disabled; autonomous task execution with external tool calls is unavailable
- Web-derived image retrieval — ChatGPT cannot fetch or display images from the internet, though user-uploaded images and image generation remain functional
- Canvas networking — Users cannot authorize Canvas-generated code to make outbound network requests
- File downloads — ChatGPT cannot download external files for data analysis, though manually uploaded files remain accessible
Memory, file uploads, conversation sharing, and model training preferences are not altered by Lockdown Mode and remain independently configurable. Importantly, Lockdown Mode has zero effect on Codex and its network access.
Security teams should understand one critical architectural constraint: Lockdown Mode does not prevent prompt injections from entering the model’s context. A malicious payload embedded in a cached webpage, an uploaded PDF, or any other ingested file can still influence model behavior, cause incorrect outputs, and manipulate the AI’s logic.
The feature addresses only the exfiltration stage, the moment when extracted data is transmitted outbound to an attacker. It does not sanitize, detect, or block injected instructions at the input layer. This distinction is vital for incident response planning: organizations using Lockdown Mode still face the risk of adversarial manipulation, even if data cannot leave the system.
For personal accounts and self-serve Business users, enabling Lockdown Mode is straightforward: navigate to Settings → Security → Advanced Security → Turn on Lockdown Mode. Note that Lockdown Mode and Developer Mode are mutually exclusive enabling one automatically disables the other.
For managed enterprise workspaces, the model is more granular. Workspace administrators create a custom role designated as a “Lockdown Mode role” and assign users or groups accordingly. Apps, MCPs, and connectors in managed environments remain under role-based access control (RBAC) rather than being automatically disabled.
OpenAI provides a risk tiering framework for enterprise app configuration in Lockdown Mode:
| Risk Level | App/Action Type | Recommendation |
|---|---|---|
| High | Untrusted apps (read/write), trusted apps with broad write visibility | Not recommended |
| Medium | Sync connectors, read actions for trusted apps | Use with caution |
| Lower | Write actions for trusted apps with limited, auditable visibility | Enable only with confirmed trust scope |
The Compliance API Logs Platform provides persistent audit visibility into app usage, connected sources, and shared data, independent of Lockdown Mode status.
For organizations operating under HIPAA, SOC 2, or ISO 27001 frameworks, Lockdown Mode represents a meaningful layered control against AI-facilitated insider threats and supply-chain prompt-injection scenarios.
Security architects should treat it as a single layer in a defense-in-depth model, not as a comprehensive prompt injection solution. It pairs with existing enterprise protections, including sandboxing, URL-based exfiltration safeguards, model-level safety filters, and audit logging.
Security teams are advised to document Lockdown Mode as a compensating control in their AI risk registers, noting the residual risk of in-context manipulation attacks that the feature does not address.
FAQ
Q1: Who can enable Lockdown Mode in ChatGPT? Any logged-in user on an eligible personal, Free, Go, Plus, Pro, or self-serve Business account can enable it in Settings → Security; enterprise workspace admins control it via RBAC role assignments.
Q2: Does Lockdown Mode stop all prompt injection attacks? No, it blocks only the data exfiltration stage; instructions injected into files or cached content can still influence model behavior and response accuracy.
Q3: Can I still use image generation with Lockdown Mode enabled? Yes, image generation remains available; only web-fetched image retrieval and display in standard responses are restricted.
Q4: Does enabling Lockdown Mode affect conversation logging or model training? No, Lockdown Mode does not change memory settings, conversation sharing, training data preferences, or Compliance API audit logs, all of which remain independently configurable.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
