OpenAI has released ChatGPT Lockdown Mode, a new security feature designed to limit outbound network access and reduce the risk of data exfiltration from prompt-injection attacks. The feature is now available to eligible personal accounts, self-serve ChatGPT Business users, and managed enterprise workspaces.
Prompt injection, where malicious instructions are embedded in content processed by an AI model, remains a frontier security challenge. Lockdown Mode is specifically engineered to disrupt the final stage of a prompt injection attack: the unauthorized transfer of sensitive data to an attacker-controlled destination via outbound network requests.
Importantly, Lockdown Mode does not prevent prompt injections from entering the model’s context. A malicious payload embedded in a cached webpage, an uploaded PDF, or any other ingested content can still influence model behavior and response accuracy. The feature focuses exclusively on blocking the exfiltration pathway, not the injection vector itself.
ChatGPT Lockdown Mode
When Lockdown Mode is active, the following ChatGPT capabilities are restricted:
- Live web browsing — Limited to cached content only; results may be stale or unavailable
- Image retrieval — ChatGPT cannot fetch or display web-derived images in responses
- Deep research — Fully disabled
- Agent mode — Fully disabled
- Canvas networking — Users cannot approve Canvas-generated code to make network requests
- File downloads — ChatGPT cannot download external files for data analysis; manually uploaded files remain accessible
Memory, file uploads, conversation sharing, and model training settings are not affected by Lockdown Mode and remain independently configurable.
OpenAI classifies app and connector configurations into risk tiers for Lockdown Mode environments:
- High risk: Read or write actions for untrusted apps; write actions for trusted apps with broad or uncertain visibility; both are explicitly not recommended.
- Medium risk: Sync connectors and read actions for trusted apps carry lower exfiltration sink risk but can still expose sensitive source data.
- Lower risk: Write actions for trusted apps are only permissible when side effects are confirmed to be visible only to trusted parties.
For managed workspaces, Lockdown Mode does not automatically disable all connected apps. Administrators must manually configure role-based access controls (RBAC), assign trusted apps, and audit connector permissions to achieve meaningful protection.
Enterprise workspace admins can enforce Lockdown Mode by creating a custom role designated as a “Lockdown Mode” role and assigning members or groups to it.
The Compliance API Logs Platform provides persistent audit visibility into app usage, shared data, and connected sources independent of Lockdown Mode status.
Notably, Lockdown Mode and Developer Mode are mutually exclusive; enabling one automatically disables the other. Additionally, Lockdown Mode has no effect on Codex network access.
OpenAI acknowledges that Lockdown Mode does not guarantee complete protection. Residual risk exists through enabled third-party apps, unforeseen capability combinations, and novel exploitation techniques. Prompt injections hidden in uploaded files can still cause incorrect or manipulated AI responses even with Lockdown Mode active.
Personal and self-serve Business users can enable the feature via Settings → Security → Advanced Security → Lockdown Mode. Enterprise admins should consult OpenAI’s RBAC documentation and Compliance API guidance for workspace-wide deployment.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
