OpenAI's Lockdown Mode Locks Down ChatGPT Against Prompt Injection Attacks

OpenAI is expanding its Lockdown Mode security feature to all ChatGPT users, including Free, Go, Plus, and Pro accounts, as well as self‑serve Business accounts, according to Neowin. The feature was first introduced in February for enterprise plans but is now reaching a much wider audience.

When Lockdown Mode is enabled, it places hard limits on how ChatGPT interacts with external systems. Live web browsing is restricted to cached content only — no new network requests leave OpenAI's network. Deep Research is disabled entirely. Agent Mode, which can autonomously take actions, is turned off. Canvas‑generated code cannot access the network. ChatGPT also stops downloading files for data analysis, though manually uploaded files continue to work, TechCrunch reported.

"Lockdown Mode is not intended for everyone," OpenAI stated. "It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."

Prompt injection is essentially social engineering for AI. An attacker hides malicious instructions inside a webpage, document, or tool output that the AI reads, tricking it into leaking sensitive conversation data to an external server. As AI agents gain the ability to browse the web, read emails, and execute code, the attack surface expands dramatically.

Lockdown Mode does not block prompt injections from entering ChatGPT's context. A malicious instruction could still appear in cached browsing content or an uploaded file, OpenAI acknowledged. Instead, the mode focuses on the exfiltration side — it blocks the outbound network requests that would allow an attacker to actually receive the stolen data.

This is part of a "defense‑in‑depth approach," OpenAI said. "As ChatGPT becomes more capable and connected, we're continuing to add practical protections that give users more choice over how ChatGPT works with sensitive information and connected features."

The feature disables or constrains several key ChatGPT capabilities:

>The rollout to personal accounts marks a significant expansion. Previously, Lockdown Mode was only available to enterprise customers through workspace admin controls. Now individual users can toggle it on from Settings Security, according to Neowin.

Enterprise admins retain role‑based access controls — they can create custom roles and assign Lockdown Mode to specific users, such as executives or security team members who face elevated targeting risk. Alongside Lockdown Mode, OpenAI is also rolling out an Active Sessions feature that lets users see where their account is signed in across devices, adding another layer of visibility per OpenAI's help center.

The protection is deliberately narrow. "Lockdown Mode does not affect memory, file uploads, or the ability to share conversations," SecurityBrief Australia noted. It also does not restrict network access in Codex, OpenAI's coding agent, which operates under a different set of controls.

Connected apps — including MCP servers and third‑party connectors — present a separate exposure surface that Lockdown Mode doesn't directly address. Instead, OpenAI groups app actions by risk level: read actions in trusted apps are categorized as "Medium risk," while write actions are classified as higher risk because they create observable side effects. OpenAI does not recommend read or write actions to untrusted apps for Lockdown Mode users.

For builders working with sensitive data, this means Lockdown Mode is a useful layer — but it's not a complete security solution. Prompt injections can still alter model behavior. The mode is about containment, not prevention.

The Lockdown Mode rollout arrives as AI agents are becoming more autonomous and more dangerous when compromised. OpenAI's own Codex can browse the web and execute code. Anthropic's Claude has an agent mode that operates across files and terminals. As these tools gain network access and the ability to take irreversible actions, prompt injection stops being an academic concern and becomes a real attack vector.

OpenAI is also standardizing "Elevated Risk" labels across ChatGPT, ChatGPT Atlas, and Codex, flagging features that carry additional security exposure. In Codex, for example, granting network access now comes with an explicit risk label and explanation of what changes, SecurityBrief reported.

The tension is clear: the most powerful AI features — web browsing, agent autonomy, tool use — are also the most dangerous when exploited. Lockdown Mode is OpenAI's acknowledgment that security can't just be added at the model level. It needs to live at the product level too.