Lockdown Mode in ChatGPT is a new optional security setting that essentially “shrinks” what ChatGPT is allowed to do on the internet, so it’s much harder for attackers to trick it into leaking sensitive data.

Why Lockdown Mode exists

Lockdown Mode is designed to protect against a specific kind of attack called prompt‑injection‑based data exfiltration, where malicious text tries to convince an AI to ignore its instructions and secretly send data out to an attacker. Think of it as a hardened mode for people and organizations who are genuinely high‑risk targets: executives, security teams, regulated industries, or anyone wiring AI into sensitive internal systems.

OpenAI is clear that this isn’t meant for everyone; regular users and even many business users don’t need it turned on all the time. Instead, it’s aimed at those who want deterministic guarantees that certain risky behaviors—especially outbound network calls—simply cannot happen.

What exactly Lockdown Mode does

Under the hood, Lockdown Mode works by aggressively limiting or disabling tools and features that can talk to the outside world, especially in ways that could smuggle data out.

When a user is in Lockdown Mode, several key capabilities change:

• Web browsing is restricted to cached content only; ChatGPT no longer makes live network requests to arbitrary websites. That dramatically reduces the chance that an attacker can get the model to embed secrets in a URL or send information to a hostile site.
• Image support in responses is turned off, so ChatGPT won’t send back images, though users can still upload images or generate new ones.​
• Deep Research is disabled, cutting off a powerful, multi‑step, web‑heavy tool that could otherwise be misused in exfiltration chains.​
• Agent Mode is disabled, so autonomous, multi‑step “agentic” behavior that chains tools and services together is no longer available to those users.
• Canvas networking is blocked; any code generated in Canvas cannot be approved to access the network.​
• File downloads initiated by ChatGPT are disabled, although the model can still analyze files that users upload manually.​

All of these constraints are designed around one core rule: in Lockdown Mode, the system deterministically prevents outbound network requests that could be used to send sensitive data to an attacker. The model may still see untrusted content (for example, cached pages that contain prompt injections), but the last step—getting data out of OpenAI’s environment—is tightly locked down.

Importantly, Lockdown Mode does not change everything: memory, file uploads, and conversation sharing still work, and many of those can be independently controlled by workspace admins via existing enterprise settings.

How it works with apps and connectors

Lockdown Mode gets trickier when you add apps, connectors, and the broader AI “stack” on top of ChatGPT. Apps (including MCPs and various connectors) can talk to the internet or internal company systems, which makes them powerful—but also potential exfiltration paths if misused via prompt injection.

OpenAI’s approach is to keep apps available, but shift responsibility and fine‑grained control to admins:

• Apps are not blanket‑disabled in Lockdown Mode, because many enterprises depend on them for core workflows (think: internal knowledge bases, ticketing tools, CRMs).
• Instead, admins are encouraged to allow only a minimal, highly curated set of apps, and to be precise about which actions within those apps are enabled.

OpenAI’s guidance effectively introduces a risk ladder for apps in Lockdown Mode:​

• Medium‑risk (use with caution):
  • Sync connectors that bring data into OpenAI for querying without making fresh external calls.
  • Read actions of trusted apps that fetch information but don’t create visible side effects.​
  • Write actions where the result is guaranteed to only be visible to trusted parties.
• High‑risk (not recommended):
  • Any read or write actions to untrusted apps.
  • Write actions—even in trusted apps—if their effects might be visible to a broader audience and could therefore act as a covert channel for data exfiltration.​

Parallel to Lockdown Mode, the Compliance API Logs Platform gives enterprise admins detailed visibility into app usage, shared data, and connected sources so they can audit how AI is interacting with their environment over time.

What Lockdown Mode does not do

Lockdown Mode isn’t a magic shield that makes prompt injection disappear, and OpenAI is explicit about its limits.

• It does not stop prompt injections from ever reaching the model; for example, an attacker could still hide malicious instructions in a cached web page or an uploaded file.
• It focuses on one specific problem: preventing the model from using tools and network‑enabled features to send data out of OpenAI’s environment in response to those injections.
• It doesn’t apply to all products: network access in Codex is not affected, and Lockdown Mode currently targets ChatGPT and Atlas.
• It also doesn’t fix every side effect of prompt injection. A malicious file or page could still get the model to respond incorrectly, even if it can’t send data to an attacker’s server.

OpenAI has been candid that prompt injection is an ongoing, unsolved research challenge, and Lockdown Mode should be seen as one strong layer in a broader, multi‑layered defense, not a final cure.

Who gets Lockdown Mode and how to enable it

Right now, Lockdown Mode is aimed squarely at organizations rather than individual hobbyists.

• It’s available for ChatGPT Enterprise, ChatGPT Edu, ChatGPT for Healthcare, and ChatGPT for Teachers.
• OpenAI says it plans to roll this out to consumer and team plans in the coming months, signalling that more typical business users will eventually get the option too.
• Workspace admins—not end users—control Lockdown Mode. They can create a custom role in Workspace Settings, mark it as a “Lockdown Mode” role, and assign specific users or groups (for example, “Security Team” or “Executive Suite”) to that role.
• Lockdown Mode then layers its restrictions on top of whatever admin controls are already configured, such as role‑based access, audit logs, and app governance.

Put differently: if you’re an individual ChatGPT Plus user today, you can’t just flip a switch for Lockdown Mode yet. If you’re an enterprise admin, you can already carve out a high‑security cohort and lock their AI environment down much more tightly.

Where this fits in OpenAI’s broader security push

Lockdown Mode doesn’t arrive in a vacuum; it sits atop a growing stack of mitigations OpenAI has been rolling out against data exfiltration and prompt injection.

Some of the key building blocks underneath:

• URL‑based data exfiltration defenses: OpenAI runs an independent web index and only lets agents automatically fetch URLs that the crawler has already seen in the wild, reducing the chance that secret‑laden, user‑specific URLs leak out in the first place.
• Sandboxing and monitoring: the company has invested in sandboxed environments, enforcement systems, and enterprise controls like role‑based access control and detailed audit logs.
• New “Elevated Risk” labels: introduced alongside Lockdown Mode, these labels call out tools and capabilities that may pose extra risk, helping security teams and end users make more informed decisions.

In that sense, Lockdown Mode is the “hard stop” option: for the slice of users who really can’t afford surprises, it trades some of ChatGPT’s flexibility and convenience for stronger, deterministic protection against one of the most worrying attack vectors in modern AI systems.