ChatGPT Lockdown Mode is OpenAI's deterministic security setting that limits how ChatGPT can move data out of its controlled environment — the control is aimed squarely at the data exfiltration that follows a successful prompt injection, not at stopping the injection itself. OpenAI expanded it from Enterprise plans to personal Free, Go, Plus, Pro and self-serve Business accounts on June 4–6, 2026.
That single distinction — exfiltration versus entry — is the most consequential and most misunderstood thing about this feature. Almost every headline frames Lockdown Mode as protection against prompt injection. OpenAI's own documentation is more precise and more honest: injections can still reach the model; what Lockdown Mode does is close the outbound channels an attacker would otherwise use to ship your data somewhere they control.
This guide explains exactly what Lockdown Mode is, where it sits on the prompt-injection kill chain, what it disables and preserves, what it explicitly does not do, and — the part no vendor publishes — a role-based decision matrix for which teams should run it mandatorily versus optionally. Everything below is sourced from OpenAI's announcement and corroborating security press.
- 01It severs exfiltration, not injection entry.Lockdown Mode limits outbound network requests to prevent the final stage of a prompt injection attack. OpenAI states plainly that it does not prevent injections from appearing in content ChatGPT processes.
- 02It is deterministic, not probabilistic.Rather than trying to detect malicious inputs with a model-based classifier, Lockdown Mode simply disables the tools and capabilities an adversary could exploit. That is a structurally different and more reliable kind of control.
- 03It expanded to everyone on June 4-6, 2026.First introduced for ChatGPT Enterprise and Edu plans earlier in 2026, Lockdown Mode reached personal accounts (Free, Go, Plus, Pro) and self-serve Business accounts in early June 2026.
- 04It is designed for a narrow audience.OpenAI built it for a small set of highly security-conscious users such as executives or security teams at prominent organizations. It explicitly states the feature is not necessary for most users.
- 05Deploy it RBAC-style, not org-wide.Enterprise admins create a role and assign exactly which apps and actions stay available. The right pattern is mandatory for high-sensitivity roles, optional everywhere else, so productivity stays intact where the exfiltration risk is low.
01 — What It IsA deterministic egress control, now for everyone.
Lockdown Mode is an optional, advanced security setting in ChatGPT. When enabled, it tightly constrains how ChatGPT can interact with external systems — the goal being to stop sensitive data from being inadvertently shared with third parties. OpenAI first introduced it for ChatGPT Enterprise and Edu plans earlier in 2026, then expanded it to personal accounts (Free, Go, Plus, Pro) and self-serve ChatGPT Business accounts on June 4–6, 2026.
What makes Lockdown Mode interesting is not the list of features it turns off — we will get to that — but the philosophy behind it. OpenAI describes the feature as one that deterministically disables certain tools and capabilities in ChatGPT that an adversary could attempt to exploit. It is a switch, not a guess. That places it in a different category from the AI-based safety classifiers most enterprises have learned to distrust.
Lockdown Mode
Closes the outbound channels an attacker uses to exfiltrate data after a successful injection. Visible only to users who enable it. Mutually exclusive with Developer Mode.
Elevated Risk labels
Standardized warning labels across ChatGPT, ChatGPT Atlas, and Codex for features that may add risk. Visible to all users, with explanations of what changes and when access is appropriate.
One operational constraint matters up front: Lockdown Mode and Developer Mode are mutually exclusive — enabling one disables the other. That deliberately scopes Lockdown Mode to end-user and enterprise workflows rather than developer tooling, and it means a developer who relies on Developer Mode cannot simultaneously sit behind the Lockdown egress wall in the same session.
02 — The Kill ChainIt cuts stage three of the attack.
To understand what Lockdown Mode protects, you have to see prompt injection as a chain of stages rather than a single event. Security researcher Simon Willison popularised the "lethal trifecta" framing: a prompt injection becomes catastrophic only when three conditions hold at once — the AI has access to private data, it is exposed to untrusted content, and it has the ability to exfiltrate data externally. Remove any one leg and the attack collapses.
Lockdown Mode attacks the third leg. By limiting outbound network requests, it removes the channel an attacker needs to actually transfer data out. The injection can still land, the model can still be manipulated into assembling sensitive data — but the data has nowhere to go. The table below maps each stage of the attack against what Lockdown Mode does and does not cover.
| Stage | What happens | Lockdown Mode coverage | Complementary control |
|---|---|---|---|
| 1 · Injection delivery | Malicious instructions arrive via cached web content or an uploaded file. | No | Content provenance controls, input vetting, source allow-lists. |
| 2 · Instruction override | The model treats injected text as instructions and changes its behaviour. | No | Instruction-hierarchy training, system-prompt isolation, output review. |
| 3 · Data aggregation | The model gathers sensitive data from memory, connectors, or uploaded files. | Partial | Least-privilege connector scoping, data-classification policy. |
| 4 · Exfiltration channel | The model invokes an outbound channel — web request, image fetch, agent action — to send data out. | Yes | Network egress monitoring, DLP at the gateway. |
| 5 · Data receipt | The attacker receives the exfiltrated data at a server they control. | Yes (indirectly) | Threat intelligence, incident response, audit logging. |
"Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration in ChatGPT and supported OpenAI products, but it does not guarantee that data exfiltration cannot happen."— OpenAI, official Lockdown Mode announcement, June 2026
03 — DeterministicA switch, not a classifier.
The deterministic-versus-probabilistic distinction is the most under-covered and most important part of this story. Most AI "safety" controls are probabilistic: a model or classifier inspects each input and tries to decide whether it is malicious. Adversarial inputs are explicitly designed to slip past exactly that kind of judgment, which is why detection-based guardrails fail at inconvenient moments.
Lockdown Mode does not try to judge anything. It removes the capability outright. If the outbound web request cannot be made because the feature is disabled, no clever phrasing in an injected payload can re-enable it. That structural property is what makes a deterministic control more trustworthy than a detection model for high-stakes scenarios — there is no false-negative rate on a capability that simply does not exist for the session.
For security-literate buyers who have been burned by "our AI catches that" claims, this reframing matters. The right mental model is not "ChatGPT is now smart enough to spot attacks." It is "the doors an attacker would walk your data out of are bolted shut." That is a weaker but far more reliable promise, and OpenAI is careful to keep it weak: even with the doors shut, it does not guarantee exfiltration cannot happen.
04 — What ChangesWhat it disables and what it keeps.
Lockdown Mode is precise about which capabilities it removes. The common thread is outbound network egress: anything that could send data off ChatGPT's controlled network is disabled, while local and generative capabilities that do not require external network access are preserved. Here is the breakdown.
Outbound channels
Live web browsing (cached content only), internet image retrieval and display, Deep Research including shopping research, Agent Mode, Canvas networking, live connectors, file downloads for data analysis, and Canvas-generated code that needs network access.
Local capabilities
Text generation and reasoning, image generation, manually uploaded file processing, memory, and conversation sharing. Codex is unaffected because it operates under separate controls.
Note one nuance that is easy to get wrong: Lockdown Mode restricts ChatGPT's Agent Mode, but Codex operates under its own separate controls and is not blanket-disabled by Lockdown Mode. If your team conflates "all OpenAI agents are off" with "ChatGPT's Agent Mode is off," you will misstate the policy. The restriction is specific to ChatGPT's in-product agent and the web-egress features above.
Limited to cached content
ChatGPT can reference cached pages but makes no live network requests that leave OpenAI's controlled network, removing a primary egress path for injected instructions.
Including shopping research
The multi-step research and shopping-research workflows that reach out to external sources are disabled, since they rely on the outbound channels Lockdown Mode is built to close.
Generation preserved
Creating images is preserved because it does not require fetching from the open internet; internet image retrieval and display, which does, is disabled.
05 — The LimitsWhat Lockdown Mode does not do.
This is the section most coverage skips, and it is where the real value of an honest read sits. Lockdown Mode is a meaningful control, but it is bounded. Treating it as a complete prompt-injection defence is the editorial error to avoid — and the operational one.
First and most importantly: Lockdown Mode does not prevent prompt injections from entering the context ChatGPT processes. Injected instructions can still arrive via cached web content or uploaded files and still influence the model's behaviour. What changes is only the final step — the model has no easy channel to ship data back out. Independent analysis published on June 8, 2026 documented several residual limitations along these lines: injections still reach the model, model behaviour can still be influenced, apps that remain enabled are still potential exfiltration surfaces, and cached content is not sanitized.
Second, the protection is partial by OpenAI's own words. The company states the feature is designed to substantially reduce the risk of injection-based exfiltration but does not guarantee exfiltration cannot happen. Any app or action an admin chooses to keep enabled is a residual surface. Lockdown Mode shrinks the attack surface; it does not eliminate it.
Third, there is a structural reason no setting can fully solve this today. Researchers across the major labs have acknowledged that large language models cannot reliably distinguish trusted operator instructions from attacker instructions when both arrive through the same context window. Prompt injection is ranked #1 (LLM01) on the OWASP Top 10 for LLM Applications 2025 precisely because it sits at that unsolved architectural seam. Defence-in-depth — layering controls rather than trusting one — is the only credible posture, and Lockdown Mode is one deterministic layer within it.
The severity of getting this wrong is not theoretical. A widely reported 2025 vulnerability in a major enterprise AI assistant — reported as EchoLeak (tracked as CVE-2025-32711, reportedly a critical-severity CVSS 9.3; verify the exact identifiers against the NVD before citing them) — showed how a crafted email could inject hidden instructions that the assistant ingested during summarization, pulling sensitive data from connected stores within seconds. And in early 2026, security researchers disclosed a cluster of indirect-injection vulnerabilities in several major AI productivity tools over a matter of days, each following the same lethal-trifecta pattern. The pattern is the point; the specific product names matter less than the recurring shape.
06 — RBAC DecisionWho actually needs it.
OpenAI names executives and security teams as the intended audience but publishes no structured role guidance. Turning Lockdown Mode on org-wide would cripple productivity — Deep Research, Agent Mode, live connectors, and browsing are exactly the features many teams use daily. The right approach treats it like any other least-privilege control: mandatory where data sensitivity and injection exposure are both high, optional or unnecessary where they are not.
The matrix below is our practitioner-level categorisation, built from OpenAI's stated target users, the OWASP LLM01 risk framing, and standard enterprise data-classification practice. Treat it as a starting template to adapt to your own data map, not a fixed rule.
| Role / team | Data sensitivity | Injection exposure | Recommendation | Productivity impact |
|---|---|---|---|---|
| C-suite / executives | Very high | High (targeted) | Mandatory | Medium |
| Legal / compliance | Very high | Medium | Mandatory | Low |
| Security operations | Very high | High | Mandatory | Medium |
| Finance | Very high | Medium | Mandatory | Low |
| HR / people ops | High (PII) | Medium | Mandatory | Low |
| Engineering | Medium | Medium | Per-chat override | High |
| Marketing / content | Low | Low | Not warranted | High if forced |
| General knowledge workers | Variable | Low–medium | Optional | Medium |
The shape of the matrix is the lesson: Lockdown Mode is worth its productivity cost precisely where sensitive data concentrates and attackers have a reason to aim. For public-facing content teams who live in browsing and Deep Research and handle nothing confidential, mandating it would trade real output for negligible risk reduction. This is the same least-privilege logic that underpins a well-run CRM and data-automation program — access matched to need, not granted by default.
07 — DeploymentHow to turn it on properly.
Enabling Lockdown Mode differs by plan. For individuals it is a personal toggle; for enterprises it is a role-based configuration that also unlocks granular control over which apps and actions survive the lockdown. The choice matrix below frames the three deployment paths.
Self-serve toggle
Free, Go, Plus, and Pro users enable Lockdown Mode under Settings > Safety and security > Advanced security > Lockdown mode. It is off by default and intended only for users with genuinely elevated risk.
Role-based deployment
Workspace Admins enable Lockdown Mode in Workspace Settings by creating a new role via the Roles tab, then assign exactly which apps and which specific actions within them remain available to users in the role.
Compliance API Logs
The Compliance API Logs Platform gives enterprise admins visibility into app usage, shared data, and connected sources — relevant for governance regardless of whether a given user is in Lockdown Mode.
Elevated Risk labels
For users not in Lockdown Mode, Elevated Risk labels warn — without blocking — when a feature may introduce additional risk, with explanations of what changes and when access is appropriate.
The enterprise path is the one worth dwelling on. Because admins assign apps and actions per role, Lockdown Mode is not a blunt all-or-nothing switch at the org level — it is a configurable egress policy. A legal team can keep an approved internal connector while losing live browsing; a finance team can retain file processing while losing Deep Research. Combined with the Compliance API Logs Platform, this gives governance teams both the control and the visibility they need to defend the configuration in an audit. Designing those role definitions well is exactly the kind of work an AI transformation engagement should scope alongside an AI governance implementation plan.
"Lockdown Mode is not intended for everyone. It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."— OpenAI, official Lockdown Mode announcement, June 2026
08 — GovernanceWhat this signals for AI policy.
Step back from the feature and the more interesting signal appears. The very existence of Lockdown Mode is OpenAI quietly confirming that the default ChatGPT product is not hardened for the most sensitive data. That is not a criticism — it is an honest acknowledgement that a connected, capable assistant carries inherent exfiltration risk, and that the responsible answer is to give customers a deterministic way to dial that risk down when the stakes warrant it.
For compliance teams building AI usage policies, that reframes the buying question. The question is no longer "is ChatGPT safe?" but "which roles, handling which data classifications, should operate under which controls?" Lockdown Mode becomes a line item in a control catalogue alongside connector scoping, data classification, and audit logging — not a silver bullet. Pairing it with Elevated Risk labels is instructive: the labels are how OpenAI surfaces residual risk it has not yet engineered away, and the company has said it will retire each label once security advances mitigate the underlying risk. The catalogue is live and evolving, and your policy has to be too.
Looking forward, expect deterministic egress controls to become a baseline expectation across enterprise AI products, not a differentiator. As agentic features proliferate and more assistants gain the lethal trifecta's three legs by default, regulators and auditors operating under frameworks like the EU AI Act and the NIST AI Risk Management Framework will increasingly ask not whether a vendor detects attacks, but whether the customer can structurally prevent exfiltration for sensitive workloads. Organizations that have already mapped roles to data sensitivity — the work the matrix above forces — will adopt these controls in an afternoon. Those that have not will discover their AI governance was a slide deck, not a configuration.
Residual exposure by kill-chain stage under Lockdown Mode
Source: Digital Applied analysis of OpenAI's Lockdown Mode coverage by attack stage. Lower bars = better Lockdown Mode coverage.The bars above make the boundary visible: Lockdown Mode does its real work at stages four and five, leaves stages one and two wide open, and only partially touches stage three. That is not a flaw to hide — it is the precise scope of a well-designed single-purpose control, and it is why defence-in-depth, not any one toggle, remains the only honest posture. If you want help mapping these stages onto your own stack, our AI transformation team runs exactly this kind of control-coverage assessment, drawing on the 12-layer prompt injection defense framework and the Q3 2026 AI governance forecast.
09 — ConclusionA precise control, used precisely.
Lockdown Mode is a deterministic off-switch for the last stage of an attack — treat it as exactly that.
ChatGPT Lockdown Mode is the clearest example yet of a frontier lab shipping a control you can actually reason about. It does not promise to outsmart attackers; it removes the channels attackers need. That deterministic posture is more trustworthy than another layer of probabilistic detection, and it is honest about its own limits: injections still land, behaviour can still be influenced, and OpenAI does not guarantee exfiltration cannot happen.
The practical move is to deploy it the way you would any least-privilege control. Mandatory for the roles where sensitive data and attacker interest both concentrate — executives, legal, finance, security, HR. Optional or unnecessary for teams who live in browsing and research and handle nothing confidential. Pair it with Elevated Risk labels, the Compliance API Logs Platform, and a real data map, and it earns its place in your control catalogue.
The broader signal is the one to carry forward: the existence of a dedicated exfiltration control confirms that capable, connected AI carries inherent risk, and that the responsible answer is structural prevention scoped to the workloads that need it — not a blanket promise of safety. Organizations that have already mapped roles to data will fold Lockdown Mode in without friction. The rest will use this release as the prompt to finally do that mapping.