Decoding the world of cybersecurity

OpenAI expands ChatGPT Lockdown Mode

OpenAI has expanded Lockdown Mode across logged-in ChatGPT users, giving organisations a concrete control for reducing prompt-injection data-exfiltration paths.

OpenAI expands ChatGPT Lockdown Mode
Summary
  • OpenAI says Lockdown Mode is now available to logged-in users across account types and workspaces.
  • The setting limits web and external-service access to reduce prompt-injection data-exfiltration risk.
  • The control does not eliminate prompt injection, but it gives organisations a clearer way to govern connected AI capabilities and outbound data paths.

OpenAI has expanded Lockdown Mode across logged-in ChatGPT users, making an optional security setting for reducing prompt-injection data-exfiltration risk available across account types and workspaces.

The company’s ChatGPT release notes say Lockdown Mode is now available to all logged-in users. OpenAI’s support documentation describes the feature as an advanced opt-in setting that limits tools and capabilities able to connect to the web or external services. The aim is to reduce the risk that a prompt injection attack can move sensitive data out through outbound network requests.

When enabled, Lockdown Mode restricts network-enabled capabilities including live web browsing, deep research, agent mode, file downloads, and some web-derived image support. Personal users can enable it through Settings and Security, while workspace administrators can configure access for members through workspace settings and role-based access controls.

The feature is deliberately narrow. OpenAI says Lockdown Mode does not stop prompt injections from appearing in content processed by ChatGPT. A malicious instruction could still be present in cached web content or an uploaded file and could still affect behaviour or accuracy. The control is designed to help prevent the final exfiltration stage by limiting outbound network requests, not to solve prompt injection as a class.

OpenAI also says Lockdown Mode does not change memory, file uploads, conversation sharing, or whether conversations may be used to improve models. Those settings remain separately configurable, including by workspace administrators depending on plan and controls. It also does not affect network access in Codex.

In enterprise environments, prompt injection is less a novelty attack than a data-governance and egress-control problem. AI tools increasingly connect to browsers, files, applications, knowledge bases, productivity suites, code repositories, and business systems. Each connection creates a potential route for malicious instructions embedded in ordinary content to influence retrieval, action, or disclosure.

That places AI security close to familiar disciplines: least privilege, segregation of duties, data loss prevention, egress control, application allow-listing, audit logging, and role-based access. The difference is that instructions can be embedded inside web pages, documents, tickets, emails, repositories, and other material the assistant is asked to process as part of legitimate work.

Lockdown Mode does not remove the need for governance around which tools are enabled, which connectors are trusted, and which write actions are allowed. OpenAI’s documentation warns that apps and connectors behave differently depending on account type and workspace settings. In managed workspaces, Lockdown Mode does not automatically disable every app. Administrators still need to decide which apps, model context protocols, connectors, and actions are available to users operating under tighter controls.

Those distinctions become sharper when sensitive information is involved. A user handling acquisition documents, board papers, legal advice, incident reports, or customer data may need stricter controls than a general-purpose user. A developer using AI against repositories and build artefacts may need a different model again. The governance question is where sensitive data, connected tools, and outbound actions intersect.

The wider AI market is likely to move toward more visible security modes, risk labels, and administrative controls. Buyers are already asking vendors how AI assistants handle prompt injection, connector permissions, logs, data residency, and external actions. Lockdown Mode gives one implementation of a principle that is becoming harder to avoid: high-risk AI workflows should not share the same network and action surface as ordinary productivity sessions.

×