OpenAI Adds a Lockdown Mode to ChatGPT to Blunt Prompt-Injection Attacks
OpenAI's new Lockdown Mode strips ChatGPT down to a more defensive core — switching off live web browsing, agent mode, deep research, web images and file downloads — to make it harder for hidden prompt-injection attacks to exfiltrate sensitive data. It's rolling out beyond enterprise to Business and personal accounts, but OpenAI is candid that it doesn't stop injections outright.
OpenAI on June 6, 2026 introduced Lockdown Mode for ChatGPT, a stricter security setting aimed at people and organizations that handle sensitive data and want firmer protection against data exfiltration. The feature, announced alongside new "Elevated Risk" labels, is a direct response to prompt-injection attacks — where malicious instructions are hidden inside webpages, documents and other content that ChatGPT reads, then try to hijack the model into leaking information or taking unwanted actions.
The trade-off is deliberate: Lockdown Mode buys safety by removing reach. When it is switched on, ChatGPT turns off the features that connect it to the open web and external services — live web browsing (it can use only cached content), agent mode, deep research, retrieval and display of images from the web, and file downloads, among other connector-dependent capabilities. The idea is that an attacker who slips a malicious payload into a page has far fewer channels through which to pull data back out.
The setting began life as an enterprise-only option, but OpenAI is now rolling it out to self-serve ChatGPT Business accounts and eligible personal accounts. The company is explicit that it is "not intended for everyone." Instead it is pitched at a narrow set of highly security-conscious users — executives, security teams and organizations working with confidential material — who are willing to give up some product functionality in exchange for tighter guardrails.
OpenAI is also unusually candid about the limits. Lockdown Mode does not prevent prompt injections from entering the model's context in the first place: a payload baked into a cached webpage or an uploaded PDF can still influence how ChatGPT behaves and how accurate its responses are. It reduces the odds of sensitive data leaking out, not the odds of being attacked. As reported by TechCrunch, the launch underscores how prompt injection has become the defining unsolved security problem of the agentic-AI era — one the major labs are now managing with blast-radius controls rather than outright fixes.