OpenAI launches ChatGPT Lockdown Mode to limit exfiltration
OpenAI has begun rolling out Lockdown Mode to eligible personal accounts and self-serve ChatGPT Business workspaces, the company announced in a February 13 blog post updated June 4, 2026 (OpenAI). Per OpenAI's help center, Lockdown Mode "is an optional advanced security setting that limits many tools and capabilities in OpenAI products that can connect to the web or external services" and is intended to reduce the risk of data exfiltration from prompt injection attacks (OpenAI help; OpenAI blog). OpenAI lists disabled or limited capabilities while Lockdown Mode is enabled, including live web browsing, image support in responses, Deep Research, Agent Mode, Canvas networking, and file downloads (OpenAI help). Editorial analysis: For practitioners, this introduces a user-configurable, product-level control to reduce network-exfiltration pathways at the cost of connected features.
What happened
OpenAI has begun rolling out Lockdown Mode for eligible personal accounts and self-serve ChatGPT Business workspaces, according to a company blog post published February 13, 2026 and updated June 4, 2026 (OpenAI). The company describes Lockdown Mode as "an optional advanced security setting that limits many tools and capabilities in OpenAI products that can connect to the web or external services" (OpenAI). OpenAI's help documentation further states that Lockdown Mode is available to logged-in users across Free, Go, Plus, and Pro account types and to self-serve ChatGPT Business accounts, and notes that rollout may be gradual for some accounts (OpenAI help).
Technical details
Per OpenAI's help article and blog post, Lockdown Mode reduces data exfiltration risk from prompt injection attacks by limiting outbound network requests and disabling or restricting features that create external connectivity. OpenAI explicitly lists the following capabilities as disabled or limited when Lockdown Mode is enabled (OpenAI help):
- Live web browsing, restricted to cached content only
- Image support in regular responses and retrieving images from the web
- Deep Research functionality
- Agent Mode
- Canvas networking, which prevents approving generated code to access the network
- File downloads for data analysis
OpenAI also states that Lockdown Mode does not change memory, file uploads, sharing controls, or whether conversations may be used to improve models, and that the feature "does not guarantee that data exfiltration cannot happen" because risk can remain through enabled apps or unforeseen capability combinations (OpenAI; OpenAI help).
Editorial analysis - technical context
Industry practitioners view prompt injection as an active attack vector against connected LLM systems that can convert model outputs or tool integrations into exfiltration channels. Lockdown-style controls reduce the available attack surface by removing network-capable features that an attacker could exploit to move data off-platform. For teams evaluating threat models, a toggle that trades connectivity for fewer outbound paths is a pragmatic mitigation layer that complements model-level hardening, sandboxing, and access controls.
Context and significance
Public reporting frames Lockdown Mode as part of OpenAI's broader "defense-in-depth" approach, alongside sandboxing, monitoring, enforcement, and enterprise controls such as role-based access and audit logs (OpenAI). For organizations handling high-risk data, product-level settings that reduce connectivity can simplify compliance conversations and operational risk assessments because they produce a measurable reduction in externally networked capabilities. However, OpenAI's documentation also makes clear the feature is not intended to eliminate all risk; prompt injections embedded in uploaded files or cached content can still influence model behavior even without external network access (OpenAI help).
What to watch
- Adoption signals: whether security-conscious teams adopt Lockdown Mode for default use in high-sensitivity environments, and whether vendors publish implementation guides or templates for enterprise policies.
- Complementary controls: announcements from third parties or platform partners about integrations with audit logs, reporting, or hardened app patterns that work alongside Lockdown Mode.
- Threat evolution: new prompt-injection techniques that attempt to exfiltrate data via allowed channels or through side effects that survive network restrictions.
Editorial analysis: For practitioners, Lockdown Mode is a practical tool in a layered security toolkit, but it does not replace model-level safeguards, secure software design, or rigorous access controls. Observers should treat it as a configurable mitigation that shifts the trade-off between functionality and exposure rather than a complete fix.
Scoring Rationale
This is a notable product-security rollout that affects practitioners' threat models and deployment choices. It is not a research breakthrough, but the feature materially changes operational controls for teams handling sensitive data.

