OpenAI rolls out an optional Lockdown Mode for ChatGPT, disabling live browsing, Deep Research, and Agent Mode to neutralize data exfiltration risks from prompt injection attacks.
ChatGPT Lockdown Mode: OpenAI Curbs Agentic Features to Thwart Data Exfiltration

OpenAI began the rollout of Lockdown Mode for ChatGPT on June 7-8, 2026. This optional security feature restricts live browsing, Deep Research, Agent Mode, and other network-dependent functionalities. The measure aims to mitigate the risk of sensitive data exfiltration resulting from prompt injection attacks. OpenAI positions the mode as a necessary tool for users handling sensitive information rather than a mandatory requirement for the general user base.

Key Takeaways
  • Lockdown Mode is optional and became available June 7-8, 2026, for personal accounts (Free, Go, Plus, Pro) and ChatGPT Business self-serve.
  • The feature restricts outbound network requests to disrupt the final stage of a prompt injection attack: the transfer of data to external servers.
  • It does not prevent the model from being influenced by malicious instructions within processed content or uploaded files.
  • Disabled features: Live web browsing (restricted to cache), web image support, Deep Research, Agent Mode, Canvas networking, and file downloads for data analysis.
  • Unchanged features: Memory, file uploads, conversation sharing, and model training usage.
  • Lockdown Mode and Developer Mode are mutually exclusive; Codex remains unaffected by this protection.

The Mechanism: Restricting Outbound Traffic to Block Exfiltration

Lockdown Mode operates on the principle of outbound communication control. Rather than attempting to filter complex semantic inputs to detect prompt injections, OpenAI targets the attack's execution phase.

The mechanism is designed to reduce the risk of data exfiltration from prompt injection attacks by limiting outbound network requests, at the expense of disabling or limiting some useful features. While the model can still receive and process compromised content—including uploaded files containing hidden instructions—it is barred from transmitting data to external servers.

When active, web browsing only accesses cached content; searches are limited, unavailable, or may return outdated information. This is an explicit trade-off: preventing exfiltration requires a significant reduction in the attack surface created by live connections.
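The split described above (compromised content still reaches the model, but the outbound request is refused) can be sketched as a small egress gate. This is an added illustration, not OpenAI's implementation, which has not been disclosed: the tool names, the exact-match cache rule, the default-deny behaviour, and the `example` URLs are all assumptions.

```python
from dataclasses import dataclass

# Tool names loosely follow the article's feature lists; the grouping is an assumption.
LOCAL_TOOLS = {"memory", "file_upload"}
NETWORK_TOOLS = {"browse", "web_image", "deep_research", "agent_mode",
                 "canvas_network", "analysis_download"}

@dataclass(frozen=True)
class ToolCall:
    tool: str
    url: str = ""

class EgressGate:
    """Decides whether a tool call proposed by the model may run."""
    def __init__(self, lockdown, cache=()):
        self.lockdown = lockdown
        self.cache = set(cache)   # URLs already held in cache (constructed sample)
        self.denied = []          # audit trail of refused calls for later review

    def _deny(self, call):
        self.denied.append(call)
        return "deny"

    def decide(self, call):
        if call.tool in LOCAL_TOOLS:
            return "allow"        # not network-bound: content still reaches the model
        if call.tool not in NETWORK_TOOLS:
            return self._deny(call)   # unknown tool: default deny
        if not self.lockdown:
            return "allow"
        # Lockdown: browsing is served from cache only, so a URL that was
        # never cached produces no new outbound request.
        if call.tool == "browse" and call.url in self.cache:
            return "allow-cached"
        return self._deny(call)

def run_session(lockdown):
    """Replay a constructed session in which an uploaded file carries hidden instructions."""
    gate = EgressGate(lockdown, cache={"https://docs.example.org/policy"})
    calls = [
        ToolCall("file_upload"),                                 # file is still processed
        ToolCall("browse", "https://docs.example.org/policy"),   # cached page
        ToolCall("browse", "https://collector.example.net/in"),  # destination named by the hidden text
        ToolCall("agent_mode", "https://collector.example.net/in"),
    ]
    return [gate.decide(c) for c in calls], gate.denied
```

The `denied` list is the part worth keeping in practice: each refused call records that the model was steered toward an outbound destination even though nothing left the session.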

The Agentic AI Tension: Autonomy vs. Risk

The most significant aspect of this rollout is strategic. OpenAI has excluded core roadmap features from the maximum protection tier: Deep Research, which performs autonomous multi-step investigations, and Agent Mode, which operates on the user's behalf via external tools. These capabilities are disabled entirely under Lockdown Mode rather than merely mitigated.

This segmentation highlights a structural tension. The autonomy required for agentic tasks—planning, iterative API calls, and writing to connected services—overlaps directly with the exfiltration vectors Lockdown Mode is built to block. While OpenAI has not explicitly stated it is "separating rather than integrating" these paths, the functional result is that advanced agentic features are unavailable under this security protocol.

Activation is managed via Security > Advanced Security. For managed workspaces, administrators control apps, Model Context Protocol (MCP), and connectors through role-based permissions. While connectors with synced data remain functional, live access and write actions are blocked. Business self-serve users must perform individual risk assessments for each enabled app, supported by visibility from the Compliance API Logs Platform regarding usage, shared data, and connected sources.

Stated Limitations: No Guarantee of Immunity

"Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration... but it does not guarantee that data exfiltration cannot happen"

OpenAI identifies three residual vectors: enabled apps, unforeseen combinations of capabilities, and undiscovered techniques. There are currently no documented effectiveness metrics or case studies of blocked attacks. Furthermore, the absence of an associated CVE confirms that this is an architectural hardening measure rather than a patch for a specific cataloged vulnerability.

The rollout is proceeding gradually, with no confirmed completion date. OpenAI notes that prompt injection is not currently a widespread threat for the majority of users, framing Lockdown Mode as a preventive enterprise-grade measure rather than an emergency response to an active crisis.

Technical details regarding the underlying sandboxing mechanism or its impact on performance and latency have not been disclosed. The exception of Codex—which is explicitly excluded from these protections—suggests that OpenAI manages the security of its development systems using criteria distinct from those applied to end-user environments.

Threat Landscape Context

A 32% increase in malicious indirect prompt injection activity between November 2025 and February 2026, as detected by Google, provides context for the rising threat level. While this data is not directly linked to Lockdown Mode, it underscores the relevance of the risk category OpenAI is now addressing.

Implementation and Risk Assessment

Based on the documented features, organizations and users should:

  • Monitor the availability of Lockdown Mode under Security > Advanced Security, given the gradual rollout schedule.
  • Explicitly evaluate the data exfiltration risk for every enabled app or connector before maintaining its activation under Lockdown Mode.
  • For managed workspaces, audit role-based permissions for apps, MCP, and connectors; utilize the Compliance API Logs Platform to monitor shared data and connected sources.
  • Avoid activating Lockdown Mode if workflows depend on Deep Research, Agent Mode, or live browsing, as these features are disabled, not merely degraded.

Editorial Closing

Lockdown Mode is a niche, optional measure. As OpenAI points out, prompt injection does not currently pose a threat to the average user. For those not handling sensitive data or operating in high-security enterprise environments, immediate activation is unnecessary. The trade-off is functional: users exchange live connectivity for a reduced exfiltration surface. For those requiring both high-level protection and advanced agentic AI, a unified solution remains absent from the current dossier.

Note on sources: Information is verified against the cited editorial sources. Some sources, such as Gigazine, utilize machine translation which may impact original syntactic precision.

Information verified and updated at the time of publication.

Sources and references
  1. helpnetsecurity.com
  2. thehackernews.com
  3. hwupgrade.it
  4. gigazine.net
  5. unit42.paloaltonetworks.com