ChatGPT Lockdown Mode: what it changes for prompt-injection risk

OpenAI's ChatGPT Lockdown Mode limits outbound network requests to cut prompt-injection exfiltration paths. Here is what it disables, what it leaves unchanged, and how to evaluate connected AI tools.

June 6, 2026

OpenAI added an optional security setting to ChatGPT called Lockdown Mode. It is aimed at people who run connected ChatGPT workflows and want to lower the chance that a hidden instruction buried in a web page or a file quietly pushes their data somewhere it should not go. This explainer covers what OpenAI says the setting does, what it explicitly does not do, and how to weigh it when you evaluate connected AI tools.

What OpenAI changed in June 2026

OpenAI describes Lockdown Mode as an optional advanced security setting that limits many tools and capabilities that connect to the web or external services (https://help.openai.com/en/articles/20001061-lockdown-mode). According to OpenAI, the goal is to reduce prompt-injection data-exfiltration risk by limiting outbound network requests (same help page).

OpenAI says the setting is rolling out to eligible personal accounts including Free, Go, Plus, Pro, and self-serve ChatGPT Business accounts, and that availability may vary by account (https://help.openai.com/en/articles/20001061-lockdown-mode). OpenAI's product post, "Introducing Lockdown Mode and Elevated Risk labels in ChatGPT," frames it as a deterministic setting for users and teams willing to trade some functionality for stricter guardrails; that post was updated June 4, 2026 (https://openai.com/index/introducing-lockdown-mode-and-elevated-risk-labels-in-chatgpt/).

The useful security idea: cut the exfiltration path

The reason this setting matters is narrow but real. A connected assistant becomes dangerous when three things line up at once: it can read your private data, it can be exposed to untrusted content, and it has a way to send data back out. Independent researcher Simon Willison calls this combination the "lethal trifecta" — private-data access plus untrusted-content exposure plus an external communication or exfiltration path (https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/). That framing is Willison's analysis, not OpenAI's wording.

Lockdown Mode targets the third leg. By limiting outbound network requests, it aims to remove the deterministic channels an injected instruction would use to leak data, even when the model has already been tricked (https://help.openai.com/en/articles/20001061-lockdown-mode). Willison's link note on the OpenAI Help page reads the change in the same terms (https://simonwillison.net/2026/Jun/5/openai-help-lockdown-mode/).

What Lockdown Mode limits or disables

OpenAI says Lockdown Mode can limit or disable several capabilities, with behavior that depends on the account or workspace (https://help.openai.com/en/articles/20001061-lockdown-mode):

  • live web browsing and use of cached web content
  • showing images in responses and retrieving images
  • Deep Research
  • Agent Mode
  • Canvas networking
  • live connector access and connector actions
  • file downloads

Because OpenAI notes the effect is account- and workspace-dependent, the exact set you see may differ from what another user sees.

What Lockdown Mode does not change

This is the part that is easy to get wrong. Lockdown Mode does not prevent prompt injections from appearing in the content ChatGPT processes, including cached web content or uploaded files; OpenAI says such injections can still affect behavior and accuracy (https://help.openai.com/en/articles/20001061-lockdown-mode). In other words, it narrows the exit, not the entry.

OpenAI also says Lockdown Mode does not change memory, file uploads, conversation sharing, whether conversations may be used to improve models, or network access in Codex (same help page). The Codex point is worth repeating: turning on Lockdown Mode does not restrict Codex's network access.

For managed workspaces, OpenAI says that app, MCP, and connector behavior depends on workspace settings and role-based access controls, and it advises admins to enable only the trusted apps and actions that Lockdown Mode users actually need (https://help.openai.com/en/articles/20001061-lockdown-mode). That is not the same as every connector or app being disabled automatically.

Buyer and builder checklist for connected AI tools

Use the same lens on any connected assistant, not just ChatGPT:

  • Does the tool process untrusted content such as web pages, emails, or documents?
  • Does it have access to private or sensitive data?
  • Does it have outbound network or write channels?
  • Are egress controls deterministic, or are they mediated by the model itself?
  • Are admin controls, audit logs, and connector policies available?

If a tool claims it "resists" injection but still lets the model freely trigger outbound actions, you are trusting the model to police itself.
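
The checklist's distinction between deterministic and model-mediated egress control, as an added example (not OpenAI's implementation and not code from the sources cited here): a host-side gate that tracks which trifecta legs are live in a session and refuses outbound calls in code instead of asking the model. Tool names, capability flags and hostnames are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Tool:
    name: str
    reads_private: bool = False      # leg 1: private-data access
    ingests_untrusted: bool = False  # leg 2: untrusted-content exposure
    egress: bool = False             # leg 3: outbound network or write channel

# Constructed manifest; tool names and flags are hypothetical.
TOOLS = {
    "crm_lookup": Tool("crm_lookup", reads_private=True),
    "web_fetch": Tool("web_fetch", ingests_untrusted=True, egress=True),
    "send_webhook": Tool("send_webhook", egress=True),
}

def trifecta_legs(tools):
    """Report which of the three legs a set of enabled tools exposes."""
    tools = list(tools)
    return {
        "private_data": any(t.reads_private for t in tools),
        "untrusted_content": any(t.ingests_untrusted for t in tools),
        "egress": any(t.egress for t in tools),
    }

@dataclass
class EgressGate:
    """Runs in the host application, so model output cannot alter the policy."""
    allowed_hosts: frozenset
    has_private: bool = False  # private data already in the context
    tainted: bool = False      # untrusted content already in the context
    audit: list = field(default_factory=list)

    def authorize(self, tool, url=""):
        host = urlsplit(url).hostname or ""
        reason = "ok"
        if tool.egress and host not in self.allowed_hosts:
            reason = "host not allowlisted"
        elif tool.egress and self.has_private and self.tainted:
            reason = "private data and untrusted content both in context"
        allowed = reason == "ok"
        self.audit.append((tool.name, host, allowed, reason))
        if allowed:  # record what the call will bring into the context
            self.has_private |= tool.reads_private
            self.tainted |= tool.ingests_untrusted
        return allowed
```

The gate denies egress on state it tracks itself, so a successful injection can change what the model asks for but not what the host permits; the `audit` list is the record an admin would review.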

Toolhalla verdict

Lockdown Mode is a sensible step for sensitive ChatGPT workflows, and OpenAI is right to frame it as a trade: less capability in exchange for tighter guardrails (https://openai.com/index/introducing-lockdown-mode-and-elevated-risk-labels-in-chatgpt/). It is not a fix for prompt injection, and it does not make every OpenAI surface safer by default. Treat it as one control among several. App-level sandboxing, allowlists, output validation, and least-privilege tool access still do the heavy lifting — see our guide to AI agent guardrails and output validation.

FAQ

Does Lockdown Mode prevent prompt injection? No. OpenAI says injections can still appear in the content ChatGPT processes and can still affect behavior and accuracy; Lockdown Mode limits outbound requests to reduce exfiltration, but it does not stop the injection itself (https://help.openai.com/en/articles/20001061-lockdown-mode).

Which ChatGPT plans can use Lockdown Mode? OpenAI says it is rolling out to eligible personal accounts including Free, Go, Plus, Pro, and self-serve ChatGPT Business accounts, with availability varying by account (https://help.openai.com/en/articles/20001061-lockdown-mode).

Does Lockdown Mode affect Codex? OpenAI says Lockdown Mode does not change network access in Codex (https://help.openai.com/en/articles/20001061-lockdown-mode).

What features are disabled in Lockdown Mode? Depending on the account or workspace, it can limit live browsing and cached content, images in responses, Deep Research, Agent Mode, Canvas networking, live connectors and actions, and file downloads (https://help.openai.com/en/articles/20001061-lockdown-mode).

Should builders still use sandboxing and egress controls? Yes. Lockdown Mode is one layer; deterministic egress controls, sandboxing, and least-privilege access remain the core defenses.

Sources:

  • OpenAI Help Center — Lockdown Mode: https://help.openai.com/en/articles/20001061-lockdown-mode
  • OpenAI — Introducing Lockdown Mode and Elevated Risk labels in ChatGPT: https://openai.com/index/introducing-lockdown-mode-and-elevated-risk-labels-in-chatgpt/
  • Simon Willison — OpenAI Help: Lockdown Mode: https://simonwillison.net/2026/Jun/5/openai-help-lockdown-mode/
  • Simon Willison — The lethal trifecta for AI agents: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
