ChatGPT's Lockdown Mode Cuts Prompt Injection Surface, Not All of It
OpenAI announced Lockdown Mode for ChatGPT on June 6, 2026. The feature targets organizations and individuals handling sensitive data who want to reduce the risk of prompt injection attacks and data exfiltration.
What Gets Turned Off
Lockdown Mode disables live web browsing. The model can still access cached content, but not the live web. Image retrieval and display from the web are off, though image generation remains available. Deep research and agent mode are both disabled.
The logic is straightforward. Each of those features is a potential injection vector: a live page with embedded instructions, an image containing text, an agentic workflow touching external systems. Removing them shrinks the attack surface.
What It Still Doesn't Stop
OpenAI acknowledges Lockdown Mode does not fully prevent prompt injections. Attacks can still arrive through cached web content. They can arrive through files a user uploads directly.
That caveat matters. The mode removes live content as a vector while leaving cached content and user-uploaded files as viable paths for injected instructions. For sensitive data workflows, it raises the bar. It does not eliminate the problem.
Availability
Lockdown Mode is rolling out to self-serve ChatGPT Business accounts and eligible personal accounts.
The Tradeoff
Prompt injection is a genuine problem for LLMs operating in any agentic context, and a dedicated mode for it is a reasonable response. The public acknowledgment of its limits is more useful than the usual release-day confidence.
For workflows that don't rely on live browsing, deep research, or agent mode, enabling Lockdown Mode costs little. For anything more capable, the tradeoff is significant. Whether it's acceptable depends on what the sensitive data is worth versus what the capability loss costs.
Source: TechCrunch