Most AI security features try to reason their way to safety. Lockdown Mode doesn’t.
OpenAI confirmed this week that Lockdown Mode, previously available only in enterprise workspaces since its February 2026 introduction, is now available across all logged-in ChatGPT tiers. The feature works by restricting network access to the web and external services entirely. According to OpenAI’s Lockdown Mode help documentation, it “limits access to the web and external services to help reduce data exfiltration risk from prompt injection attacks.” That language is precise and worth reading carefully.
Exfiltration risk. Not injection risk.
Here’s the distinction that matters for every security team evaluating this feature. Prompt injection attacks work in two stages: first, malicious instructions enter the model’s context (through a document, a webpage, a connected tool); second, the model is manipulated into sending sensitive data somewhere external. Lockdown Mode addresses stage two. The injection itself, the malicious instruction appearing in context, still happens. The model still processes it. What Lockdown Mode prevents is the follow-through: the data can’t be sent out because the network path doesn’t exist.
Lockdown Mode: What It Blocks vs. What Remains Available
Warning
Lockdown Mode does not prevent prompt injection instructions from appearing in the model's context. It only blocks the downstream exfiltration stage, after a successful injection, the malicious instruction is still processed by the model. The network-level block removes the exit route, not the entry point.
That’s a meaningful architectural choice. An LLM-layer defense would try to detect and reject malicious instructions, a fundamentally harder problem, because the model must evaluate adversarial content it’s designed to process. A network-level block doesn’t ask the model to judge anything. It removes the capability entirely. The attack surface shrinks because the exit route is closed.
The trade-off is functionality. According to PCMag’s coverage, enabling Lockdown Mode disables live web browsing, Deep Research, Agent Mode, Canvas networking, live connectors, and file downloads. OpenAI’s help documentation is the authoritative source for the current feature list, consult it before deploying in any workflow that relies on connected capabilities. Standard file uploads and image generation remain functional.
The catch is that this trade-off is binary. There’s no granular control, no way to allow web browsing while blocking external data exfiltration, or to permit specific trusted connectors while restricting unknown ones. For teams running Agent Mode or Deep Research workflows, Lockdown Mode is an all-or-nothing security posture. Some workloads will tolerate that. Others won’t.
This rollout extends a February 2026 enterprise feature to every tier, including free users. That’s a meaningful expansion of the security floor across ChatGPT’s entire user base. The network-level restriction approach also fits a broader pattern emerging across agentic AI deployments: as AI systems connect to more external tools and services, deterministic infrastructure controls are appearing alongside, and sometimes instead of, model-layer defenses.
Who This Affects
For enterprise security architects, the immediate question isn’t whether Lockdown Mode works. The mechanism is sound. The question is whether the feature trade-offs are acceptable for specific workflows. Teams using ChatGPT in read-only analytical contexts with no connected tool dependencies should enable it. Teams whose workflows depend on Deep Research or Agent Mode need to assess whether those use cases carry acceptable exfiltration risk without the feature enabled, or restructure those workflows to minimize that surface.
Don’t treat Lockdown Mode as a complete prompt injection defense. It’s the right half of one. The other half, reducing the likelihood that malicious instructions reach the model in the first place, remains an open problem.