OpenAI is locking down parts of ChatGPT to reduce data theft risks
OpenAI has started rolling out Lockdown Mode for ChatGPT, an optional security setting that restricts access to external resources and several product capabilities. It is available for personal accounts, including Free, Go, Plus, and Pro plans, as well as self-serve ChatGPT Business accounts.
“Lockdown Mode is not intended for everyone. It is designed for people and organizations that handle sensitive data and want stronger protection against data exfiltration risks associated with prompt injection,” the company said.
How Lockdown Mode works
Lockdown Mode combines sandboxing, protections against URL-based data exfiltration, monitoring and enforcement mechanisms, and enterprise controls. These measures provide protection at the model, product, and system levels.
By limiting outbound network requests that could transfer sensitive data to an attacker, the feature blocks the final stage of a prompt injection attack. It does not prevent prompt injections from appearing in content processed by ChatGPT, and they may still influence the model’s behavior or the accuracy of its responses.
What changes when it is enabled
Several ChatGPT capabilities are restricted when Lockdown Mode is enabled. Web browsing is limited to cached content, and search results may be limited, unavailable, or outdated. ChatGPT cannot download files for data analysis. It can work with files uploaded manually.
Deep Research and Agent Mode are disabled. Users cannot approve Canvas-generated code that requires network access. ChatGPT cannot download files for data analysis. It can work with files uploaded manually.
Lockdown Mode does not affect memory, file uploads, conversation sharing, or whether conversations may be used to improve models. Workspace administrators can manage these settings separately.
The setting does not affect network access in Codex.
Managing app access and risk
For personal accounts and self-serve ChatGPT Business accounts, the setting allows connectors that use synced data. Live connector access and connector write actions are blocked. Features that depend on those capabilities, including Finances in ChatGPT and shopping-agent experiences, are unavailable.
In managed workspaces, access to apps, MCPs, and connectors is controlled through workspace settings and role-based permissions. Administrators should enable only the apps and actions required by members using the setting.
OpenAI recommends that administrators review the data exfiltration risk of each app and action before enabling them for members using Lockdown Mode.
Access to an app, connector, MCP, or action may be unavailable because the member’s role does not permit the required capability, the app has not been assigned to the user, the required read or write action is disabled, or the user lacks access to the underlying file, repository, channel, record, or source system.
App access in ChatGPT does not override permissions in the connected source system. When configuring apps for members who use the feature, administrators should assess the data exfiltration risk associated with each app and action.
Read and write actions in untrusted apps are not recommended. Write actions in trusted apps carry risk when their effects are visible to a broad audience or when administrators cannot verify who can view the results. Sync connectors present a lower risk because the data is already synced to OpenAI and queries do not trigger live network requests.
Read actions in trusted apps carry less risk because they do not create side effects. Both can expose sensitive data. Write actions in trusted apps with limited visibility should be enabled only when administrators know who can view the results.
The Compliance API Logs Platform provides visibility into app usage, shared data, and connected sources.
Lockdown Mode and Developer Mode cannot be enabled at the same time. Enabling one disables the other.
Download: The IT and security field guide to AI adoption