OpenAI began rolling out a feature called Lockdown Mode on June 5, an optional setting meant to limit the damage a prompt-injection attack can do inside ChatGPT.
Prompt injection is the open problem of the agent era: malicious instructions hidden in a web page, an email, or an uploaded file can hijack what an AI assistant does next. The risk grows as assistants gain the ability to browse, run tools, and act on a user's behalf.
Lockdown Mode does not try to stop the injection itself. It targets the payoff. OpenAI's documentation says the setting "is designed to help prevent the final stage of data exfiltration from a prompt injection attack by limiting outbound network requests" — the channel an attacker would use to push stolen data back out.
In practice that means turning off the capabilities most useful to an attacker. According to OpenAI and early reporting, the mode restricts live web browsing, agent mode, deep research, and the retrieval of images from the web, while leaving core chat intact.
The notable part is OpenAI's candor about the limits. The company says the feature "does not prevent prompt injections from appearing in the content ChatGPT processes." Injected instructions in cached web content or an uploaded file can still affect how ChatGPT behaves or how accurate its answers are.
It is also not pitched at everyone. OpenAI's chief information security officer framed it as a tool "for folks who have an elevated risk profile — due to who they are, what they work on, or the types of data they work with." OpenAI says it is rolling out to personal accounts across the Free, Go, Plus, and Pro tiers, plus self-serve ChatGPT Business accounts.
Why it matters: a leading model vendor is shipping a defensive switch while plainly stating that the underlying vulnerability is unsolved. For anyone deploying these assistants on sensitive data, that admission is the signal — the mitigation reduces blast radius, it does not close the hole.