OpenAI

Lockdown Mode

Updated: 3 days ago

Overview

Lockdown Mode is an optional advanced security setting that locks down many tools and capabilities of OpenAI products, preventing them from accessing the network. It provides strong deterministic protection against prompt injection-based data exfiltration attacks, at the expense of disabling or limiting many otherwise useful features.

Lockdown Mode is not intended for everyone. It is designed for organizations to protect the sensitive data of members who face the highest risk of prompt injection-based data exfiltration attacks.

Availability

Lockdown Mode is available for ChatGPT Enterprise, Edu, ChatGPT for Healthcare, and ChatGPT for Teachers.

We plan to make Lockdown Mode available to ChatGPT consumer and team plans in the coming months.

How does Lockdown Mode protect against prompt injection-based exfiltration attacks?

Prompt injection is a frontier, challenging research problem, and we are continually working to harden our multi-layered security and safety systems to protect all users from such attacks.

For those most at risk from such attacks, Lockdown Mode provides deterministic security protections by disabling many network-enabled tools and capabilities of OpenAI products.

Lockdown Mode builds on our existing protections across the model, product, and system levels. This includes sandboxing, protections against URL-based data exfiltration, monitoring and enforcement, and enterprise controls like role-based access and audit logs.

Specifically, for those in Lockdown Mode, the following capabilities of OpenAI products are disabled:

  • Web browsing of the live web: web browsing is limited to cached content. This means that this capability cannot be used to transmit sensitive data to an attacker, though it also means search results may be somewhat limited or stale.

  • Image support: ChatGPT’s responses cannot include images. Users can still upload their own image files and can still use the image generation capability.

  • Deep Research: Deep Research is disabled.

  • Agent Mode: Agent Mode is disabled.

  • Canvas networking: users cannot approve Canvas-generated code to access the network.

  • File downloads: ChatGPT cannot download files for data analysis. Note that ChatGPT can still operate on your manually uploaded files.

Configuring these features in this way is designed to block the final stage of prompt injection-driven data exfiltration attacks by deterministically preventing outbound network requests that could be sent to the attacker to transfer such data. Note that Lockdown Mode does not deterministically prevent prompt injections from reaching the context in the first place (e.g. a prompt injection could be in cached content accessed via web browsing); instead, it is designed to prevent network requests that could be used to transfer sensitive data to an attacker.

Note that Lockdown Mode does not affect memory, file uploads, and the ability to share the conversation. Many of these are independently configurable by workspace admins.

Note that Lockdown Mode does not affect network access in Codex.

How does Lockdown Mode work with apps?

Apps (including MCPs and connectors) can interact with the internet, so they carry a potential risk of being used by attackers for prompt injection-driven data exfiltration attacks, despite our various multi-layered security and safety protections.

Since many important workflows rely on specific trusted apps, Lockdown Mode does not disable apps. Instead, we recommend that organization admins carefully configure which apps, and which actions within them, are enabled, keeping to the minimal set needed.

When configuring apps for members with Lockdown Mode enabled, we recommend admins consider the following guide describing the data exfiltration risk of each:

  • Medium risk – use with caution for users in Lockdown Mode:

    • Sync connectors: sync connectors are low risk as a possible “sink” for data exfiltration attacks, since the data being accessed is synced to OpenAI so queries do not result in network requests leaving the OpenAI network. That said, they can still act as sources of sensitive data that malicious actors may attempt to exfiltrate from.

    • Read actions of trusted apps: read actions within trusted apps are low risk as a possible “sink” for data exfiltration attacks. That said, they can still act as sources of sensitive data that malicious actors may attempt to exfiltrate from.

    • Write actions of trusted apps, where the write action is guaranteed to only be accessible to those you trust: write actions are inherently riskier than read actions since they result in an observable side-effect. We strongly recommend you do not enable any write actions unless you are highly confident that the side effect is not observable by any possible malicious actor.

  • High risk – not recommended for users in Lockdown Mode:

    • Read or write actions to untrusted apps: we strongly recommend against enabling apps you do not trust.

    • Write actions of trusted apps, where the write action is not guaranteed to only be accessible to those you trust: we strongly recommend against enabling write actions, even to apps you trust, if you do not have full confidence that the side effect of such a write action is definitely not observable by any possible malicious actor.
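The guide above can be applied mechanically when reviewing what a Lockdown Mode role has enabled. The following is an added example, not OpenAI code and not an OpenAI API: the `AppAction` record, its fields and the sample inventory are hypothetical, and the admin supplies the trust judgements by hand.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppAction:
    app: str                        # hypothetical app name
    kind: str                       # "sync", "read" or "write"
    app_trusted: bool               # admin's judgement of the app itself
    audience_trusted: bool = False  # write only: side effect visible solely to trusted people

def classify(a):
    """Return (tier, reason) using the guide's two tiers."""
    if a.kind not in ("sync", "read", "write"):
        raise ValueError(f"unknown action kind: {a.kind!r}")
    if a.kind == "sync":
        # The guide lists sync connectors without a trust condition.
        return "medium", "low-risk sink, but still a source of sensitive data"
    if not a.app_trusted:
        return "high", "read or write action on an untrusted app"
    if a.kind == "read":
        return "medium", "low-risk sink, but still a source of sensitive data"
    if a.audience_trusted:
        return "medium", "write whose side effect only trusted people can observe"
    # Writes default to high: the guide requires a positive guarantee.
    return "high", "write whose side effect may be observable by a malicious actor"

def audit(enabled):
    """Split a role's enabled actions into (use_with_caution, disable)."""
    keep, disable = [], []
    for a in enabled:
        tier, reason = classify(a)
        (disable if tier == "high" else keep).append((a.app, a.kind, reason))
    return keep, disable

# Constructed inventory for illustration; names are not real apps.
SAMPLE = [
    AppAction("wiki-sync", "sync", app_trusted=True),
    AppAction("crm", "read", app_trusted=True),
    AppAction("ticketing", "write", app_trusted=True, audience_trusted=True),
    AppAction("public-forum", "write", app_trusted=True),
    AppAction("unknown-mcp", "read", app_trusted=False),
]

if __name__ == "__main__":
    keep, disable = audit(SAMPLE)
    for app, kind, reason in disable:
        print(f"DISABLE {app} ({kind}): {reason}")
    for app, kind, reason in keep:
        print(f"CAUTION {app} ({kind}): {reason}")
```
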

Additionally, and separate from Lockdown Mode, the **Compliance API Logs Platform** provides detailed visibility into app usage, shared data, and connected sources to help admins maintain oversight as AI capabilities expand.

Enabling Lockdown Mode for your workspace members

Workspace admins can create a new custom role and designate it as a “Lockdown Mode” role, and then assign a group of users to that custom role.

FAQ

Who can turn on Lockdown Mode?

Workspace admins can enable it in Workspace Settings using role-based access controls.

Does Lockdown Mode prevent all prompt injection attacks?

Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration in ChatGPT and Atlas, but does not guarantee it cannot happen, for example via enabled Apps, or unforeseen and newly discovered combinations of other capabilities. Additionally, Lockdown Mode does not affect our Codex products.

Additionally, Lockdown Mode does not prevent all other effects of prompt injection attacks. For example, a malicious attack hidden in an uploaded file could still affect the behavior of ChatGPT, such as by causing ChatGPT to answer your question incorrectly.

Is Lockdown Mode available on Plus, Pro, Free or Teams?

Not yet. It is available for Enterprise, Edu, Healthcare, and Teachers. We plan to expand availability for it in the coming months.

Does Lockdown Mode change what gets logged in the Compliance API Logs Platform?

The Compliance API Logs Platform provides detailed visibility into app usage, shared data, and connected sources. Such logs are unaffected by Lockdown Mode.
