OpenAI adds Lockdown Mode to ChatGPT for sensitive data protection

OpenAI is pitching a tougher security setting for ChatGPT, but its new Lockdown Mode is better understood as damage control than a cure. The company says the feature is meant to reduce the chance that prompt injection leads to sensitive data being exposed, not to eliminate the threat altogether.

Prompt injection, in plain language, is when a third party slips malicious instructions into content the AI reads, hoping to steer the system into leaking information or ignoring safeguards. OpenAI says that matters because ChatGPT and similar tools now do more than answer questions: they browse the web, help with research, and connect to outside services, which creates a larger attack surface for sensitive files, internal documents, and business workflows.

Lockdown Mode, first introduced on February 13, 2026 and expanded on June 4, 2026, rolls out to eligible personal accounts, including Free, Go, Plus and Pro, as well as self-serve ChatGPT Business accounts. It is available only to logged-in users. OpenAI says the setting limits or disables live web browsing, Deep Research, Agent Mode, Canvas networking, live connectors and file downloads. Browsing is restricted to cached content, which can be limited or stale.

That tradeoff is the point and the problem. OpenAI says Lockdown Mode does not stop prompt injections from appearing in cached web content or uploaded files, and those inputs can still shape responses or reduce accuracy. In other words, the setting cuts off some routes for data exfiltration, but it does not make the model immune to manipulation once tainted content is inside the system.

The company describes prompt injection as a frontier security problem and says its defenses are layered, including sandboxing, protections against URL-based exfiltration, monitoring and enforcement, and enterprise controls such as role-based access and audit logs. OpenAI says the feature is aimed at a small set of highly security-conscious users, such as executives or security teams at prominent organizations, rather than most users.

The caution is reinforced by OpenAI’s own safety work. Its March 25, 2026 bug bounty program lists third-party prompt injection and data exfiltration as an in-scope scenario, with reports required to be reproducible at least 50% of the time. OpenAI also cited a 2025 prompt-injection example from external researchers that worked 50% of the time in testing. Anthropic has reported similar risks in its Claude for Chrome pilot, with attack success rates of 23.6% without mitigations and 11.2% after mitigations.

For businesses and government agencies handling health records, personnel files or other sensitive material, the message is clear: Lockdown Mode reduces exposure, but it does not remove the need for strict data controls, careful access policies and human review. Browser-facing AI remains vulnerable, even as vendors harden the edges.