Eligible users on Free, Go, Plus and Pro plans, along with self-serve ChatGPT Business accounts, are being given access to the feature through the Security section of ChatGPT settings. The rollout marks a notable shift from its initial positioning for higher-risk enterprise users, including executives, security teams and organisations handling sensitive material.
Lockdown Mode is designed to reduce the risk that malicious instructions hidden in web pages, files or connected services could cause ChatGPT to send sensitive information outside the conversation. The control does not claim to block every prompt injection attack, but it limits the final route through which stolen or exposed data might leave the system by restricting outbound network activity.
When enabled, the mode curbs or disables several ChatGPT capabilities that depend on live links to the internet or external services. Live web browsing is limited to cached content, meaning search results may be incomplete, unavailable or outdated. Deep Research is disabled, Agent Mode is turned off, Canvas-generated code cannot be approved for network access, and ChatGPT cannot download files for data analysis. Users can still upload files manually, and image generation remains available where the account otherwise supports it.
The change reflects a broader recalibration across the AI industry as assistants move from answering isolated prompts to handling tasks involving email, documents, websites, shopping, coding tools, workplace apps and external databases. These connections make systems more useful, but they also widen the attack surface. Prompt injection remains one of the most difficult security problems in AI because the harmful instruction may appear as ordinary content inside a page, document or tool output.
OpenAI’s approach is to trade some convenience for tighter control. A user working with sensitive internal documents, legal material, financial data, confidential reporting notes or business records may choose Lockdown Mode when the risk of external leakage outweighs the value of live web access or automated agent workflows. For ordinary queries, the setting may feel restrictive because several high-value ChatGPT tools become unavailable or limited.
The company has also positioned the feature as part of a layered defence system, rather than a standalone cure. Existing protections include sandboxing, restrictions against URL-based exfiltration, monitoring, enforcement mechanisms, enterprise controls, audit logs and role-based permissions. Lockdown Mode adds a more conservative operating state for users who want stronger boundaries around external interaction.
For personal and self-serve Business accounts, the feature can be turned on from Settings under Security. Once active, a status message appears above the composer. Users may disable it for an individual chat, allowing some flexibility when they need a less restricted session. Lockdown Mode and Developer Mode cannot run at the same time; switching on one turns off the other.
Managed workspaces have a different route. Administrators can use role-based access controls to create a custom Lockdown Mode role and assign it to members or groups. This allows organisations to apply stricter controls to selected employees rather than imposing the setting across an entire workspace. Administrators are also expected to review app permissions, connector access and write actions because app access inside ChatGPT does not override the permissions already set in the connected source system.
The connector rules are especially important for business users. For personal accounts and self-serve Business accounts, Lockdown Mode allows connectors that rely on synced data while blocking live connector access and connector write actions. Some connected experiences, including finance and shopping-agent functions, may be unavailable. In managed workspaces, apps, model context protocols and connectors depend on workspace settings and custom roles, so the restrictions may vary by organisation.
OpenAI has made clear that Lockdown Mode does not change every privacy or data setting. It does not alter memory, file uploads, conversation sharing, or whether chats may be used to improve models. Those controls remain separate and depend on the user’s account and workspace settings. It also does not affect Codex network access, which is governed by its own settings and elevated-risk warnings.
The wider release comes as AI providers face growing pressure to make security controls understandable to non-specialist users. Prompt injection can be difficult to explain because it does not always resemble a conventional hack. A hostile instruction may be embedded in a webpage, pasted text, email, document or third-party app output, then interpreted by the AI system as something to follow. The danger rises when an assistant has access to private context and tools capable of sending data elsewhere.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
