OpenAI rolls out Lockdown Mode against prompt injection

OpenAI is rolling out Lockdown Mode on ChatGPT Business and eligible personal accounts, to limit exposure to prompt injection attacks. The mode shuts off live web browsing, image retrieval, deep research and agent mode. Lockdown Mode targets organizations handling sensitive data.

Key Takeaways

• Lockdown Mode is a stricter security posture for ChatGPT Business and eligible personal accounts.
• It disables live web browsing, image retrieval, deep research and agent mode.
• OpenAI says Lockdown Mode “is not intended for everyone”, only for orgs handling sensitive data.

What Lockdown Mode actually turns off

Announced on June 6, 2026, Lockdown Mode is a new ChatGPT security posture. It activates from the user side or the admin side, depending on the account type. The intent is explicit: cut the attack surface usable through prompt injections, which are hidden instructions buried in a webpage or in an uploaded file.

A prompt injection hides a malicious order inside content, so the AI agent executes it as if reading a legitimate instruction. The technique has become the top risk for enterprise AI deployments over the last 18 months.

Concretely, Lockdown Mode disables four sensitive features: live web browsing (cached content stays accessible), image retrieval and display from the web, the deep research function, and agent mode. Each of those is a known injection vector for prompt injection payloads.

The mode is available on ChatGPT Business through self-serve, and on eligible personal ChatGPT accounts. OpenAI did not detail the eligibility criteria on the personal side. Activation stays an opt-in choice. The default mode does not change.

OpenAI acknowledges a limit upfront: Lockdown Mode “could still be vulnerable to prompt injections” hiding in cached content or uploaded files. The promise is to reduce exposure probability, not to wipe it out.

A signal on enterprise risk maturity

Lockdown Mode is not a random launch. Several recent public incidents showed that a booby-trapped webpage could exfiltrate data via an AI agent. Incident costs for enterprises were starting to outweigh productivity gains on some sensitive deployments.

OpenAI’s stance is clear: cut rather than filter. Disabling whole features is easier to audit than a fine-grained filter. That choice matches an explicit CISO demand: a binary toggle compliance teams can grasp, not a parameter set open to interpretation.

The AI cybersecurity angle overlaps the recent Anthropic mapping. We covered it in our piece on MITRE ATT&CK and the Anthropic AI cyber threats overview. The pace of new attack patterns justifies a platform-side response, not just a CISO-side one.

For competitors, pressure rises. Anthropic, Google and Microsoft will likely announce an equivalent over the coming weeks. Missing an equivalent mode would become a commercial liability in enterprise security RFPs.

Also on Horizon:

• Google SpaceX deal: $920M/month to plug AI compute
• Poke becomes first AI agent live on Apple iMessage
• Meta Tent Data Centers Power Its $145B AI Push

What it changes for enterprise AI rollouts

Short term, Lockdown Mode changes the conversation between IT and business teams. Teams can now document a strict default posture on sensitive use cases. Compliance sign-off gets simpler, which will unlock deployments that had been stuck for months.

Over three to six months, the issue shifts to AI agents. Agent mode, disabled by Lockdown Mode, is exactly the layer every vendor is pushing. OpenAI signals that agents and sensitive data do not yet mix safely. That contradicts the standard product narrative.

For AI security tooling vendors, Lockdown Mode opens a real market. Prompt injection detection tools, until now stuck in research, gain an operational reason to exist next to platform mode. AI SOC vendors will likely speed up their roadmap.

For end users, the trade-off is explicit. Turning on Lockdown Mode means giving up web browsing and agents on some tickets. OpenAI owns the trade-off out loud: security against features, ChatGPT offers the choice without forcing it.

For IT buyers, the call is immediate: Lockdown Mode is now an RFP checkbox. Any vendor missing it within six months falls behind contractually. The market just shifted from an optional defensive posture to an implicit standard.

Follow the story on Horizon.