OpenAI Help: Lockdown Mode

2026-06-05 · Source: Simon Willison's Weblog · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Intermediate, quick

Summary

OpenAI has launched "Lockdown Mode" for ChatGPT, a security feature first teased in February and now rolling out to eligible personal accounts (Free, Go, Plus, Pro) and self-serve ChatGPT Business accounts. This mode specifically aims to prevent the final stage of data exfiltration resulting from prompt injection attacks by restricting outbound network requests that could transfer sensitive data to an attacker. It is crucial to note that Lockdown Mode does not prevent prompt injections from appearing in content ChatGPT processes, nor does it affect the behavior or accuracy of responses influenced by such injections. The feature directly addresses the "Lethal Trifecta" by cutting off data exfiltration vectors, implying that default ChatGPT settings may not offer robust protection against determined data theft. OpenAI CISO Dane Stuckey clarified that Lockdown Mode targets users with an elevated risk profile, who prioritize security despite potential tradeoffs in functionality and utility.

Key takeaway

For AI Security Engineers evaluating LLM deployments handling sensitive data, you should enable OpenAI's Lockdown Mode for ChatGPT. This feature directly mitigates data exfiltration risks from prompt injection attacks by restricting outbound network requests. While this mode involves functionality tradeoffs, for high-risk profiles, the enhanced security against the "Lethal Trifecta" is a worthwhile compromise. You must also recognize that default ChatGPT settings may not provide robust protection against determined exfiltration attempts.

Key insights

OpenAI's Lockdown Mode prevents data exfiltration from prompt injections by limiting outbound network requests, mitigating a key "Lethal Trifecta" risk.

Principles

• Restrict data exfiltration to mitigate LLM "Lethal Trifecta."
• Deterministic, non-AI evaluated mechanisms enhance security.
• Default LLM settings may lack robust exfiltration protection.

Method

Lockdown Mode prevents data exfiltration by limiting outbound network requests, blocking the final stage of prompt injection attacks. This mechanism is deterministic and not AI-evaluated, enhancing reliability against subversion.

In practice

• Enable Lockdown Mode for elevated risk profiles.
• Accept functionality tradeoffs for enhanced security.
• Evaluate default LLM security for sensitive data.

Topics

• OpenAI
• ChatGPT
• Lockdown Mode
• Prompt Injection
• Data Exfiltration
• LLM Security
• Lethal Trifecta

Best for: CTO, VP of Engineering/Data, Executive, AI Security Engineer, Software Engineer, Director of AI/ML

Related on AIssential

• OpenAI unveils Lockdown Mode to protect sensitive data from prompt injection attacks — OpenAI's Lockdown Mode offers enhanced, but not absolute, protection against prompt injection for sensitive data handlers by disabling certain features.
• Introducing Lockdown Mode and Elevated Risk labels in ChatGPT — New OpenAI features enhance security against prompt injection by restricting external interactions and labeling risky capabilities.
• The 3 Invisible Risks Every LLM App Faces (And How to Guard Against Them) — LLM applications introduce unique security risks requiring specialized guardrails beyond traditional software security.
• Pretraining Data Filtering for Open-Weight AI Safety — Pretraining data filtering effectively builds tamper-resistant safeguards into open-weight LLMs by preventing undesirable knowledge acquisition.
• OpenAI's ChatGPT 5.5 Instant: The Good, The Bad And The Insane — Instant GPT models are achieving near-expert performance while halving medical hallucination rates, but require external safety classifiers.
• How to use ChatGPT: A beginner's guide to mastering OpenAI's chatbot in 2026 — ChatGPT offers tiered access to advanced AI capabilities for diverse tasks, from basic queries to complex research and automation.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.