Lockdown Mode is rolling out to eligible personal accounts, including Free, Go, Plus, and Pro, and self-serve ChatGPT Business accounts. If you do not see Lockdown Mode in your settings, it may not be available for your account yet.
Overview
Lockdown Mode is an optional advanced security setting that limits many tools and capabilities in OpenAI products that can connect to the web or external services. It is designed to reduce the risk of data exfiltration from prompt injection attacks by limiting outbound network requests, at the expense of disabling or limiting some useful features.
Lockdown Mode is not intended for everyone. It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection.
Availability
Lockdown Mode is available for all account types and workspaces. You must be logged in to use it.
How Lockdown Mode helps reduce data exfiltration risk
Prompt injection is a frontier, challenging research problem, and we are continually working to harden our multi-layered security and safety systems to protect users from such attacks.
Lockdown Mode builds on protections across the model, product, and system levels. This includes sandboxing, protections against URL-based data exfiltration, monitoring and enforcement, and enterprise controls like role-based access and audit logs.
Lockdown Mode is designed to help prevent the final stage of data exfiltration from a prompt injection attack by limiting outbound network requests that could transfer sensitive data to an attacker. Lockdown Mode does not prevent prompt injections from appearing in the content ChatGPT processes. For example, a prompt injection could appear in cached web content or in an uploaded file, and could still affect the behavior or accuracy of a response.
Specifically, for those in Lockdown Mode, the following capabilities of OpenAI products are disabled or limited:
Live web browsing: Web browsing is limited to accessing only cached content. Search results may be limited, unavailable, or stale.
Image support: ChatGPT may not display images in regular responses or retrieve images from the web. Users can still upload image files, and image generation remains available where it is otherwise available.
Deep research: Deep research is disabled.
Agent mode: Agent mode is disabled.
Canvas networking: Users cannot approve Canvas-generated code to access the network.
File downloads: ChatGPT cannot download files for data analysis. ChatGPT can still operate on your manually uploaded files.
Lockdown Mode does not change memory, file uploads, the ability to share a conversation, or whether your conversations may be used to improve models. Many of these settings are separately configurable by workspace admins.
Lockdown Mode does not affect network access in Codex.
Apps
How apps and connectors work in Lockdown Mode depends on your account type and workspace settings.
For personal accounts and self-serve ChatGPT Business accounts, Lockdown Mode allows connectors that use synced data but blocks live connector access and connector write actions. Some connected experiences, including Finances in ChatGPT and shopping-agent experiences, are unavailable in Lockdown Mode.
For managed workspaces, apps, MCPs, and connectors are controlled by workspace settings and role-based access controls. Lockdown Mode does not automatically disable every app in these workspaces. Workspace admins should enable only the trusted apps and actions that members using Lockdown Mode need.
For managed workspace troubleshooting, review the member's role and app settings together. A member may be unable to use an app, connector, MCP, or action if:
the member or group is assigned to a Lockdown Mode role that limits the required capability
the app is not assigned to the member, group, or role
the required read or write action is not enabled
the member does not have access to the underlying file, repository, channel, record, or source system
App access in ChatGPT does not override permissions in the connected source system. For more information about assigning roles, see: RBAC.
When configuring apps for members using Lockdown Mode, admins should consider the data exfiltration risk of each app and action.
High risk
These apps and actions are not recommended for users in Lockdown Mode:
Read or write actions for untrusted apps are not recommended. Enable only apps you trust.
Write actions for trusted apps with broad or uncertain visibility are not recommended. Avoid enabling write actions, even for trusted apps, if you cannot confirm that the side effect is hidden from a malicious actor.
Medium risk
Use these with caution for users in Lockdown Mode:
Sync connectors are lower risk as a possible data exfiltration sink because the data being accessed is already synced to OpenAI, so queries do not send live network requests outside OpenAI. They can still act as sources of sensitive data that a malicious actor may try to exfiltrate.
Read actions for trusted apps are lower risk as a possible data exfiltration sink because they do not create write-side effects. They can still act as sources of sensitive data that a malicious actor may try to exfiltrate.
Write actions for trusted apps with limited visibility are higher risk than read actions because they create side effects. Enable these only when you are confident that any side effect is visible only to people you trust, not to a malicious actor.
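The High and Medium guidance above, applied to a list of enabled app actions, as an added example that is not OpenAI code or an OpenAI export format. The AppAction record, its field names, and the sample app names are hypothetical; a write whose visibility was never assessed is treated as "uncertain" and lands in the high tier.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical inventory record for this example; not an OpenAI export format.
@dataclass(frozen=True)
class AppAction:
    app: str
    kind: str                         # "sync", "read" or "write"
    trusted: bool                     # the admin's own trust decision for the app
    visibility: Optional[str] = None  # writes only: "limited", "broad", or None if unknown

def classify(a: AppAction) -> tuple[str, str]:
    """Return (tier, reason) following the High/Medium guidance above."""
    if a.kind not in ("sync", "read", "write"):
        return "high", "unknown action kind, treated as not recommended"
    if not a.trusted:
        # Assumption: synced data from an untrusted app is handled like any untrusted action.
        return "high", "untrusted app: read or write actions not recommended"
    if a.kind == "sync":
        return "medium", "synced data: lower sink risk, still a source of sensitive data"
    if a.kind == "read":
        return "medium", "trusted read: no write side effect, still a source of sensitive data"
    if a.visibility == "limited":
        return "medium", "trusted write whose side effect is visible only to trusted people"
    return "high", "trusted write with broad or uncertain visibility"

def audit(inventory):
    """Return [(app, kind, tier, reason)], high-risk entries first."""
    rows = [(a.app, a.kind, *classify(a)) for a in inventory]
    return sorted(rows, key=lambda r: (r[2] != "high", r[0], r[1]))

# Constructed sample inventory (app names are made up).
SAMPLE = [
    AppAction("wiki-sync", "sync", trusted=True),
    AppAction("tracker", "read", trusted=True),
    AppAction("tracker", "write", trusted=True, visibility="limited"),
    AppAction("chat-poster", "write", trusted=True, visibility="broad"),
    AppAction("crm", "write", trusted=True),  # visibility never assessed
    AppAction("free-plugin", "read", trusted=False),
]

if __name__ == "__main__":
    for app, kind, tier, reason in audit(SAMPLE):
        print(f"{tier.upper():6} {app:12} {kind:5} {reason}")
```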
Separately from Lockdown Mode, the Compliance API Logs Platform provides detailed visibility into app usage, shared data, and connected sources to help admins maintain oversight. For more information about app usage logs, see: Compliance API for Enterprise customers.
Turn on Lockdown Mode
Personal and self-serve ChatGPT Business accounts
For eligible personal accounts and self-serve ChatGPT Business accounts:
Go to Settings.
Select Security.
Under Advanced security, turn on Lockdown Mode.
In the confirmation modal, select Turn on.
Lockdown Mode and Developer Mode cannot be used at the same time. Turning on Lockdown Mode turns off Developer Mode. Turning on Developer Mode later turns off Lockdown Mode.
When Lockdown Mode is on, a status message appears above the composer. To turn it off for only one chat, select Manage in that status message and then select Turn off for this chat. You can also open the more options menu (•••), select Lockdown, then select Disabled. To turn it back on for that chat, select Lockdown, then select Enabled.
Managed workspaces
Workspace admins can create a custom role and designate it as a “Lockdown Mode” role, then assign members or groups to it.
FAQ
Who can turn on Lockdown Mode?
Users on eligible personal accounts and self-serve ChatGPT Business accounts can turn on Lockdown Mode in Settings > Security when it is available for their account. Workspace admins can enable Lockdown Mode for managed workspace members using role-based access controls.
Does Lockdown Mode turn off training?
No. Lockdown Mode does not change whether your conversations may be used to improve models. You can manage this separately in data controls. Workspace data controls continue to depend on the workspace plan and settings.
Can I use image generation in Lockdown Mode?
Yes. Lockdown Mode limits image support in regular ChatGPT responses and web-derived images, but it does not turn off image generation.
Can I turn off Lockdown Mode for one chat?
Yes. When Lockdown Mode is on, select the Lockdown tab above the composer and select Turn off for this chat. You can also open the more options menu (•••), select Lockdown, then select Disabled. This changes only the current chat.
Does Lockdown Mode affect Codex?
No. Lockdown Mode does not affect network access in Codex.
Does Lockdown Mode prevent all prompt injection attacks?
Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration in ChatGPT and supported OpenAI products, but it does not guarantee data exfiltration cannot happen. Risk may remain through enabled Apps, unforeseen combinations of capabilities, or newly discovered techniques.
Lockdown Mode also does not prevent all other effects of prompt injection attacks. For example, a malicious instruction hidden in an uploaded file could still affect ChatGPT’s behavior and cause an incorrect answer.
Is prompt injection a major risk?
Prompt injection is not currently a major risk, but its impact could grow as attackers develop more sophisticated methods.
Does Lockdown Mode change what gets logged in the Compliance API Logs Platform?
No. The Compliance API Logs Platform provides detailed visibility into app usage, shared data, and connected sources. These logs are not changed by Lockdown Mode.
