Our Take
Lockdown Mode is damage control, not a fix: it reduces the surface area for prompt injection but admits outright that injections can still occur in cached content and uploaded files.
Why it matters
Teams handling regulated data (legal, healthcare, financial) now have a toggleable isolation layer, but the feature's own caveats signal that prompt injection remains a fundamental architectural problem, not a solved one.
Do this week
Security leads: audit which workflows actually need Lockdown Mode (web-dependent queries will fail) and test with your cached content before rolling out to users.
OpenAI launches Lockdown Mode for sensitive-data workflows
OpenAI announced Lockdown Mode, a new setting for ChatGPT that restricts several features to reduce exposure from prompt injection attacks. The mode disables live web browsing (cached content only), image retrieval from the web, deep research, and agent mode. The company is currently rolling it out to ChatGPT Business accounts and select personal accounts.
OpenAI was explicit about what Lockdown Mode does not do. The company stated: "Even with Lockdown Mode turned on, ChatGPT could still be vulnerable to prompt injections, which could appear in cached web content or in an uploaded file, and could still affect the behavior or accuracy of a response." The goal is to reduce the likelihood that sensitive data gets shared, not to eliminate the attack vector.
The feature is narrowly scoped. OpenAI said it is "not intended for everyone" and is "designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."
The core trade: capability for containment
Lockdown Mode works by reducing attack surface. Disabling web access, image retrieval, and agent mode removes common injection entry points. But this is containment, not a fix for the underlying weakness. The attack surface shrinks, but the vulnerability persists in the two places most organizations cannot eliminate: cached content and file uploads.
This framing matters. OpenAI is not claiming it solved prompt injection. It is offering a risk-reduction setting for teams whose data sensitivity demands isolation, even if isolation is incomplete. Organizations handling PII, legal contracts, or health records now have a formally supported option to degrade ChatGPT's capabilities in exchange for lower exfiltration risk.
The admission that injections can still occur in uploaded files is particularly relevant. Many use cases that drive enterprise adoption (document analysis, contract review, knowledge-base queries) rely entirely on file upload. Lockdown Mode protects some workflows but leaves others exposed.
For practitioners: test the perimeter
Teams considering Lockdown Mode should map which workflows actually depend on live web access, image retrieval, or agent behavior. For document-heavy use cases (legal review, financial analysis, HR workflows), the mode may cause no functional loss. For research and discovery work, it will break critical paths.
Run a pilot with a subset of users. Measure where the feature prevents data leakage and where it merely shifts risk to cached content or file-based injections. Document which queries fail and whether the compliance benefit justifies the capability gap.
This is not a feature that solves prompt injection for everyone. It is a tool for teams that have mapped their injection risk and decided that disabling certain capabilities is worth the trade.