OpenAI shipped Lockdown Mode on February 13, a security setting that deterministically shuts down ChatGPT features attackers could exploit to steal data through prompt injection. The blog post frames it as protection for "a small set of highly security-conscious users," meaning executives and security teams who worry about sensitive conversations being siphoned out through ChatGPT's web and app connections.
When active, Lockdown Mode restricts web browsing to cached content only, so no live network requests leave OpenAI's infrastructure. Deep Research, Agent Mode, and Canvas networking are all disabled. ChatGPT can't return images in responses or download files for analysis. The logic is blunt but clear: if a feature could theoretically shuttle data to an attacker via an outbound request, it gets cut. OpenAI calls these "deterministic" restrictions, a notable word choice that signals hard blocks rather than model-level filters that might be circumvented.
There are gaps. Lockdown Mode doesn't prevent prompt injections from entering the context window in the first place. Cached browsing results could still contain malicious instructions. And connected apps (MCPs, connectors) aren't disabled by default, though admins can configure whitelists for specific apps and actions. The Help Center docs are candid: the mode "does not guarantee" exfiltration can't happen.
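A sketch of what a "deterministic" restriction means in practice, added here as an illustration and not OpenAI's implementation: the gate decides from request metadata alone, so nothing the model reads or writes can change the outcome. The feature labels and the `Policy`, `Request` and `decide` names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Features the article lists as disabled while Lockdown Mode is active.
# The string names are labels chosen for this sketch.
DISABLED = frozenset({"agent_mode", "deep_research", "canvas_network",
                      "image_response", "file_download"})

@dataclass(frozen=True)
class Request:
    feature: str                # capability the model wants to invoke
    live_network: bool = False  # would this leave the provider's infrastructure?
    app: str = ""               # connector name, when feature == "connector"
    action: str = ""            # connector action, e.g. "read" or "send"

@dataclass(frozen=True)
class Policy:
    lockdown: bool = True
    # None = admin configured nothing, so connectors stay enabled (the gap
    # the article notes). Otherwise: app name -> set of permitted actions.
    connector_allowlist: Optional[dict] = None

def decide(policy: Policy, req: Request) -> tuple[bool, str]:
    """Allow or deny from request metadata only; model text is never consulted."""
    if not policy.lockdown:
        return True, "lockdown off"
    if req.feature in DISABLED:
        return False, "feature disabled in lockdown"
    if req.feature == "web_browse":
        if req.live_network:
            return False, "live fetch blocked"
        # Cached content is served as-is; any instructions embedded in it
        # still reach the context window.
        return True, "cached content only"
    if req.feature == "connector":
        if policy.connector_allowlist is None:
            return True, "connectors not restricted by admin"
        allowed = policy.connector_allowlist.get(req.app, frozenset())
        if req.action in allowed:
            return True, "allowlisted app/action"
        return False, "app/action not on allowlist"
    # Memory, file uploads and conversation sharing are not disabled.
    return True, "not restricted by lockdown"
```

The two permissive branches (cached browsing and an unconfigured connector allowlist) correspond to the gaps described above.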
Right now it's limited to ChatGPT Enterprise, Edu, Healthcare, and Teachers plans. Consumer access is planned "in the coming months." Separately, OpenAI is rolling out Elevated Risk labels across ChatGPT, Atlas, and Codex, warning users before they enable features with unresolved security exposure. Those labels are meant to be temporary, removed once OpenAI's mitigations catch up.
Bottom Line
Lockdown Mode blocks live web requests and disables Agent Mode, Deep Research, and Canvas networking to prevent prompt injection data exfiltration on enterprise ChatGPT plans.
Quick Facts
- Announced February 13, 2026
- Available on: ChatGPT Enterprise, Edu, Healthcare, Teachers
- Consumer rollout planned in coming months
- Disables: live web browsing, Agent Mode, Deep Research, Canvas networking, image responses, file downloads
- Does not disable: memory, file uploads, conversation sharing, connected apps (admin-configurable)




