ChatGPT Lockdown Mode is now available to personal accounts — here's what it does and who needs it
OpenAI's Lockdown Mode, a security setting that blocks live web access and agentic features to defend against prompt injection, is now available to all personal ChatGPT plans.
OpenAI has rolled out ChatGPT Lockdown Mode to personal accounts. Previously limited to enterprise customers since its February 2026 launch, it is now available on Free, Go, Plus, Pro, and self-serve ChatGPT Business plans as of June 4, 2026.
It is an optional, opt-in setting. Most users will never need it. But if you handle sensitive data and use ChatGPT’s connected features regularly, it is worth understanding what it does and why it exists.
The problem it solves
As ChatGPT has gained capabilities like web browsing, deep research, and agent mode, a specific category of attack has become more relevant: prompt injection.
The short version is this. When an AI system processes content from the web or external files, a malicious actor can embed hidden instructions in that content. The model reads the page or document, encounters the injected instruction, and may follow it, which can include forwarding sensitive information from your conversation to an attacker-controlled destination.
Security researcher Simon Willison describes the worst-case version as a “Lethal Trifecta”: a system that has access to private data, processes untrusted external content, and has a mechanism to transmit data outward. ChatGPT’s connected features, by their nature, can tick all three boxes.
This is not a hypothetical concern. Researchers have demonstrated similar attacks against AI agents from multiple major vendors, resulting in paid bug bounties. The underlying problem is structural: large language models cannot reliably distinguish between data they are processing and instructions they should follow.
What Lockdown Mode actually does
Lockdown Mode addresses this by deterministically removing the tools an attacker could exploit. When enabled, the following capabilities are disabled:
- Live web browsing — replaced with cached content only, so no live network requests leave OpenAI’s infrastructure
- Deep research — fully disabled
- Agent mode — fully disabled
- Canvas networking — code in Canvas cannot access the network
- File downloads — ChatGPT cannot download files for analysis, though you can still upload files manually
- Some web-derived image support — ChatGPT may not retrieve images from the web, though you can still upload and generate images
What it does not touch: memory, file uploads, conversation sharing, and whether your data is used for model training. Those settings remain unchanged.
One important note: Lockdown Mode reduces the risk of prompt-injection-based data exfiltration, but it does not eliminate it entirely. A prompt injection can still appear in cached web content or in an uploaded file and affect the accuracy or behaviour of a response. OpenAI is explicit about this. The goal is to remove the exfiltration routes, not to make the model injection-proof.
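The sketch below is an added example, not OpenAI code. It models the capabilities listed above as contributors to the three "Lethal Trifecta" legs and shows which legs survive when Lockdown Mode is on. The feature names and the legs assigned to each are assumptions drawn from this article's wording.

```python
# Added illustration: a simplified model of the capabilities the article lists.
# Feature names and leg assignments are assumptions, not an OpenAI API or an
# official classification. The partial web-image restriction is left out.
PRIVATE, UNTRUSTED, EGRESS = "private data", "untrusted content", "outbound channel"

# name -> (legs contributed normally, legs left with Lockdown Mode on)
CAPABILITIES = {
    "conversation":   ({PRIVATE}, {PRIVATE}),
    "memory":         ({PRIVATE}, {PRIVATE}),              # untouched by Lockdown Mode
    "file_upload":    ({UNTRUSTED}, {UNTRUSTED}),          # untouched; can carry injections
    "web_browsing":   ({UNTRUSTED, EGRESS}, {UNTRUSTED}),  # cached content only
    "deep_research":  ({UNTRUSTED, EGRESS}, set()),        # fully disabled
    "agent_mode":     ({UNTRUSTED, EGRESS}, set()),        # fully disabled
    "canvas_network": ({EGRESS}, set()),                   # Canvas code loses network
    "file_download":  ({UNTRUSTED, EGRESS}, set()),        # disabled
}

def assess(lockdown):
    """Return which trifecta legs remain and which features supply each one."""
    suppliers = {PRIVATE: [], UNTRUSTED: [], EGRESS: []}
    for name, (normal, locked) in CAPABILITIES.items():
        for leg in (locked if lockdown else normal):
            suppliers[leg].append(name)
    present = {leg for leg, names in suppliers.items() if names}
    return {
        "trifecta": present == {PRIVATE, UNTRUSTED, EGRESS},
        "injection_possible": bool(suppliers[UNTRUSTED]),
        "exfil_routes": sorted(suppliers[EGRESS]),
        "suppliers": suppliers,
    }

if __name__ == "__main__":
    for mode in (False, True):
        r = assess(mode)
        print(f"lockdown={mode}: trifecta={r['trifecta']}, "
              f"injection_possible={r['injection_possible']}, "
              f"exfil_routes={r['exfil_routes']}")
```

With Lockdown Mode on, the model still reports untrusted content reaching the assistant, which matches the caveat above: the outbound leg is removed, the injection surface is not.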
How to turn it on
For personal accounts and self-serve ChatGPT Business accounts, the path is straightforward:
- Open Settings
- Select Security
- Under Advanced Security, toggle on Lockdown Mode
- Confirm in the modal
You can also turn it off temporarily for a specific chat if you need full functionality for a particular conversation, without disabling it globally.
One constraint worth knowing: Lockdown Mode and Developer Mode are mutually exclusive. Enabling one turns off the other.
For enterprise and workspace admins
Enterprise, Edu, Healthcare, and Teachers plan admins have had access to Lockdown Mode since February. The configuration approach is more granular here, using role-based access controls (RBAC).
Rather than a single toggle, admins create a custom role designated as a Lockdown Mode role and assign members or groups to it. This allows organisations to apply the restriction selectively, for example to executives, legal teams, or anyone regularly working with confidential material, without affecting the rest of the workspace.
Enterprise admins also retain more control over which connected apps and actions remain available within Lockdown Mode. OpenAI classifies these into risk tiers:
- High risk: read or write actions for untrusted apps. Explicitly not recommended in Lockdown Mode.
- Medium risk: sync connectors and read actions for trusted apps. Lower exfiltration risk but can still expose sensitive source data.
- Lower risk: write actions for trusted apps, only where side effects are visible solely to trusted parties.
Before assigning members to a Lockdown Mode role, admins should review which apps and actions the role permits and confirm members still have the access they need in each connected system.
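One way to run that review, as an added example that is not OpenAI's tooling: the classifier below encodes the three tiers as this article states them and reports any combination the article does not place in a tier as unclassified. The record format, app names and sample role are constructed, and treating unclassified entries as blockers is a conservative assumption.

```python
# Added illustration: the tiers follow the article's three bullets. The record
# format, app names and role contents are constructed, not an OpenAI schema.
from collections import defaultdict

def classify(trusted, kind, effects_trusted_only=False):
    """kind is 'read', 'write' or 'sync'. Returns the article's tier name, or
    'unclassified' for combinations the article does not place in a tier."""
    if not trusted:
        return "high" if kind in ("read", "write") else "unclassified"
    if kind in ("read", "sync"):
        return "medium"
    if kind == "write" and effects_trusted_only:
        return "lower"
    return "unclassified"  # e.g. trusted write with externally visible effects

def audit_role(actions):
    """Group a role's permitted actions by tier. Entries that are 'high' or
    'unclassified' are returned as blockers to resolve before assignment."""
    report = defaultdict(list)
    for a in actions:
        tier = classify(a["trusted"], a["kind"], a.get("effects_trusted_only", False))
        report[tier].append(f'{a["app"]}:{a["kind"]}')
    blockers = report["high"] + report["unclassified"]
    return dict(report), blockers

# Constructed sample role definition (hypothetical apps).
SAMPLE_ROLE = [
    {"app": "internal-wiki", "trusted": True, "kind": "sync"},
    {"app": "internal-wiki", "trusted": True, "kind": "read"},
    {"app": "ticketing", "trusted": True, "kind": "write", "effects_trusted_only": True},
    {"app": "mailer", "trusted": True, "kind": "write", "effects_trusted_only": False},
    {"app": "third-party-notes", "trusted": False, "kind": "read"},
]

if __name__ == "__main__":
    tiers, blockers = audit_role(SAMPLE_ROLE)
    for tier in ("high", "medium", "lower", "unclassified"):
        print(f"{tier:12} {tiers.get(tier, [])}")
    print("resolve before assigning members:", blockers)
```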
Elevated Risk labels
Alongside Lockdown Mode, OpenAI is rolling out standardised “Elevated Risk” labels for a short list of existing capabilities across ChatGPT, ChatGPT Atlas, and Codex. These labels signal that a feature carries risks not yet fully addressed by current industry mitigations. Each label typically links to guidance on what the risk involves.
OpenAI has stated these labels are temporary and will be removed as security improvements reduce the associated risks.
Who should actually use this
OpenAI is clear that Lockdown Mode is designed for a specific type of user: executives, security professionals, and people at prominent organisations who regularly work with sensitive information in ChatGPT. For most everyday users, it is not necessary, and the trade-off of losing live browsing, research, and agents is significant.
If you are using ChatGPT mostly for writing, coding, or general Q&A, there is no pressing reason to enable it. If you are pasting in confidential documents, discussing unreleased product details, or using ChatGPT in a professional context where data exposure would be a serious problem, it is worth considering.
The feature is available now. If it applies to your situation, it takes about thirty seconds to enable.