ChatGPT Lockdown Mode — OpenAI's Strongest Defense Against Prompt Injection

The Threat That Made This Necessary

As AI systems evolve from passive chatbots into active agents capable of executing complex workflows — browsing the web, reading emails, querying databases, deploying code — a new class of attack has emerged: prompt injection. A malicious prompt embedded in a webpage or document can trick the AI into ignoring its security guardrails, leaking sensitive data, or executing unauthorized actions on behalf of an attacker. OpenAI's response, announced in February 2026, is two new security controls that address this threat at the infrastructure level, not just the model level.

Lockdown Mode: A Deterministic Shield

Lockdown Mode is an optional, advanced security setting designed for a specific profile of user: executives, security teams, and high-risk roles at prominent organizations who require protection against sophisticated threats. It is not for everyone — and OpenAI is deliberate about that framing.

What makes it different from other security features is the word deterministic. Rather than relying on the model to "refuse" malicious instructions — which can be bypassed through clever prompting — Lockdown Mode operates at the infrastructure level, cutting off the attack surface entirely:

• Web browsing is restricted to cached content only — no live network requests leave OpenAI's controlled network, blocking data exfiltration via browsing
• High-risk tools are disabled entirely when strong safety guarantees cannot be provided
• Connected app interactions are tightly constrained to admin-approved actions only

The key insight here is that security-conscious organizations don't want AI that tries to be safe — they want AI that cannot be unsafe, regardless of what instructions it receives. Lockdown Mode is OpenAI's answer to that demand.

Elevated Risk Labels: Transparency at the Point of Action

Not every risky action warrants full lockdown. For the vast majority of use cases, OpenAI's second feature takes a more surgical approach: standardized "Elevated Risk" labels that appear across ChatGPT, ChatGPT Atlas, and Codex whenever a user is about to engage a capability with elevated security implications.

These labels appear in contexts such as:

• Granting Codex network access to look up documentation or take web actions
• Connecting ChatGPT to internal databases or proprietary codebases
• Authorizing autonomous actions like sending emails or deploying code
• Opening external links that OpenAI cannot verify as safe

Crucially, the labels are not static. As OpenAI's security capabilities improve and a previously risky action can be guaranteed safe, the label is removed. This creates a living security system that evolves alongside the threat landscape rather than freezing security posture at a fixed point in time.

Why This Matters Now

The timing of this launch reflects a broader maturation of the AI industry. In 2025, the focus was on raw capability — what can the model do? In 2026, the question enterprises are asking is: what can the model not do, and can we trust that guarantee? OpenAI's December 2025 cybersecurity assessment warned that upcoming models pose "high" risk, potentially capable of developing zero-day exploits or assisting complex intrusion operations. Lockdown Mode and Elevated Risk labels are a direct response to that honest self-assessment.

A finance department can now keep natural-language summarization active while disabling live browsing and code-generation tools that might expose proprietary data. A hospital can use ChatGPT for Healthcare with Lockdown Mode enabled and be confident that even a sophisticated prompt injection attack cannot exfiltrate patient records. That specificity of control — preserving utility while eliminating specific attack surfaces — is exactly what enterprise AI deployments have been demanding since the technology's inception.

Availability

Both features launched in February 2026. Lockdown Mode is available for ChatGPT Enterprise, Edu, Healthcare, and Teachers plans, enabled by workspace administrators through role-based access controls. Elevated Risk labels are live across ChatGPT, ChatGPT Atlas, and Codex for all applicable tiers. OpenAI has indicated plans to extend Lockdown Mode to consumer users in the coming months.

The era of AI security as an afterthought is ending. OpenAI is signaling — clearly — that the next phase of AI adoption requires not just smarter models, but provably safer ones.