SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

OpenAI unveils Lockdown Mode to counter prompt attacks

Mon, 16th Feb 2026

OpenAI has introduced an optional security setting in ChatGPT called Lockdown Mode. It is also adding "Elevated Risk" labels to flag features that may expose users to higher security risks when AI systems connect to the web or third-party apps.

The update targets prompt injection attacks, in which an external party tries to manipulate a conversational AI system into following malicious instructions or disclosing sensitive information. OpenAI described prompt injection as a growing concern as AI products take on more complex tasks and gain broader access to networked resources.

Lockdown Mode

Lockdown Mode is aimed at a small group of users more likely to be targeted, such as executives and security teams. It is available on ChatGPT Enterprise, ChatGPT Edu, ChatGPT for Healthcare, and ChatGPT for Teachers. Workspace admins can enable it through role-based controls by creating a custom role and assigning selected users to it.

The setting restricts how ChatGPT interacts with external systems to reduce the chance that a prompt injection attack leads to data exfiltration from conversations or connected apps. It relies on deterministic constraints, with certain functions limited or disabled.

In Lockdown Mode, web browsing cannot access the live web. Browsing is limited to cached content, so no live network requests leave OpenAI's controlled network. Some features are disabled in cases where OpenAI says it cannot provide strong deterministic guarantees of data safety.

OpenAI said several capabilities are disabled in Lockdown Mode: ChatGPT responses cannot include images; Deep Research and Agent Mode are disabled; users cannot approve Canvas-generated code to access the network; and ChatGPT cannot download files for data analysis, though manually uploaded files can still be used.

OpenAI also clarified what Lockdown Mode does not cover. It does not deterministically prevent prompt injections from entering the context in the first place. For example, a prompt injection could still appear in cached browsing content. Instead, the control focuses on blocking outbound network requests that could transfer sensitive data to an attacker.

Lockdown Mode does not affect memory, file uploads, or the ability to share conversations, OpenAI said. Many of these settings remain configurable by workspace administrators. OpenAI also noted that Lockdown Mode does not affect network access in Codex.

Apps control

Connected apps, including connectors and MCPs, create a separate exposure because they can interact with the internet. Lockdown Mode does not disable apps by default; instead, app access remains under administrative control. Admins can choose which apps are available and which actions users can run while in Lockdown Mode.

OpenAI grouped app actions by risk. It described sync connectors and read actions in trusted apps as "Medium risk." It described write actions as inherently riskier because they create an observable side effect, and recommended enabling writes only when administrators are highly confident the effect cannot be observed by a malicious actor.

It also identified "High risk" scenarios it does not recommend for Lockdown Mode users, including read or write actions to untrusted apps, and write actions in trusted apps where the outcome may be visible to parties outside the trusted group.

OpenAI also pointed to the Compliance API Logs Platform for visibility into app usage, shared data, and connected sources, and said those logs are unaffected by Lockdown Mode.

Risk labels

Alongside Lockdown Mode, OpenAI is standardising "Elevated Risk" labels for certain existing features in ChatGPT, ChatGPT Atlas, and Codex. The labels are intended to provide consistent guidance in the product interface when a feature introduces additional security risk.

As an example, OpenAI cited Codex, where developers can grant network access so the system can take actions on the web, such as looking up documentation. It said the relevant settings screen includes an "Elevated Risk" label and explains what changes when network access is enabled and when that access is appropriate.

OpenAI said some network-related capabilities introduce risks that current industry mitigations do not fully address. It added that some users may accept these risks, particularly when balancing usefulness against exposure while working with private data.

Availability plans

OpenAI plans to make Lockdown Mode available to consumers in the coming months. It also said it will remove "Elevated Risk" labels once it determines security advances have sufficiently mitigated the associated risks for general use, and will update which features carry the label over time.