OpenAI deployed two security features targeting prompt injection attacks that exploit AI systems’ growing connectivity to external networks and applications. Lockdown Mode and Elevated Risk labels, announced last week, represent a shift from relying solely on model training to implementing deterministic infrastructure controls that physically prevent data exfiltration regardless of prompt manipulation.
What You Need to Know About the Lockdown Mode
Lockdown Mode is an optional security setting designed for high-risk users including executives and security teams at prominent organizations who require protection against advanced threats. The feature tightly constrains how ChatGPT interacts with external systems through deterministic restrictions that eliminate attack surfaces prompt injection exploits.
The mode’s core protection mechanism limits web browsing to cached content only. No live network requests leave OpenAI’s controlled network, preventing attackers from tricking ChatGPT into sending sensitive conversation data to external servers. This addresses scenarios where malicious websites contain hidden instructions designed to manipulate AI into exfiltrating confidential information through browsing activity.
Additional restrictions disable capabilities that cannot provide “strong deterministic guarantees of data safety.” ChatGPT responses cannot include images, Deep Research and Agent Mode are disabled, users cannot approve Canvas-generated code for network access, and the system cannot download files for data analysis, though manually uploaded files remain usable.
Workspace administrators on ChatGPT Enterprise, Edu, Healthcare and Teachers plans activate Lockdown Mode by creating specialized roles through Workspace Settings. Admins retain granular control over which apps and specific actions remain available even when Lockdown Mode is engaged. The Compliance API Logs Platform provides visibility into app usage, shared data and connected sources.
OpenAI said Lockdown Mode is not necessary for most users. The feature targets a small subset of highly security-conscious individuals who face elevated targeting risk and handle exceptionally sensitive organizational data. The company plans consumer availability in coming months following the enterprise rollout.
Also read: OpenAI Launches Trusted Access for Cyber to Expand AI-Driven Defense While Managing Risk
All About Elevated Risk Labels
Complementing Lockdown Mode’s preventative approach, Elevated Risk labels provide transparency about features introducing unresolved security vulnerabilities. The standardized labeling system appears across ChatGPT, ChatGPT Atlas and Codex whenever users enable network-related capabilities that may increase exposure.
In Codex, OpenAI’s coding assistant, developers can grant network access so the system can look up documentation or interact with websites. The settings screen now displays an Elevated Risk label explaining what changes when network access is enabled, what threats it introduces and when that access is appropriate. The labels represent educational signals rather than prohibitions, empowering users to make informed decisions about risk acceptance.
OpenAI stated it will remove Elevated Risk labels as security advances mitigate identified threats, and will continue updating which features carry labels to best communicate risk. The dynamic labeling approach acknowledges that some network-related capabilities introduce risks current industry mitigations do not fully address.
The security enhancements build on existing protections including sandboxing, protections against URL-based data exfiltration, monitoring and enforcement systems, and enterprise controls like role-based access and audit logs. The layered approach reflects recognition that as AI systems become more capable and connected, single-point security controls prove insufficient.
An Effort to Negate Prompt Injection Attacks
Prompt injection attacks manipulate AI systems by embedding malicious instructions in external content that conversational models process. When ChatGPT accesses web pages, reads documents or interacts with third-party applications, attackers can hide commands within that content designed to override the system’s intended behavior. Successful attacks extract conversation history, connected app data or sensitive organizational information without user awareness.
The vulnerability stems from language models’ inability to reliably distinguish between legitimate instructions from system prompts and malicious instructions embedded in user-supplied or externally sourced content. Traditional security measures focusing on input validation and output filtering have proven inadequate because sophisticated prompt injection techniques can bypass content-level filters.
OpenAI’s infrastructure-level restrictions in Lockdown Mode sidestep this challenge by physically preventing the actions attackers attempt to trigger. Rather than trusting the model to refuse malicious requests, the system architecture makes those requests impossible to execute regardless of prompt manipulation sophistication.
