OpenAI's Lockdown Mode disables live browsing, deep research, agent mode, image retrieval, and file downloads. Everything that makes a web agent act like a web agent, turned off to keep data from leaving after a prompt injection attack.
OpenAI is candid about what remains. "Lockdown Mode does not prevent prompt injections from appearing in the content ChatGPT processes," their documentation states. A malicious instruction embedded in a cached page or uploaded file still reaches the model, still shapes its reasoning, still degrades accuracy. The agent can be manipulated into producing wrong outputs. It just can't send your data to an attacker's server.
So the containment works. But it works by removing the agent's reach, which was the point of having an agent. OpenAI's own framing: users "trade elements of product functionality for stricter product guardrails." The agent still ingests poisoned content and still acts on bad instructions. It's in the room with the liar. It just can't call anyone about what it heard.
Disabled in Lockdown Mode Live web browsing, deep research, agent mode, image retrieval, Canvas networking, file downloads
Still available Cached browsing, file uploads, image generation, memory
What OpenAI acknowledges "Prompt injection is a frontier, challenging research problem" with no claimed solution
The residual risk Injections in cached pages or uploaded files still affect model behavior and response accuracy
Who it's for Users and organizations handling sensitive data who want exfiltration protection. "Not intended for everyone"
What shipping this signals OpenAI treats prompt-injection-driven data theft as a production-scale enterprise problem worth a dedicated, capability-limiting control