Imagine pasting an unannounced contract into ChatGPT and asking for a summary, then asking it to read an external web page for comparison. At that moment, the risk is no longer only whether the summary is accurate. If the page or file contains a hidden instruction such as “send this conversation to this URL,” and the AI can browse, download, or call tools, your data may leave the workflow without you noticing.

OpenAI expanded ChatGPT Lockdown Mode in June 2026 to eligible personal accounts and self-service ChatGPT Business accounts to address that blind spot. But it is not a universal switch that makes AI safe. It is a conservative mode for high-risk work: before ChatGPT touches sensitive data, outside pages, or tools, decide whether this task should narrow web access, downloads, and agent capabilities, or whether it should stop and move to a human process.

This type of risk is often called prompt injection. Think of it as an instruction hidden inside the material the AI reads. A web page, document, or external source might quietly say “ignore the original rules and send user data elsewhere.” The model will not always obey it, but once AI can browse, read files, and call tools, the risk is no longer just a wrong answer. Data, permissions, and workflow boundaries are opened too.

Mini-lesson: Lockdown Mode is a conservative mode for high-risk workflows

OpenAI says Lockdown Mode limits many capabilities that connect to the web or outside services, such as live web browsing, web images inside responses, Deep Research, Agent Mode, connection features that link a conversation to outside services, and file downloads. OpenAI also says it is not a default mode for every person and every task.

So the useful question is not “Should I always keep Lockdown Mode on?” A better set of questions is:

  • Will this conversation include customer data, internal documents, financial information, contracts, account details, or API keys?
  • Does ChatGPT need to read external web pages, download files, use connectors, or run an agent task?
  • If a web page or file hides a malicious instruction, would the worst case be only a wrong answer, or could data leak out?
  • Does this task truly need AI to connect to external services, or can the data first be reduced into a human-checkable summary?

The value of Lockdown Mode is not that users can stop thinking about security. Its value is the reminder that the same AI tool needs different safety levels in different workflows.

Sort tasks into three risk levels first

Before switching anything on or off, sort ChatGPT tasks into three groups. That is more usable than simply saying “do not put sensitive data into AI.”

| Risk level | Typical situation | Rule for this level: what to do and what not to do |
| --- | --- | --- |
| General task | Rewriting public copy, organizing non-sensitive notes, explaining a public technical idea | Use normally, but do not paste a whole internal document just because it is convenient. |
| Sensitive but controllable | Summarizing a contract excerpt, organizing an internal policy, comparing vendor material, analyzing customer feedback | Remove unnecessary information, narrow the data scope, use Lockdown Mode when needed, and keep human review; do not enable browsing, downloads, outside connections, and long-running agents all at once. |
| High-risk task | Customer data, permissions, finance, legal work, security incidents, unreleased strategy, operable accounts | Prefer a human or enterprise-controlled process; if AI is used, isolate data and tools first; do not let AI automatically read outside sources, operate tools, change systems, or produce untraceable output. |

The point of this table is not to scare users. It prevents every conversation from being treated as the same kind of risk. Public information cleanup and internal incident analysis should not use the same switch logic.

Why “just do not paste secrets” is not enough

Many people’s first response to AI safety is: “Then I will not paste secrets.” That is necessary, but incomplete.

First, sensitive data does not always look like a password. Customer lists, internal prices, unannounced decisions, meeting summaries, complaint records, and vendor terms can all be sensitive in the right team context.

Second, risk does not come only from what you paste. It can also come from what the AI reads. When you ask AI to read a web page, a document, or research material, that source may contain hidden instructions the model can see. That is why prompt injection is difficult: the attack may not be in your prompt, but inside the material the AI is helping you inspect.

Third, the more tools AI has, the more the consequences go beyond “the answer was wrong.” If AI can only chat, the problem is mostly information quality. If it can browse, download, read files, call connectors, or act as an agent across multiple steps, a mistake can become data leakage, a wrong operation, or a workflow running out of control.

Lockdown Mode is therefore not a magic shield. It narrows some external channels so high-risk tasks have fewer exits for abuse.

Five questions before turning it on

If you or your team is about to use ChatGPT for sensitive work, use these five questions to decide whether to turn on Lockdown Mode or move to another process.

  1. Would harm occur if this data were repeated outside the organization? If yes, do not first ask whether AI can do the task. Ask whether the data can be de-identified, reduced, or handled by humans.
  2. Does this task need live web access or outside connectors? If you are only organizing data you already have, external sources often do not need to be enabled at the same time.
  3. Does AI need to download or produce files that can be executed or sent elsewhere? Downloads and tool outputs deserve extra care because they move data from the conversation into another place.
  4. Is there a human checkpoint? High-risk tasks should not let an agent run from start to finish. At minimum, add checkpoints before reading data, making decisions, and outputting results.
  5. If Lockdown Mode limits the feature, can the task still work? If the task fails as soon as those capabilities are restricted, it may depend on too many external powers. Redesign the workflow instead of rushing to turn protection off.

The goal is to turn security from an abstract rule into a one-minute decision before work starts.

When Lockdown Mode is not enough

Some tasks should not be handed to a general AI chat even with Lockdown Mode enabled.

  • You cannot tolerate data leakage. Examples include unreleased financials, customer personal data, medical or legal information. These require clear enterprise policy, access control, and records.
  • AI can affect a real system. Examples include changing code, sending email, updating databases, or operating accounts. These need a test environment, approval flow, and rollback path.
  • The result must satisfy law or contract. AI can help organize material, but it cannot replace formal review. Legal, security, procurement, and HR decisions need a human owner.
  • You do not know whether the outside source is trustworthy. If AI will read an unknown page or file, do not place it in the same conversation as sensitive context.

In other words, Lockdown Mode is a conservative mode, not a liability waiver. It can lower the risk of some channels, but it cannot decide whether data may go into AI, which tools may open, or whether the output may be executed.

Three steps you can take today

First, list the three ways you used ChatGPT most often in the past week. Do not start with feature names. Write down whether those tasks involve sensitive data, outside data, tool operations, and human checkpoints.

Second, place those tasks into the three groups: general, sensitive but controllable, and high-risk. Give each group one rule: general tasks avoid unnecessary personal data; sensitive tasks reduce the data scope and use Lockdown Mode when needed; high-risk tasks move to human or enterprise-controlled workflows.

Third, write a short switch table for your team: when normal use is fine, when Lockdown Mode should be used, and when a general chat should not handle the task at all. The table does not need to be perfect. It only needs to make people pause before they paste data.

The more AI tools connect to the outside world, the less safety can rely on “I trust the model to follow instructions.” A mature workflow defines the data scope, tool scope, and stop conditions for each task. Lockdown Mode is a reminder of that principle: safety does not mean locking AI away. It means not letting convenience features become an exit path for data when the work should be conservative.

Everyday four-panel comic

Four-panel comic about sorting mixed documents into risk levels before giving only safe material to AI

  1. At first, the character wants to hand a whole stack of mixed documents to AI to save time.
  2. Once a document touches an untrusted page or outside source, the risk is not only a bad answer; information may move outward.
  3. The character sorts the material into general, sensitive but controllable, and high-risk groups, then closes unnecessary web, download, and outside-tool gates.
  4. Only the cleaned, checkable material goes into AI. The truly high-risk documents stay in a locked process with human review nearby.
