
OpenAI Lockdown Mode: Containment Without Complete Protection Against Data Leakage

The Bottom Line: Lockdown Mode reduces data leakage risks only partially and reveals trust issues with cloud-based AI agents that complicate full corporate control.

OpenAI introduces a “Lockdown Mode” to limit unauthorized data loss through external functions. Security experts and CISOs describe the feature as incomplete and warn that it represents only symptomatic treatment.

OpenAI has implemented Lockdown Mode, which can be activated internally and restricts several functions: web browsing is limited to cached content, image support and Deep Research are disabled, Agent Mode is blocked, Canvas-generated code cannot be approved for network access, and ChatGPT cannot download files for data analysis — but manually uploaded files can continue to be processed.

In an FAQ, OpenAI acknowledged that prompt injection “is currently not a major threat,” but said its impact could grow with sophisticated attack concepts. Security analysts criticize this position as contradictory. Greyhound Research’s chief analyst, Sanchit Vir Gogia, points out: “OpenAI calls prompt injection itself a frontier research problem with lockdown mode, but at the same time says it is not a major threat. No vendor builds a sandbox for a house they think is safe. Lockdown Mode is itself the admission.” A case involving Instagram user data stolen by an AI agent in a password manager illustrated the practical risks.

Multiple experts doubt that Lockdown Mode actually blocks all data leakage channels. Sanchit Vir Gogia emphasizes that the mode remains “porous”: “Data can leak through a back door instead of being announced in the chat.” Tom Findling, CEO of Conifers.ai, states that it is still unclear whether the mode can be breached: “It’s probably the best they could do given their current infrastructure.” A senior employee of a major cybersecurity firm who wished to remain anonymous agrees and emphasizes that “virtually every AI sandboxing solution has been breached.”

Security professionals are debating whether organizations should use this OpenAI feature or instead deploy their own controls. Erik Avakian from Info-Tech Research Group argues that organizations do not need such features from OpenAI: “Security experts have been implementing similar concepts for years — through network segmentation, least-privilege principles, Zero Trust, and air-gapping.” Flavio Villanustre, CISO of LexisNexis Risk Solutions Group, shares the skepticism: Since LLMs and associated components are provided as a service by OpenAI, customers can only partially control which systems are reached. A gateway could improve this, but if the agent sits on OpenAI servers and accesses external services, enterprises have no way to restrict this. The safest solution remains on-premises deployment of AI infrastructure.


Source: www.csoonline.com · Published June 9, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
