{"id":8419,"date":"2026-06-09T03:57:45","date_gmt":"2026-06-09T03:57:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8419"},"modified":"2026-06-09T03:57:45","modified_gmt":"2026-06-09T03:57:45","slug":"openais-lockdown-mode-is-trying-to-solve-the-problem-that-it-created","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8419","title":{"rendered":"OpenAI\u2019s Lockdown Mode is trying to solve the problem that it created"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>OpenAI\u2019s move to implement a Lockdown Mode that tries to limit data exfiltration by shutting down external capabilities is being seen as making the best out of a bad situation. But Lockdown Mode doesn\u2019t block exfiltration as much as it slightly reduces it, and the reality of enterprises using multiple AI vendors for their agentic models further complicates an already dicey governance strategy.<\/p>\n<p>When activated within OpenAI products\u2019 settings, Lockdown Mode limits web browsing to cached content, limits image support, disables Deep Research and Agent Mode, denies users the ability to approve Canvas-generated code to access the network, and prevents ChatGPT from downloading files for data analysis, though it can still operate on manually uploaded files, <a href=\"https:\/\/help.openai.com\/en\/articles\/20001061-lockdown-mode\" target=\"_blank\" rel=\"noopener\">OpenAI said in a blog post<\/a>.\u00a0The company did not respond to a request for comment.<\/p>\n<p>That post included a frequently-asked-questions section in which <a href=\"https:\/\/www.csoonline.com\/article\/4181294\/openai-responds-to-white-house-executive-order-on-ai-governance.html\" target=\"_blank\" rel=\"noopener\">OpenAI<\/a> wrote its own questions and then answered them. 
One notably asked \u201cIs prompt injection a major risk?\u201d with the response, \u201cPrompt injection is not currently a major risk, but its impact could grow as attackers develop more sophisticated methods.\u201d<\/p>\n<p>Consultants found that sentence baffling.<\/p>\n<p>\u201cOpenAI\u2019s own posture is telling. It calls prompt injection a frontier research problem, hard enough to warrant a containment mode, while saying in the same breath that it is not currently a major risk,\u201d said <a href=\"https:\/\/greyhoundresearch.com\/svg\/\" target=\"_blank\" rel=\"noopener\">Sanchit Vir Gogia<\/a>, chief analyst at Greyhound Research. \u201cA vendor does not build a panic room for a house it believes is safe. Lockdown Mode is the admission itself.\u201d<\/p>\n<p>And the risk of AI-enabled data exfiltration was illustrated recently when <a href=\"https:\/\/www.documentcloud.org\/documents\/28202858-meta-ai-ag-maine\/\" target=\"_blank\" rel=\"noopener\">some Instagram users\u2019 personal data was stolen<\/a> after Meta had turned over control of password changes for accounts to an AI agent.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Still allows some exfiltration<\/h2>\n<p>Gogia added that Lockdown Mode is porous, as it will still allow some data exfiltration; he described the problem it is trying to contain as \u201ca model carrying a trusted user\u2019s authority while acting on instructions hidden in untrusted content. Data can leave by a side door rather than be announced in the chat.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/tomfindling\/\" target=\"_blank\" rel=\"noopener\">Tom Findling<\/a>, CEO of Conifers.ai, also questioned whether OpenAI could block all of what it claims it can block. \u201cIt is yet to be seen whether [Lockdown Mode] can be breached or not. Is it Nirvana? 
Probably not, but this is likely the best they could have done, given the infrastructure they have today.\u201d<\/p>\n<p>An executive with a major agentic cybersecurity firm, who asked not to be named, agreed with Findling: Lockdown Mode \u201cis not going to be validated until someone tries breaking it. Almost every sandboxing solution out there, AI has been able to break out of,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">Debate over who has control<\/h2>\n<p>Analysts and consultants disagreed over whether enterprises should use the OpenAI capabilities for isolation or use the enterprise\u2019s own restrictions.<\/p>\n<p>\u201cThe question I immediately asked myself was whether organizations need OpenAI to do this for them. The answer, in my opinion, is no,\u201d said <a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\" target=\"_blank\" rel=\"noopener\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group. \u201cSecurity professionals have been implementing similar concepts for years through control areas like network segmentation, least privilege, applying Zero Trust concepts and principles, application controls, and \u2018air-gapping\u2019 some environments.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\" target=\"_blank\" rel=\"noopener\">Flavio Villanustre<\/a>, CISO for the LexisNexis Risk Solutions Group, also has doubts. \u201cSo long as the LLM and associated components are provided as a service by OpenAI, customers can only partially control where those systems can reach out, so this lockdown mode seems to be the answer to that,\u201d he said. <\/p>\n<p>\u201cYes, customers could use a secure gateway,\u201d he added, \u201cbut if the LLM and\/or agent sitting at OpenAI premises accesses other third party services, there would not be a way for the IT and\/or cybersecurity team from the customer to restrict this. 
The most secure approach is always the deployment of the AI infrastructure on premises, but that\u2019s just not viable for the majority of organizations.\u201d<\/p>\n<p><a href=\"https:\/\/www.gartner.com\/en\/experts\/dennis-xu\" target=\"_blank\" rel=\"noopener\">Dennis Xu<\/a>, a research VP with Gartner, flatly stated that enterprises need to rely on AI vendor-provided cutoffs.\u00a0<\/p>\n<p>\u201cThis is not something end user clients can do on their own. As this controls how traffic flows from OpenAI infrastructure, the ChatGPT application, going outbound, only OpenAI has the ability to control that flow. ChatGPT is a web\/SaaS based application that cannot be air gapped,\u201d Xu said. \u201cIn the shared responsibility model, this falls under provider responsibility. End user clients will need to rely on what is available from providers such as OpenAI. Without that, they have no control over this data flow. So if they like this OpenAI feature, they need to raise this as a feature request with other providers for them to implement into their solution.\u201d<\/p>\n<p>That can get considerably more complex if every AI vendor implements such shutoff valves differently.\u00a0<\/p>\n<p>Gogia noted that vendor-specific controls are useful tactically and weak strategically, because each vendor can only constrain its own product. \u201cOpenAI can limit OpenAI but it cannot govern a local model in a business unit or an assistant embedded elsewhere,\u201d he said. \u201cIts own model shows the limit: in managed workspaces, apps and connectors remain governed by role-based access and Lockdown Mode does not automatically disable every app. The hard work does not vanish. 
It moves into governance.\u201d<\/p>\n<p>Villanustre added that the result will be that customers may need to deal with \u201ca patchwork of controls\u201d until independent third party governance tools come to the rescue and support this cross-vendor management model.<\/p>\n<p>As well, Avakian said, \u201crather than relying on a single AI platform, organizations will likely use multiple models from multiple vendors, in which each will serve different business functions. We might soon find ourselves talking about AI trust zones, AI segmentation, AI least privilege, and AI governance frameworks the same way we talk today about network segmentation and Zero Trust architectures.\u201d<\/p>\n<p>However, <a href=\"https:\/\/www.linkedin.com\/in\/carmi\/\" target=\"_blank\" rel=\"noopener\">Carmi Levy<\/a>, an independent technology analyst, said that the OpenAI move is an improvement, albeit an incremental one.<\/p>\n<p>\u201cIt is not a replacement for pre-existing best practices within any organization. Rather, it enables greater in-model protections before organizational limitations can be imposed. With different vendors incorporating different lockdown modes into their models, IT is challenged to update its own protocols to integrate with an increasingly diverse vendor landscape,\u201d he said. \u201cThere\u2019s no getting around the fact that this will add ongoing overhead to IT and cybersecurity operations, as different vendors continue to evolve their own protection-focused regimes.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Humans are the problem<\/h2>\n<p>One of the reasons that Lockdown Mode can\u2019t halt all exfiltration, even if it works perfectly, is the human factor, coupled with the tendency of autonomous agents to bypass rules.\u00a0<\/p>\n<p>For example, let\u2019s say that an end user works for a large publicly-held American company, and the user asks the agent to gather financial details about an upcoming quarter\u2019s revenue and net income. 
Securities and Exchange Commission (SEC) rules in the US make it illegal to selectively disclose that material non-public information to some investors before it has been announced to the public.<\/p>\n<p>If the agent finds a way to access internal emails and documents from Finance and shares the answer with the end user, and that end user then copies and pastes that information into an email sent to some investors, or possibly even a financial journalist, the user is in contravention of the rule; the model that supplied the data may not have even known that this disclosure was prohibited.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Expands the attack surface<\/h2>\n<p><a href=\"https:\/\/acceligence.com\/talent\/profiles\/justin-greis\/\" target=\"_blank\" rel=\"noopener\">Justin Greis<\/a>, CEO of consulting firm Acceligence, noted that the most interesting thing about Lockdown Mode is that it acknowledges a reality many organizations are wrestling with: AI\u2019s value often comes from its ability to connect to systems, access data, browse the web, and take action.<\/p>\n<p>\u201cThose same capabilities also expand the attack surface. As AI becomes more integrated into critical business processes, the conversation shifts from maximizing capability to balancing capability with control,\u201d he said. \u201cThe broader implication is that we\u2019re likely moving toward a world where AI systems have configurable operating modes based on business context, data sensitivity, user privileges, and risk tolerance. That\u2019s a much more nuanced model than the all-or-nothing approaches we\u2019ve seen so far.\u201d<\/p>\n<p>Greis would like the OpenAI option to offer IT granular functionality choices. \u201cIT needs to have the availability to configure it and not just accept the default settings from OpenAI,\u201d he said. 
For example, IT might want to customize based on connectors, or GPTs, or models, or zones, or regions.<\/p>\n<p>Another Gartner VP analyst, <a href=\"https:\/\/www.gartner.com\/en\/experts\/nader-henein\" target=\"_blank\" rel=\"noopener\">Nader Henein<\/a>, said that OpenAI created Lockdown Mode \u201cwith a narrow set of clients in mind, specifically for non-classified government use, potentially for specific governments, the reason being that if an enterprise client has this level of concern regarding data sensitivity, they are not likely going to trust any provider, including OpenAI,\u201d he pointed out. \u201cThose clients are likely to seek on premises large language models, or large language models hosted in secure, trusted environments.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>OpenAI\u2019s move to implement a Lockdown Mode that tries to limit data exfiltration by shutting down external capabilities is being seen as making the best out of a bad situation. 
But Lockdown Mode doesn\u2019t block exfiltration as much as it slightly reduces it, and the reality of enterprises using multiple AI vendors for their agentic [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8420,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8419","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8419"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8419"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8419\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8420"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}