As of June 17, 2026, Lockdown Mode is no longer only an enterprise edge case. OpenAI's ChatGPT release notes say Lockdown Mode is available to all logged-in users across account types and workspaces.
That does not mean every small team should leave it on all day. It means teams now need a plain rule for when the safer mode is worth the loss of connected features.
OpenAI's Lockdown Mode page frames the setting around sensitive information, connected features and prompt-injection risk. When it is enabled, ChatGPT can limit or turn off network-enabled capabilities such as live web access, deep research, agent mode, live connectors, Canvas networking, file downloads and some web-derived image support.
For a small team, the practical question is simple: which work should stay connected, and which work should happen behind stricter guardrails?
Treat it as a workflow setting
Do not treat Lockdown Mode as a sign that ChatGPT is either safe or unsafe. Treat it as a workflow setting.
Some jobs need current web context, citations, external files, connector access or agent-style action. Other jobs involve sensitive internal facts where the safest useful answer is one that cannot reach out to live web services or external tools.
Good candidates for Lockdown Mode include:
- summarizing a sensitive internal incident note;
- drafting an executive memo from private context;
- reviewing customer details that should not leave the conversation path;
- thinking through legal, security or personnel questions before sharing them;
- asking for help with a confidential board, funding or acquisition document;
- using ChatGPT around private credentials, even if the actual secret values are redacted.
The pattern is not "important work." It is connected-risk work. If the task combines private context with web access, connectors, file downloads or agents, decide whether those features are necessary before the prompt is pasted.
Decide what the answer needs before switching modes
Before turning Lockdown Mode on or off, ask what the answer actually needs.
If the job needs current public facts, fresh prices, a live product page or recent legal changes, a locked-down answer may be incomplete. If the job needs only the team's supplied context, a locked-down answer may be more appropriate.
Use a short preflight:
- Does this prompt contain private company, customer or employee context?
- Does ChatGPT need live web search to answer it?
- Does it need a connected app or MCP connector?
- Does it need to download or generate files?
- Would an agent action create risk if a webpage contained malicious instructions?
- Can the team verify the answer from supplied sources instead?
If the answer needs private context and no live external source, use the stricter path. If the answer needs current outside data, split the job: gather public facts in one step, then handle private synthesis in a separate locked-down step.
Watch the invisible dependency on web search
Many teams underestimate how often they rely on search. OpenAI's ChatGPT search documentation for Enterprise and Edu says web search is shaped by workspace settings, role permissions and restricted-access controls. It also notes that connected sources may be prioritized when selected, with web search used when those sources cannot answer.
That matters because a user may not know whether an answer came from:
- the prompt they pasted;
- a connected company source;
- public web search;
- cached or restricted search behavior;
- a general model response without fresh retrieval.
For sensitive work, the team should make this visible. Ask ChatGPT to state what sources it used, what it could not access and whether it relied on supplied text only. If the task is important, verify the answer from the source material instead of trusting that a locked-down answer has the same context as a connected one.
Use roles for repeatable decisions
For managed workspaces, Lockdown Mode should not depend on everyone remembering the same safety habit.
OpenAI's RBAC help page says workspaces with Lockdown Mode role support can create a custom role for members who need it. The same page says admins should treat Lockdown Mode as a role-level security configuration, not a single permission toggle.
That is the right mental model for small teams with different user groups:
- a finance or leadership group may need stricter defaults;
- a marketing group may need web search and file generation more often;
- an operations group may need connector access for routine work;
- a security reviewer may need both locked-down review and separate connected research.
If your plan supports role-based controls, write the role decision in plain language. Who gets Lockdown Mode? Which apps and actions still make sense for that role? Which connected sources remain available? Who can approve a temporary exception?
If the team uses personal or unmanaged accounts, the same logic still helps. Write a user-level rule for when to switch it on from security settings before starting sensitive work.
Separate research from private synthesis
The most useful habit is splitting mixed-risk prompts.
Instead of asking:
"Search the web and use our private customer notes to decide what we should do."
Use two steps:
- Search or research the public context without private data.
- Turn on the stricter mode and paste only the public summary plus the private notes needed for the decision.
This is slower, but it reduces the chance that private context is exposed to features that did not need it. It also makes review easier. The team can see which facts came from outside sources and which conclusions came from internal material.
The same split works for agent tasks. Let an agent gather public options or create a plan in a connected environment. Review the plan. Then use a stricter mode for sensitive edits, risk review or executive wording.
Do not use it as a substitute for source permissions
Lockdown Mode does not clean up messy source permissions. If a connected app, shared drive or internal tool exposes too much to a user, the safer mode is not the root fix.
Before relying on any connected workflow, check:
- which users can access each source system;
- whether shared folders contain private material by accident;
- which connectors are enabled for which users;
- whether app actions are read-only or can change records;
- whether citations or source links are visible enough to audit;
- who reviews failed or surprising answers.
Lockdown Mode reduces a class of external-interaction risk. It does not replace ordinary access control, source cleanup, admin review or employee training.
The small-team rule
Use Lockdown Mode when the prompt contains sensitive work context and the answer does not need live web access, agent actions, file downloads or live connector behavior.
Leave connected features available when the job genuinely depends on current outside information, app context or workflow actions. In that case, reduce the private data in the prompt and verify what sources were used.
The useful rollout is not "turn Lockdown Mode on for everyone." It is "these sensitive jobs use the stricter mode, these research jobs stay connected, and mixed jobs are split before private context enters the conversation."