OpenAI's Lockdown Mode restricts what ChatGPT can do in order to reduce security risk. That tradeoff reveals a deeper problem with how AI security is being approached.
Security by Subtraction
OpenAI's Lockdown Mode is a direct response to a real threat. When AI agents connect to external systems—browsing the web, calling APIs, reading files—they become exploitable. Indirect prompt injection, credential exfiltration, data leakage through retrieval: these aren't hypothetical. They're documented, reproducible, and increasingly common.
The solution Lockdown Mode offers: do less. No live web requests. Restricted connected apps. Certain features disabled entirely. "Elevated Risk" labels on workflows where full protection isn't possible.
OpenAI is being honest about the tradeoff. That's worth acknowledging. But the tradeoff itself is the problem.
The Capability-Security Contradiction
The same connectivity that makes AI agents useful is what makes them vulnerable. An agent that can browse the web, query databases, and call external services can do so with injected instructions just as easily as with legitimate ones. The attack surface and the capability surface are the same surface.
Lockdown Mode's response to this is to shrink that surface by shrinking capability. Browsing gets crippled. Connected workflows break. The agent becomes safer because it can do less.
That's a coherent engineering decision given current constraints. It's not a solution.
A solution would preserve capability while securing the agent against adversarial use of that capability. Lockdown Mode doesn't claim to do that—it explicitly trades one for the other.
What "Safe" Actually Costs
The practical cost isn't just developer inconvenience. Organizations adopt AI agents because of specific productivity gains: retrieving live information, automating multi-system workflows, operating across connected tools without constant human handholding.
When Lockdown Mode disables features to reduce risk, it disables the features that justify the deployment. A restricted agent isn't a secure agent doing the same work—it's an agent doing less work, more safely.
For high-security environments, that may be the right call in the short term. For everyone else, it reframes AI as a conditional capability: you can have it, but only if you're willing to accept either the risk or the restriction.
Neither of those should be the only options available.
The Gap
The gap between where AI agent security is now and where it needs to be is this: an AI that can operate in hostile environments without needing to be caged.
Hostile inputs should be detected and blocked before they reach the model. Retrieval pipelines should be scanned for injected instructions before they enter the context window. Connected tools should operate within enforced policies that can't be overridden by adversarial prompts. The agent's behavior shouldn't depend on limiting what the agent can see.
Security built at the input layer, the retrieval layer, and the execution layer—not by disabling features.
Lockdown Mode reveals the gap clearly. Until that gap is closed, capability and security will remain in tension.
Promptention is built around the principle that agents should be able to operate at full capability in production environments. Security shouldn't require a smaller attack surface—it should defend the one that exists.
