OpenAI 帮助:锁定模式
TL;DR · AI 摘要
OpenAI 推出的“锁定模式”(Lockdown Mode)旨在通过限制出站网络请求来阻止数据泄露攻击的最后阶段,这是应对“致命三元组”(LLM 访问私有数据、接触不可信内容、以及数据窃取能力)的有效安全措施。
核心要点
- 锁定模式通过限制出站网络请求来阻止数据泄露,这是应对提示注入攻击的关键安全层。
- 该模式直接解决了“致命三元组”中数据窃取这一环节,通过限制 exfiltration vectors 来降低风险。
- 锁定模式的出现表明 ChatGPT 默认设置无法完全防御有决心的攻击者进行数据窃取,但该模式会牺牲部分功能性。
结构提纲
按章节快速跳转。
OpenAI 推出了新的安全功能“锁定模式”,旨在增强用户账户的安全性。
该模式通过限制出站网络请求来阻止数据泄露,是应对提示注入攻击的最后一道防线。
锁定模式旨在防止攻击者通过提示注入攻击窃取敏感数据。
锁定模式不能阻止提示注入本身出现在内容中,也无法完全阻止其影响响应行为。
锁定模式直接解决了 LLM 安全中的“致命三元组”问题中的数据窃取环节。
- ·解决思路
通过限制数据 exfiltration vectors 来解决三元组问题,且机制是确定性的,不易被 AI 自身攻破。
锁定模式的存在暗示了 ChatGPT 默认设置在面对决心强大的攻击者时,数据保护能力不足。
该模式并非面向所有用户,而是为高风险用户提供额外安全保障,但会带来功能性上的权衡。
思维导图
用一张图看清主题之间的关系。
查看大纲文本(无障碍 / 无 JS 友好)
- OpenAI 锁定模式
- 核心功能与目的
- 阻止数据泄露
- 限制出站网络请求
- 应对提示注入攻击
- 安全模型
- 致命三元组
- 访问私有数据
- 接触不可信内容
- 数据窃取能力
- 锁定模式的定位
- 限制数据窃取
- 确定性机制
- 影响与权衡
- 默认设置的局限性
- 适用人群(高风险用户)
- 功能性牺牲
金句 / Highlights
值得收藏与分享的关键句。
锁定模式旨在通过限制出站网络请求来阻止数据泄露,这是防止提示注入攻击的最后阶段。
“致命三元组”指 LLM 系统同时拥有访问私有数据、接触不可信内容以及数据窃取的能力。
锁定模式直接攻击“致命三元组”中的数据窃取环节,采用确定性机制,不易被 AI 系统本身攻破。
锁定模式的出现表明 ChatGPT 默认设置不能提供针对有决心攻击者的、稳健的数据泄露防护。
锁定模式并非为所有人设计,但对于风险较高的用户,它是进一步保障自身安全的一个优秀工具。
启用锁定模式会带来功能性和实用性上的权衡,但对高风险用户而言,这种权衡是值得的。
5th June 2026 - Link Blog
[OpenAI Help: Lockdown Mode](https://help.openai.com/en/articles/20001061-lockdown-mode). OpenAI first teased this in February, but now it's live and "rolling out to eligible personal accounts, including Free, Go, Plus, and Pro, and self-serve ChatGPT Business accounts":
Lockdown Mode is designed to help prevent the final stage of data exfiltration from a prompt injection attack by limiting outbound network requests that could transfer sensitive data to an attacker. Lockdown Mode does not prevent prompt injections from appearing in the content ChatGPT processes. For example, a prompt injection could appear in cached web content or in an uploaded file, and could still affect the behavior or accuracy of a response.
This looks really good to me.
The Lethal Trifecta occurs when an LLM system has access to all three of access to private data, exposure to untrusted content and a way to steal data and transmit it back to the attacker.
The only way to solve the trifecta is to cut off one of the three legs, and by far the easiest leg to restrict without making your LLM systems far less useful is the exfiltration vectors to steal data.
It looks to me like lockdown mode directly attacks that leg, using mechanisms that are deterministic and, crucially, are not evaluated by AI systems that themselves can be subverted by sufficiently devious attacks.
The existence of lockdown mode does however imply that ChatGPT, in its default settings, does _not_ provide robust protection against sufficiently determined data exfiltration attacks!
Update: This tweet OpenAI CISO Dane Stuckey:
Lockdown mode is not meant for everyone. However, for folks who have an elevated risk profile - due to who they are, what they work on, or the types of data they work with - it's an excellent tool for further securing themselves. This has some tradeoffs on functionality and utility, but for these users, the tradeoff is worthwhile.