Vendors are rolling out “lockdown” profiles for AI tools to cut prompt injection, data exfiltration, and tool misuse. Here’s a vendor-agnostic checklist you can deploy today.
Why “lockdown” matters now
Lockdown-style configurations restrict risky model capabilities by default—think browsing, arbitrary tool use, or unsandboxed code execution. The goal is to shrink the attack surface without killing productivity.
For context, see Simon Willison’s note highlighting OpenAI Help documentation around a “lockdown” approach and safer defaults (source). Treat this as a pattern you can replicate across providers.
What to disable by default
- External web browsing and untrusted connectors (turn on only for vetted users and domains).
- Plugins or tools that can read/write data, send emails, or hit production systems without human-in-the-loop.
- Arbitrary code execution without sandboxing, no-network egress, and strict time/memory limits.
- File uploads to shared workspaces unless they’re scanned, tagged, and access-controlled.
What to enable and enforce
- Allowlists over denylists: Only approved tools, domains, and repositories.
- Network egress controls: Block outbound calls by default; require explicit approvals for specific hosts.
- Input/output guards: PII redaction, secrets scanning, and policy checks on prompts and model responses.
- Retrieval hygiene: Serve only curated documents; strip or neutralize instructions inside retrieved text to reduce prompt injection.
- Strict system instructions: Make the assistant refuse to follow instructions from data, links, or untrusted content.
- Validation on function calls: Confirm parameters, run dry-runs in lower environments, and require user confirmation for destructive actions.
- Logging and review: Capture prompts, tool calls, and responses with redaction; set alerts for risky patterns.
Rollout checklist (do this this week)
- Pick a default “no-browse, no-plugins, sandboxed-code” profile; document exceptions.
- Create an allowlist for tools, files, and domains; assign owners and review cadence.
- Harden retrieval: sanitize chunks, remove hidden prompts, and add context provenance labels.
- Turn on model-side safety features: sensitive-topic filters and rate/budget caps.
- Ship a one-pager for users: what the assistant won’t do, and how to request elevated access.
- Stage-gate elevated permissions: require justification, ticketing, and auto-expiry of access.
- Test with known-bad prompts from the OWASP LLM Top 10; track pass/fail over time.
Architecture tips for safer-by-default AI
- Use sandboxed function calling: Isolate tools in microservices with explicit scopes and audit logs.
- Adopt zero trust for AI: authenticate every tool call, prefer ephemeral credentials, and pin outbound hosts.
- Prefer retrieval over broad memory: keep sessions stateless; store sensitive context outside chat history.
- Build a “break glass” path: emergency escalation that’s logged, time-bound, and requires human approval.
Policy and governance essentials
- Map controls to the NIST AI RMF and your existing security baselines.
- Define data handling: what can be shared with models, where it’s stored, and retention rules.
- Run quarterly red-team exercises and privacy reviews; update allowlists and prompts accordingly.
Key sources
- Simon Willison on OpenAI Help’s “lockdown” approach (read)
- OpenAI Enterprise security and controls (openai.com/security)
- OWASP Top 10 for LLM Applications (owasp.org)
Takeaway
Treat “lockdown mode” as your secure default, not an afterthought. Start with least privilege, allowlist everything, and make elevation rare, logged, and reversible.
Like this? Get weekly, no-fluff AI playbooks in your inbox—subscribe to The AI Nuggets.
