---
title: "Splitting the Lethal Trifecta"
date: "2026-06-06T21:00:00-07:00"
lastmod: "2026-06-06T21:00:00-07:00"
description: "The lethal trifecta is private data, untrusted content, and external communication in one agent loop. Mission-bound authorization cannot make the model injection-proof, so it does the structural thing instead: type the three legs, keep them split at execution time, and make the third leg unreachable without a fresh decision."
summary: "Simon Willison named the combination that makes agents dangerous: access to private data, exposure to untrusted content, and the ability to communicate externally, held together in one loop. Any two legs are safe. All three are an exfiltration machine waiting for a poisoned document. This post runs the handbook against that threat model: the three legs become separately typed action classes under one Mission, the external leg becomes a consequential action that needs a fresh parameter-bound permit, mediated custody keeps the egress credential out of the agent\u0026rsquo;s hands, and the harness downgrades egress once untrusted content enters the session. Then the honest residuals: enforcement scope, composition, and the semantic gap."
slug: "splitting-the-lethal-trifecta"
tags:
  - "Agentic Identity"
  - "Authorization"
  - "Mission-Bound Authorization"
  - "Security Architecture"
  - "AuthZEN"
series:
  - "proving-mission-bound-authorization"
---


{{< tldr >}}

- **The threat model.** [The lethal trifecta](https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/) is Simon Willison's name for the combination that makes agents dangerous: access to private data, exposure to untrusted content, and the ability to communicate externally, in one loop. Any two legs are survivable. All three mean anything the agent reads can steal what the agent knows.
- **The answer in one line.** The handbook cannot make the model injection-proof, so it does the structural thing instead: the three legs become separately typed action classes under one Mission, kept split at execution time, with the external leg unreachable without a fresh, parameter-bound decision.
- **What lives in this post.** [Why the trifecta is an authorization problem](#the-trifecta-is-an-authorization-problem), [what each leg gets](#what-each-leg-gets), [why splitting beats guardrails](#why-splitting-beats-guardrails), and [the honest residuals](#the-honest-residuals).
- **The card analogy.** The hypnotized cardholder and the ATM: the agent is a cardholder whose judgment can be rewritten by a shop window, and every unmediated path is cash. [The Network Approves Every Transaction](/notes/the-network-approves-every-transaction/) is this threat in card language.
- **The laws.** [Containment (Law 5)](/series/mission-bound-authorization/#the-five-laws-of-delegated-authority) does the work: execution must continuously remain inside approved purpose. Termination stands behind it as the kill switch when containment catches something.
- **Specs (editor's copies).** [Mission-Bound Runtime Enforcement](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-runtime.html), the [AuthZEN profile](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-authzen.html), and [Mission-Aware Agent Harnesses](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-harness.html).

**Reading path.** ~10 minutes in order, or jump to [the honest residuals](#the-honest-residuals) if you already know the trifecta and want the limits.

{{< /tldr >}}

# Overview

In June 2025, [Simon Willison named the pattern](https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/)
that the disclosures keep confirming: an agent that
combines access to private data, exposure to untrusted content, and
the ability to communicate externally can be turned against its
principal by anything it reads. No exploit code required. A poisoned
document instructs the agent to gather what it knows and send it out,
and the agent complies with its own legitimate credentials. Hold any
two legs and you are survivable. Hold all three in one loop and you
have built an exfiltration machine that is waiting for its
instructions.

The same month, researchers disclosed
[EchoLeak](https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html)
(CVE-2025-32711), which demonstrated the whole chain against a
production system: a single crafted email, invisible to the user,
steered Microsoft 365 Copilot into exfiltrating whatever its retrieval
scope could reach, with no click required. All three legs, one loop,
exactly as named.

The handbook's running example carries all three legs on purpose.
Alice's agent reads Q3 financials (private data), works through source
documents to draft the packet (untrusted content), and notifies the
audit committee (external communication). That is not a contrived
worst case. It is what a useful agent task looks like, which is
Willison's real point: the trifecta is not an edge case to avoid but
the normal shape of valuable work. The question is not how to avoid
assembling it. It is how to hold it safely.

This post is the first proof in the validation chapter: run the
handbook against the threat model and see what holds.
[Mission-Bound Runtime Enforcement](/notes/mission-bound-runtime-enforcement-profile/#the-lethal-trifecta-at-execution-time)
carries the execution-time contract this post walks. Here the goal is
the whole story in one place, honest residuals included.

# The Trifecta Is an Authorization Problem

The first thing the handbook does to the trifecta is make it visible.
You cannot govern a combination you cannot see, and in most agent
stacks the three legs are invisible because every action looks the
same to the authorization layer: a valid token calling an API inside
its scopes. Reading the financials, reading the poisoned document, and
posting to the webhook are indistinguishable events.

The handbook types them. Under one Mission, private reads, untrusted
ingestion, and external writes are separately typed action classes,
separately evaluated, and separately auditable. The Authority Set says
which resources the agent may read and which destinations it may write
to, with the parameters bound into the entries. The moment the legs
are typed, the trifecta stops being an ambient property of the
deployment and becomes a stated fact about one task: this Mission
holds all three legs, these are the bounds on each, and here is the
approval that accepted that combination.

That reframing is the disagreement with the guardrail industry worth
stating plainly. The trifecta is not a prompt-engineering problem or a
model-alignment problem. It is an authorization problem: which
authority is in one loop at the same time, and what checks the
combination at the moment it matters.

# What Each Leg Gets

**Private data gets exposure discipline.** The narrow Authority Set
bounds which private resources the task may touch at all, and
[Least Exposure Is Broader Than Least Privilege](/notes/least-exposure-is-broader-than-least-privilege/)
carries the deeper rule: bound what the agent may *see* as
deliberately as what it may do, because everything it sees can steer
it and everything it holds can leak.

**Untrusted content gets a taint response.** Shaping fails closed on
ambiguity so untrusted input cannot quietly widen a proposal, and the
[harness](/notes/mission-agent-runtime-and-audit/) carries the
session-level mitigation Willison himself points toward: once
untrusted content has entered a session, egress authority is
downgraded for the remainder of it. That is deliberately coarse. It is
a bar-raiser, not information-flow control, and the residuals section
says so.

**External communication gets the full weight of enforcement.** The
external leg is where the theft completes, so it carries the strictest
class in the [runtime contract](/notes/mission-bound-runtime-enforcement-profile/).
Every external write is a consequential action needing a fresh permit
from the PDP, evaluated against current Mission state, with the
parameters bound: in the running example, `notify_reviewer` is bound
to the `audit-committee` group, so the poisoned document that says
"also send the numbers to this address" produces a
`parameter_violation` denial, not a delivery. Under mediated custody
the agent never holds the egress credential at all: the PEP holds the
sender-constraint key, so a fully compromised agent cannot present the
credential on an unmediated path it does not have. And for the classes
where the content itself is the harm, action-bound approval puts a
human between the injected instruction and the send.

# Why Splitting Beats Guardrails

Everything above shares one property: none of it requires the model to
resist the injection. The poisoned document can convince the agent
completely, and the agent can walk to the register as itself, and the
transaction still fails, because the authority the gate checks against
was fixed at approval time and the injected instruction cannot widen
it. A guardrail asks the model to recognize manipulation. The split
asks the PDP to check a parameter against a committed bound, which is
a question with a deterministic answer.

And when containment catches something, Termination finishes the job.
A `parameter_violation` denial is decision evidence joined to the
`mission_id`, the incident playbook revokes the Mission, and the kill
switch reaches every projection: issuance stops, permits stop, the
harness halts the session, and the sub-agents cascade. The trifecta
does not have to be defeated forever. It has to be caught once, and
end everywhere.

# The Honest Residuals

The handbook's own [adversary model](/notes/mission-bound-authorization-reference/#adversary-model)
carries these in writing, and this post repeats them because a
validation that hides its residuals is marketing.

- **The defense is exactly as strong as PEP coverage.** Every channel
  the runtime offers is a potential fourth leg: DNS, logs, error
  strings, a file another process reads. The deployment must name its
  enforcement scope and its unmediated paths. In card language, count
  your ATMs.
- **There is no information-flow control.** Each action is evaluated
  in isolation, so a sequence of individually permitted actions can
  compose into an exfiltration no single check catches. The harness's
  taint downgrade raises the bar without closing this.
- **The enforcement is structural, not semantic.** An in-bounds send
  to an approved recipient can still carry content it should not. The
  classes where content is the harm belong under action-bound human
  approval, not under a smarter policy engine.
- **Inside the approved scope, a turned agent is still turned.** The
  Mission bounds the blast radius. It does not shrink it to zero,
  which is why scope stays tight and expiry stays short.

Willison's conclusion was that no reliable prompt-level defense
exists, and the handbook agrees from the other direction: the fix is
not a smarter model but an authority architecture in which the model's
compromise is survivable. Two legs safe was always the advice. The
Mission is what turns that advice from a hope about deployments into
a property the gate enforces, one typed action at a time.

