Overview
In June 2025, Simon Willison named the pattern that the disclosures keep confirming: an agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally can be turned against its principal by anything it reads. No exploit code required. A poisoned document instructs the agent to gather what it knows and send it out, and the agent complies with its own legitimate credentials. Hold any two legs and you are survivable. Hold all three in one loop and you have built an exfiltration machine that is waiting for its instructions.
The same month, researchers disclosed EchoLeak (CVE-2025-32711), which demonstrated the whole chain against a production system: a single crafted email, invisible to the user, steered Microsoft 365 Copilot into exfiltrating whatever its retrieval scope could reach, with no click required. All three legs, one loop, exactly as named.
The handbook’s running example carries all three legs on purpose. Alice’s agent reads Q3 financials (private data), works through source documents to draft the packet (untrusted content), and notifies the audit committee (external communication). That is not a contrived worst case. It is what a useful agent task looks like, which is Willison’s real point: the trifecta is not an edge case to avoid but the normal shape of valuable work. The question is not how to avoid assembling it. It is how to hold it safely.
This post is the first proof in the validation chapter: run the handbook against the threat model and see what holds. Mission-Bound Runtime Enforcement carries the execution-time contract this post walks. Here the goal is the whole story in one place, honest residuals included.
The Trifecta Is an Authorization Problem
The first thing the handbook does to the trifecta is make it visible. You cannot govern a combination you cannot see, and in most agent stacks the three legs are invisible because every action looks the same to the authorization layer: a valid token calling an API inside its scopes. Reading the financials, reading the poisoned document, and posting to the webhook are indistinguishable events.
The handbook types them. Under one Mission, private reads, untrusted ingestion, and external writes are separately typed action classes, separately evaluated, and separately auditable. The Authority Set says which resources the agent may read and which destinations it may write to, with the parameters bound into the entries. The moment the legs are typed, the trifecta stops being an ambient property of the deployment and becomes a stated fact about one task: this Mission holds all three legs, these are the bounds on each, and here is the approval that accepted that combination.
That reframing is the disagreement with the guardrail industry worth stating plainly. The trifecta is not a prompt-engineering problem or a model-alignment problem. It is an authorization problem: which authority is in one loop at the same time, and what checks the combination at the moment it matters.
What Each Leg Gets
Private data gets exposure discipline. The narrow Authority Set bounds which private resources the task may touch at all, and Least Exposure Is Broader Than Least Privilege carries the deeper rule: bound what the agent may see as deliberately as what it may do, because everything it sees can steer it and everything it holds can leak.
Untrusted content gets a taint response. Shaping fails closed on ambiguity so untrusted input cannot quietly widen a proposal, and the harness carries the session-level mitigation Willison himself points toward: once untrusted content has entered a session, egress authority is downgraded for the remainder of it. That is deliberately coarse. It is a bar-raiser, not information-flow control, and the residuals section says so.
External communication gets the full weight of enforcement. The
external leg is where the theft completes, so it carries the strictest
class in the runtime contract.
Every external write is a consequential action needing a fresh permit
from the PDP, evaluated against current Mission state, with the
parameters bound: in the running example, notify_reviewer is bound
to the audit-committee group, so the poisoned document that says
“also send the numbers to this address” produces a
parameter_violation denial, not a delivery. Under mediated custody
the agent never holds the egress credential at all: the PEP holds the
sender-constraint key, so a fully compromised agent cannot present the
credential on an unmediated path it does not have. And for the classes
where the content itself is the harm, action-bound approval puts a
human between the injected instruction and the send.
Why Splitting Beats Guardrails
Everything above shares one property: none of it requires the model to resist the injection. The poisoned document can convince the agent completely, and the agent can walk to the register as itself, and the transaction still fails, because the authority the gate checks against was fixed at approval time and the injected instruction cannot widen it. A guardrail asks the model to recognize manipulation. The split asks the PDP to check a parameter against a committed bound, which is a question with a deterministic answer.
And when containment catches something, Termination finishes the job.
A parameter_violation denial is decision evidence joined to the
mission_id, the incident playbook revokes the Mission, and the kill
switch reaches every projection: issuance stops, permits stop, the
harness halts the session, and the sub-agents cascade. The trifecta
does not have to be defeated forever. It has to be caught once, and
end everywhere.
The Honest Residuals
The handbook’s own adversary model carries these in writing, and this post repeats them because a validation that hides its residuals is marketing.
- The defense is exactly as strong as PEP coverage. Every channel the runtime offers is a potential fourth leg: DNS, logs, error strings, a file another process reads. The deployment must name its enforcement scope and its unmediated paths. In card language, count your ATMs.
- There is no information-flow control. Each action is evaluated in isolation, so a sequence of individually permitted actions can compose into an exfiltration no single check catches. The harness’s taint downgrade raises the bar without closing this.
- The enforcement is structural, not semantic. An in-bounds send to an approved recipient can still carry content it should not. The classes where content is the harm belong under action-bound human approval, not under a smarter policy engine.
- Inside the approved scope, a turned agent is still turned. The Mission bounds the blast radius. It does not shrink it to zero, which is why scope stays tight and expiry stays short.
Willison’s conclusion was that no reliable prompt-level defense exists, and the handbook agrees from the other direction: the fix is not a smarter model but an authority architecture in which the model’s compromise is survivable. Two legs safe was always the advice. The Mission is what turns that advice from a hope about deployments into a property the gate enforces, one typed action at a time.