Operating Inside the Lethal Trifecta

The lethal trifecta names the fundamental security problem of AI agents. Three capabilities, each safe in pairs, become catastrophic when combined:

• Access to private data: bank credentials, SSNs, medical records
• Exposure to untrusted content: emails, web pages, documents
• External communication: send emails, submit forms, make API calls

Any two are manageable. All three create a complete kill chain: an attacker embeds instructions in content the agent encounters, the agent reads private data, and the agent sends it out. AI agents require all three capabilities to be useful. The three ingredients that create the kill chain are exactly the three ingredients that make agents worth building.

This is not theoretical. In 2025, researchers demonstrated this attack against Perplexity's Comet AI browser: a single URL with hidden instructions caused the agent to read a user's Gmail and POST everything to an attacker-controlled server. The same vulnerability class appeared in Microsoft Copilot and Google Gemini. OWASP ranks prompt injection #1 in its 2025 Top 10 for LLM applications. OpenAI states prompt injection is "unlikely to ever be fully solved."

Every existing mitigation (input filters, output scanners, instruction hierarchy) is probabilistic. A 95% interception rate is a failing grade in security. The attacker only needs to succeed once.

The task: A user asks their AI agent to make a quarterly estimated tax payment. Log into Chase, retrieve routing and account numbers, navigate to IRS Direct Pay, fill in the form, submit, then check Gmail for the confirmation receipt. All three trifecta ingredients required simultaneously.

The legitimate workflow

The attack

In the user's inbox, between the IRS confirmation and a newsletter, sits an email. Somewhere in the body, invisible to the user (white text on white background, an HTML comment, text hidden after blank lines):

The agent reads the injection, follows the instructions, and composes an email with the user's name, SSN, routing number, and account number. The attacker receives a complete financial identity package.

Replay the same scenario with the defense in place. The critical difference: the agent has never seen the user's real data. Every name, SSN, routing number, and account number was replaced with a synthetic value before the agent processed anything.

When the agent viewed the Chase account page, the bank displayed 021000021 for the routing number and 483291076 for the account number. Before the agent saw any of it, a detection pipeline identified the PII and swapped each value with a synthetic substitute. The routing number became 073921584. The account number became 891043267. "Michael Chen" became "Robert Fitzgerald." The agent saw a normal-looking bank page. Every sensitive value was synthetic. The agent had no way to tell.

When the agent navigated to IRS Direct Pay and filled in the form, it typed the synthetic values: 073921584 for the routing number, 891043267 for the account number, "Robert Fitzgerald" for the name. At the moment of form submission, the system checked its policy: IRS Direct Pay is an authorized destination for this data. The synthetic values were silently resolved to the real values at the DOM boundary. The IRS received 021000021, 483291076, "Michael Chen." The payment went through with real data.

On sites where policy disables typing entirely, the agent physically cannot input text. The type command is rejected before anything reaches the page. This is a separate enforcement layer from value resolution.

PII can only flow within a website or between websites that are explicitly linked in the policy. Bank data resolves on the IRS because that flow is authorized. Bank data does not resolve on Gmail. Gmail data does not resolve on the bank. Each linkage must be explicitly configured.

The agent checks Gmail. It reads the attacker's email. The prompt injection fires. The agent follows the instructions, composing an email to the attacker's address and typing the "stolen" financial data into the body.

The agent types what it believes is the user's real information. The system checks its policy: Gmail compose is not an authorized destination for this PII. Resolution is denied. The agent's type command goes through, but only the placeholders reach the page. The real values were never in the agent's possession to begin with. The synthetic values the agent worked with all session are replaced by their placeholder tokens.

The email sends. The attacker receives this:

The system detected a policy violation. What happens next is configurable:

Every guardrail the industry has built operates at the instruction layer. Input filters scan for prompt injection patterns. Output scanners look for exfiltration attempts. Instruction hierarchy tells the model to prioritize system prompts. All of these are probabilistic. All of them try to win an arms race against the infinite space of possible malicious instructions.

The defense operates at the data layer, upstream of instructions entirely. By the time the injection fires, the agent was never given real data. You cannot exfiltrate what you never possessed.

Think of guardrails as a security guard at the vault door, trying to tell legitimate visitors from robbers. The guard catches 95 out of 100. The five who get through walk out with real cash. This system replaced the cash with counterfeits before anyone entered the building. The door is open. Robbers walk in freely, fill their bags, walk out. Then try to spend the money.

The trifecta treats "access to private data" as atomic. This architecture splits it into two distinct capabilities:

• Functional access: the ability to direct data to authorized destinations. Type a routing number into a payment form, submit an SSN to a tax portal. The agent uses the data.
• Informational access: the ability to observe data content. Read the routing number, know the SSN. The agent knows the data.

Every system ever built has treated these as inseparable. If you can use data, you can see it. The coupling is so universal that nobody discusses it.

This architecture gives the agent full functional access and zero informational access. It directs real routing numbers to the IRS, real credentials to Chase, real SSNs to TurboTax. Every transaction completes with real data. The agent has worked with synthetic values from the start, and at authorized destinations, those values are silently resolved to real ones.

Detection is not perfect. The system relies on a pipeline to identify PII and replace it with synthetic values. Some values will be missed: an unusual format, a name the model doesn't flag, a value in an unexpected context.

The failure mode is different from every other defense.

• They can't validate SSNs without attempting fraud. 19 of 20 attempts fail with synthetic numbers
• They can't correlate names to SSNs because the synthetic names don't match the synthetic SSNs
• They can't identify the real value by format, because synthetics are generated to match real formatting exactly

At 99% detection accuracy, which production NER systems routinely achieve on standard PII categories, the signal-to-noise ratio is 1:99.

We don't avoid the lethal trifecta. We operate inside it.

All three ingredients remain fully active. The agent accesses private data, directing real routing numbers, real SSNs, and real credentials to authorized destinations. Transactions complete. The agent encounters untrusted content. The agent communicates externally.

The kill chain breaks because the data access is functional, not informational. The agent directs data it has never observed. At authorized destinations, synthetic values resolve to real ones. At unauthorized destinations, only placeholders reach the page. The prompt injection is not prevented. The agent is not constrained. The data was already replaced before the agent saw anything.

This is the architecture we described in Your AI Doesn't Need to Know Who You Are, and the structural separation we explored in the Two Room Thought Experiment. Applied to the hardest unsolved problem in AI agent security.