
Key facts.
- The lethal trifecta is a composition: each capability is safe alone, dangerous combined (Willison, 2025).
- Per-action access control approves each step in isolation, so it cannot see the dangerous sequence (Greshake et al., 2023).
- Defending composition needs flow-level reasoning: track what data the agent has touched and gate the action that would combine sensitive access with an exit.
Why does per-action security miss this?
Because it asks the wrong question. Per-action control asks "is this action allowed," and each action is. The dangerous property is the sequence: sensitive data read, then transformed, then sent outward. To catch it you have to reason about the flow, tracking that the agent has handled private data and that the current action would exfiltrate it. That is taint tracking applied to agent behavior, and it is the only level at which a composition attack is visible.

Per-action vs. flow-aware
| Per-action control | Flow-aware control |
|---|---|
| Each step approved alone | The sequence is evaluated |
| Dangerous combination invisible | Sensitive-then-exit pattern caught |
| Composition attacks succeed | The exit is gated when tainted |
VibeModel's Pattern Intelligence Layer reasons about the flow, not just the action: it tracks when an agent has touched sensitive data and recognizes the composition pattern that turns benign steps into a breach, gating the exit. You allow the individual actions; we watch the sequence they form. The breach is in the combination, so the defense has to be too.
Frequently asked questions
Can I block composition with action rules?
Not reliably. Each action is legitimate, so rules either block useful work or miss the attack. You need flow-level taint reasoning.
What is the canonical composition to watch?
Read sensitive data, then send externally, after ingesting untrusted content. That sequence is the lethal trifecta in motion.

