Each action looked safe. Together they breached you.

Read a file. Summarize it. Send an email. Three harmless actions. In that order, with the wrong content, they exfiltrate your data.

B

Balagei G Nagarajan

3 MIN READ


Three individually green actions combining into a red exfiltration sequence
Per-action control asks "is this action allowed," and each action is.
— from “Each action looked safe. Together they breached you.”

Key facts.

  • The lethal trifecta is a composition: each capability is safe alone, dangerous combined (Willison, 2025).
  • Per-action access control approves each step in isolation, so it cannot see the dangerous sequence (Greshake et al., 2023).
  • Defending composition needs flow-level reasoning: track what data the agent has touched and gate the action that would combine sensitive access with an exit.

Why does per-action security miss this?

Because it asks the wrong question. Per-action control asks "is this action allowed," and each action is. The dangerous property is the sequence: sensitive data read, then transformed, then sent outward. To catch it you have to reason about the flow, tracking that the agent has handled private data and that the current action would exfiltrate it. That is taint tracking applied to agent behavior, and it is the only level at which a composition attack is visible.

Sankey diagram tracing a flow from private-data read through transform to external send with a taint gate at the exit

Per-action vs. flow-aware

Per-action controlFlow-aware control
Each step approved aloneThe sequence is evaluated
Dangerous combination invisibleSensitive-then-exit pattern caught
Composition attacks succeedThe exit is gated when tainted

VibeModel's Pattern Intelligence Layer reasons about the flow, not just the action: it tracks when an agent has touched sensitive data and recognizes the composition pattern that turns benign steps into a breach, gating the exit. You allow the individual actions; we watch the sequence they form. The breach is in the combination, so the defense has to be too.

Frequently asked questions

Can I block composition with action rules?
Not reliably. Each action is legitimate, so rules either block useful work or miss the attack. You need flow-level taint reasoning.

What is the canonical composition to watch?
Read sensitive data, then send externally, after ingesting untrusted content. That sequence is the lethal trifecta in motion.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.