
Key facts.
- The lethal trifecta's private-data leg scales with read scope: broader retrieval means more to exfiltrate in a single compromise (Willison, 2025).
- Slack AI was shown leaking private channel content via indirect injection, enabled by its cross-workspace read access (PromptArmor).
- Scoping retrieval to what the task needs, per user, per query, bounds how much a single breach can reach.
Why does broad retrieval feel safe until it isn't?
Broad read scope is breach scope, a system-layer wall a better model won't move: Slack AI leaked private channels via injection, and LLMs surface memorized PII. (Willison, 2025)
Because breadth is what makes the agent impressive: it can answer anything because it can read everything. The cost is invisible until an injection succeeds, and then the agent's wide read access becomes the attacker's wide read access. The fix is to scope retrieval the way you scope any sensitive access: limit it to the data the current task and the current user actually require, rather than granting the agent a standing pass to the entire corpus. Narrow read scope is narrow breach scope.

Wide retrieval vs. scoped retrieval
| Wide retrieval | Scoped retrieval |
|---|---|
| Standing access to the whole corpus | Access limited to task and user |
| One breach reaches everything | One breach reaches a slice |
| Read scope equals breach scope | Breach scope is deliberately small |
VibeModel's Pattern Intelligence Layer watches for the pattern of an agent retrieving and moving far more than the task requires, the signature of an exfiltration in progress, and flags it. You scope retrieval to the task and the user; we catch the moment a breach tries to drain beyond it. Make the agent helpful with the data it needs, not exposed by the data it can reach.
Frequently asked questions
Won't scoped retrieval make the agent less capable?
Only at tasks that genuinely need the whole corpus, which are rare. Most queries need a slice, and scoping to that slice barely affects capability while shrinking the breach.
How do I scope retrieval per user?
Honor the user's own access rights in the agent's retrieval, so the agent can never read for a user what that user could not read themselves.

