The broader your agent can read, the more one breach can steal

You gave the agent wide retrieval so it could be helpful. You also gave one successful injection access to everything it can see.

B

Balagei G Nagarajan

3 MIN READ


An agent with wide read access to many data stores, one breach draining all of them

Key facts.

  • The lethal trifecta's private-data leg scales with read scope: broader retrieval means more to exfiltrate in a single compromise (Willison, 2025).
  • Slack AI was shown leaking private channel content via indirect injection, enabled by its cross-workspace read access (PromptArmor).
  • Scoping retrieval to what the task needs, per user, per query, bounds how much a single breach can reach.
Only at tasks that genuinely need the whole corpus, which are rare.
— from "The broader your agent can read, the more one breach can steal"

Why does broad retrieval feel safe until it isn't?

Broad read scope is breach scope, a system-layer wall a better model won't move: Slack AI leaked private channels via injection, and LLMs surface memorized PII. (Willison, 2025)

Because breadth is what makes the agent impressive: it can answer anything because it can read everything. The cost is invisible until an injection succeeds, and then the agent's wide read access becomes the attacker's wide read access. The fix is to scope retrieval the way you scope any sensitive access: limit it to the data the current task and the current user actually require, rather than granting the agent a standing pass to the entire corpus. Narrow read scope is narrow breach scope.

Funnel diagram showing wide retrieval scope narrowed per task and per user to bound exfiltration

Wide retrieval vs. scoped retrieval

Wide retrievalScoped retrieval
Standing access to the whole corpusAccess limited to task and user
One breach reaches everythingOne breach reaches a slice
Read scope equals breach scopeBreach scope is deliberately small

VibeModel's Pattern Intelligence Layer watches for the pattern of an agent retrieving and moving far more than the task requires, the signature of an exfiltration in progress, and flags it. You scope retrieval to the task and the user; we catch the moment a breach tries to drain beyond it. Make the agent helpful with the data it needs, not exposed by the data it can reach.

Frequently asked questions

Won't scoped retrieval make the agent less capable?
Only at tasks that genuinely need the whole corpus, which are rare. Most queries need a slice, and scoping to that slice barely affects capability while shrinking the breach.

How do I scope retrieval per user?
Honor the user's own access rights in the agent's retrieval, so the agent can never read for a user what that user could not read themselves.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.