The access control your agent has is the access control an attacker borrows

You do not need to break the agent's permissions. You just need to convince the agent to use them on your behalf.

B

Balagei G Nagarajan

3 MIN READ


An attacker whispering through a document while an agent opens private data it is allowed to see

Key facts.

  • The lethal trifecta: private data access plus untrusted content plus a way to communicate equals exfiltration risk (Willison, 2025).
  • Indirect injection was demonstrated exfiltrating data from Slack AI by planting instructions in content the assistant retrieved (PromptArmor).
  • The agent's legitimate read access is what makes the trick work; the attacker supplies only the instruction (Greshake et al., 2023).
there's no native sense of "this request is adversarial.
— from "The access control your agent has is the access control an attacker borrows"

Why can't the agent tell a real request from a manipulation?

Attackers don't break access, they persuade the agent to use it, and a better model holds the same keys: EchoLeak made one email an incident on Copilot. (arXiv:2302.12173)

Because both arrive as text and both read as plausible. The agent is built to be helpful, and a well-crafted prompt that asks it to summarize, forward, or reveal data sits comfortably inside that helpfulness. there's no native sense of "this request is adversarial." The defense isn't to make the agent smarter at spotting manipulation, it's to constrain what the agent can do with its access: gate exfiltration, separate private-data reads from external communication, and treat any turn that touched untrusted content as suspect.

Venn diagram of private data access, untrusted content, and external communication overlapping into the exfiltration zone

Trusting the agent vs. constraining it

Trusting the agentConstraining it
Helpfulness reaches all its accessSensitive access decoupled from comms
A crafted prompt opens dataExfiltration gated after untrusted input
Permissions equal attack surfacePermissions bounded by action gates

VibeModel's Pattern Intelligence Layer breaks the trifecta by recognizing when an agent that just read untrusted content moves toward revealing or sending private data, and stopping that pattern. You give the agent the access it needs; we make sure a stranger can't borrow it through a clever message.

Frequently asked questions

Is this the same as a jailbreak?
Related but distinct. A jailbreak removes safety behavior; this borrows legitimate access. Both end in the agent doing something it shouldn't.

How do I break the trifecta?
Remove one leg for sensitive flows: don't give the same agent both private-data access and unrestricted external communication in the same turn.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.