
Key facts.
- The lethal trifecta: private data access plus untrusted content plus a way to communicate equals exfiltration risk (Willison, 2025).
- Indirect injection was demonstrated exfiltrating data from Slack AI by planting instructions in content the assistant retrieved (PromptArmor).
- The agent's legitimate read access is what makes the trick work; the attacker supplies only the instruction (Greshake et al., 2023).
Why can't the agent tell a real request from a manipulation?
Attackers don't break access, they persuade the agent to use it, and a better model holds the same keys: EchoLeak made one email an incident on Copilot. (arXiv:2302.12173)
Because both arrive as text and both read as plausible. The agent is built to be helpful, and a well-crafted prompt that asks it to summarize, forward, or reveal data sits comfortably inside that helpfulness. there's no native sense of "this request is adversarial." The defense isn't to make the agent smarter at spotting manipulation, it's to constrain what the agent can do with its access: gate exfiltration, separate private-data reads from external communication, and treat any turn that touched untrusted content as suspect.

Trusting the agent vs. constraining it
| Trusting the agent | Constraining it |
|---|---|
| Helpfulness reaches all its access | Sensitive access decoupled from comms |
| A crafted prompt opens data | Exfiltration gated after untrusted input |
| Permissions equal attack surface | Permissions bounded by action gates |
VibeModel's Pattern Intelligence Layer breaks the trifecta by recognizing when an agent that just read untrusted content moves toward revealing or sending private data, and stopping that pattern. You give the agent the access it needs; we make sure a stranger can't borrow it through a clever message.
Frequently asked questions
Is this the same as a jailbreak?
Related but distinct. A jailbreak removes safety behavior; this borrows legitimate access. Both end in the agent doing something it shouldn't.
How do I break the trifecta?
Remove one leg for sensitive flows: don't give the same agent both private-data access and unrestricted external communication in the same turn.

