Prompt injection
The core agentic vulnerability. Architectural, not a bug, and possibly permanent. The Lethal Trifecta names the exposure.
The core vulnerability of agentic security, and it is architectural: text from every source carries the same authority, so injected instructions ride in as data. The Lethal Trifecta names the exposure: private data, untrusted input, external communication. Each harmless alone; together, a complete attack chain.
The trifecta as a working checklist: what each condition contributes to the attack chain, which defenses bind it, and Meta's Rule of Two as the operating decision: no more than two of the three per session, or a human joins the loop.
The architectural flaw
If reliability is about agents getting things wrong by accident, security is about agents being made to get things wrong on purpose. In agentic systems the consequences are fundamentally worse because agents do not just answer questions, they take actions. The core vulnerability when it comes to agentic security is undoubtedly prompt injection. In 2025 OWASP ranked it LLM01, the highest-priority vulnerability, and it maps to six of the ten categories in OWASP's Top 10 for agentic applications. It also drives most agentic AI security failures in production as of 2026.
Prompt injection vulnerability is architectural and not a bug, because there is no reliable way to mark text from different sources (user, system, retrieved content) with different levels of authority. Commands and data all carry the same authority as a legitimate operator instruction. This is not a flaw in a specific model. It is how the technology works. OpenAI has acknowledged it as a "frontier security challenge" that may never be fully solved, and industry reporting increasingly describes it as a structural property rather than a patchable bug.
The Lethal Trifecta and the Rule of Two
When prompt injection takes place in agentic systems it hijacks the agent's goal, and as a result it can redirect tool calls, exfiltrate data and propagate malicious behavior across an entire orchestrated system. Simon Willison has identified three conditions that, when all present, make an agent exploitable. Private data access, which allows the agent to read emails, documents and databases. Untrusted input exposure, which occurs when the agent processes content from external sources. And external communication capability, the agent's ability to make outbound requests. Willison coined the term The Lethal Trifecta and postulated that each condition of the three is harmless on its own. However, when together they create a complete attack chain, because untrusted input redirects the agent's behavior, while private data becomes the target and external communication becomes the exfiltration channel. Meta, while adopting the framework, has established the "Rule of Two": until prompt injection can be reliably detected, an agent should satisfy no more than two of the three properties within a session, and an agent that needs all three requires human-in-the-loop supervision.
Defense, and the catalog
The uncomfortable truth is that prompt injection may be a permanent architectural flaw and not a patchable bug. The mitigation is layered defense, input validation and output filtering, while least-privilege tool access, sandboxing and human approval gates for high-risk actions are of paramount importance.
There are significant efforts to systematically catalog various prompt injection approaches. MITRE ATLAS for example has cataloged 16 tactics and over 100 techniques. Successive releases have expanded the catalog, and the detail is almost entirely agent-shaped as of mid-2026. The threat landscape has been formally mapped.
Security in agentic systems is not a hardened perimeter. It is a managed attack surface that grows with every tool the agent can access and every agent it can delegate to. The Lethal Trifecta and Rule of Two provide a concrete mental model for assessing potential exposure.
| Claim | Source | Status |
|---|---|---|
| Prompt injection maps to six of the ten categories in OWASP's Top 10 for agentic applications. | Top 10 for Agentic Applications 2026 | verified 2026-07-02 |
| The Lethal Trifecta: private data access, untrusted input exposure and external communication capability are each harmless alone and form a complete attack chain together. | AI Security 2026: The Lethal Trifecta | verified 2026-07-02 |
| Meta's Rule of Two: until prompt injection can be reliably detected, an agent should satisfy no more than two of the three trifecta properties within a session; an agent that needs all three requires human-in-the-loop supervision. | Agents Rule of Two: A Practical Approach to AI Agent Security | verified 2026-07-02 |
| MITRE ATLAS has cataloged 16 tactics and over 100 techniques for adversarial threats to AI systems. | ATLAS: Adversarial Threat Landscape for AI Systems | verified 2026-07-02 |
| OpenAI has acknowledged prompt injection as a frontier security challenge that may never be fully solved. | Understanding Prompt Injections: A Frontier Security Challenge | verified 2026-07-02 |
| OWASP ranked prompt injection LLM01, the highest-priority LLM vulnerability, in 2025. | LLM01:2025 Prompt Injection | verified 2026-07-02 |