The agentic AI ‘lethal trifecta’: What CISOs should know

<p>By now, every CISO has probably heard the phrase <i>lethal trifecta</i> tossed around in AI security discussions. The term refers to a combination of three agentic AI properties that, together, make agents vulnerable to attack and put the enterprises using them at massive risk.</p>
<p>Programmer Simon Willison is credited with coining the term <i>lethal trifecta</i> as it relates to <a href="https://www.techtarget.com/searchenterpriseai/definition/agentic-AI">agentic AI</a>. Unfortunately, the cybersecurity field does not currently agree on a universal definition: different cybersecurity analysts and AI researchers often pick different trios of properties. And, of course, there’s no need to stop at three, but we lack a cutesy term like <i>quadfecta</i> or <i>quintfecta</i> to describe a longer list.</p>
<p>That said, conversations about the <a href="https://www.techtarget.com/searchsecurity/tip/What-agentic-AI-means-for-cybersecurity">agentic AI</a> lethal trifecta often center on the following three properties, as initially <a target="_blank" href="https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/" rel="noopener">described</a> by Willison:</p>
<ul class="default-list">
<li>Agent access to private or sensitive information, whether personal information about staff or customers or confidential intellectual property.</li>
<li>Agent ingestion of uncontrolled content. That is, having an agent that reads data from sources the enterprise does not control, such as public websites, and that can contain either intentionally incorrect information — meant to affect enterprise or agent decisions — or hidden prompts intended to redirect agent goals or actions.</li>
<li>Agent ability to communicate externally, and so to exfiltrate data.</li>
</ul>
<p>Alternatively, some cybersecurity experts include the following properties in the agentic AI lethal trifecta:</p>
<ul class="default-list">
<li>Agent empowerment to act in ways that affect other enterprise systems — e.g., reconfiguring network devices or modifying databases.</li>
<li>Agent ability to plan and adaptively pursue long-term objectives without reconfirmation of purpose by a human. Adaptability includes the ability to exploit chains of low-impact vulnerabilities — e.g., CVEs with low CVSS scores — to achieve high-impact outcomes such as root-level access to a key server.</li>
<li>Agent ability to self-improve and gain capabilities — e.g., modifying its own code; modifying its own goals; finding other tools to fill its functional shortcomings; or designing better models, then creating and using tools based on them.</li>
<li>Agentic velocity, or the ability to swamp human-scaled governance mechanisms.</li>
<li>Agentic prompt drift — i.e., agent non-determinism. Agents and other AIs can produce dramatically different results in response to the same prompt — and indeed, many jailbreak attacks rely on this to get an AI to break free of its alignment training.</li>
<li>Agent cost indeterminacy. An AI’s actual costs, in terms of tokens expended, can spiral unpredictably due to factors such as prompt drift and “context rot,” which drives it into recursive loops of re-reading the same context data.</li>
<li>Agents with superhuman persuasiveness can pursue slow and sophisticated social engineering attacks at scales previously impossible.</li>
</ul>
<p>Pick any subset of these problems, and the core idea is the same: AI plus agency plus permission to act in the enterprise environment add up to a risky synergy with potentially catastrophic consequences.</p>
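<p>As an added illustration (not code from the article or from Willison), the sketch below treats the three properties Willison describes as capability flags. It checks a tool set statically and, at runtime, refuses whichever call would complete the trifecta within one session. The tool names and their classifications are constructed assumptions.</p>

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Leg(Flag):
    NONE = 0
    PRIVATE_DATA = auto()       # reads sensitive or confidential information
    UNTRUSTED_CONTENT = auto()  # ingests content the enterprise does not control
    EXTERNAL_COMMS = auto()     # can send data outside the enterprise


TRIFECTA = Leg.PRIVATE_DATA | Leg.UNTRUSTED_CONTENT | Leg.EXTERNAL_COMMS

# Constructed inventory: hypothetical tool names mapped to the legs they grant.
TOOLS = {
    "crm_lookup": Leg.PRIVATE_DATA,
    "web_fetch": Leg.UNTRUSTED_CONTENT,
    "read_inbox": Leg.PRIVATE_DATA | Leg.UNTRUSTED_CONTENT,  # inbound mail is both
    "send_email": Leg.EXTERNAL_COMMS,
    "calculator": Leg.NONE,
}


def audit(tool_names):
    """Static check: does this tool set, taken together, complete the trifecta?"""
    granted = Leg.NONE
    for name in tool_names:
        granted |= TOOLS[name]
    return (granted & TRIFECTA) == TRIFECTA


@dataclass
class SessionGuard:
    """Runtime check: deny the call that would complete the trifecta in a session."""
    used: Leg = Leg.NONE
    denied: list = field(default_factory=list)

    def authorize(self, tool_name):
        after = self.used | TOOLS[tool_name]
        if (after & TRIFECTA) == TRIFECTA:
            self.denied.append(tool_name)  # keep a record for review and alerting
            return False
        self.used = after                  # legs accumulate for the whole session
        return True
```

<p>The guard is order-independent: a session that has already fetched web content and sent mail is denied the private-data lookup, just as one that has read the inbox is denied the outbound send.</p>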
<section class="section main-article-chapter" data-menu-title="Why CISOs should pay attention">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Why CISOs should pay attention</h2>
<p>Agentic AI introduces a new category of cyberthreat — one that can exploit every other existing threat category. An agent with data access, external connectivity and the ability to act autonomously could reconfigure systems, exfiltrate sensitive data and more, making it both a <a href="https://www.techtarget.com/searchsecurity/feature/Agentic-AIs-role-in-amplifying-and-creating-insider-risks">significant insider threat</a> and attack vector for external threat actors.</p>
<p>Traditional security tools can’t address the potential problems agentic AI creates; for example, traditional web application firewalls can’t prevent <a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work">prompt injection attacks</a>. Organizations must update core architectures to properly integrate new

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.

This article has been indexed from Search Security Resources and Information from TechTarget
