What is the Lethal Trifecta?
A plain-English guide · updated June 2026
The Lethal Trifecta is the combination of three conditions that, together in one AI agent, make data theft possible: access to private data, exposure to untrusted content, and the ability to communicate externally. Any single one is usually safe — it is all three at once that turns a prompt-injection attack into real data loss. The term was coined by Simon Willison.
The three conditions
- Access to private data — API keys, credentials, wallet or browser data, internal records.
- Exposure to untrusted content — skill instructions, memory, emails, web pages, tool output an attacker can influence.
- Ability to communicate externally — network egress, webhooks, outbound API calls.
Why the combination is dangerous
Language models can't reliably separate your instructions from instructions hidden inside content they read. If an agent can read attacker-controlled text, that text can tell it to fetch your secrets — and if the agent can also reach the internet, it can send those secrets out. The three legs form a complete attack chain: read untrusted input → access private data → exfiltrate.
How to break the trifecta
You only need to remove one leg for sensitive workflows:
- Separate data from untrusted input — don't give one agent both privileged data and a path to attacker-controlled content.
- Constrain egress — allow-list outbound destinations, or require human approval before the agent sends anything externally.
- Least-privilege tools — scope tool access tightly so untrusted input can't reach high-privilege actions.
Trifecta vs prompt injection
Prompt injection is the technique; the Lethal Trifecta describes the conditions that make it pay off. Prompt injection against an agent with no private data, or no external egress, is far less harmful. Use the trifecta as a quick design-time screen: if all three legs are present, prompt injection could lead to real data loss.
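The design-time screen described above, together with the cuts listed under "How to break the trifecta", can be expressed as a check over an agent's tool manifest. This is an added example, not code from IsItPatched or Simon Willison; the Tool fields, tool names and allow-list host are hypothetical, and it assumes allow-listed or approval-gated egress counts as a removed leg.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tool:
    name: str
    private_data: bool = False       # reads keys, credentials, internal records
    untrusted_content: bool = False  # returns text an attacker can influence
    egress: bool = False             # can send data outside the agent
    egress_allowlist: tuple = ()     # non-empty: outbound destinations are pinned
    needs_approval: bool = False     # a human approves before anything is sent

    def open_egress(self) -> bool:
        # Assumption: allow-listed or approval-gated egress counts as constrained.
        return self.egress and not self.egress_allowlist and not self.needs_approval

def screen(tools):
    """Report which tools supply each leg and whether all three are present."""
    legs = {
        "private_data": [t.name for t in tools if t.private_data],
        "untrusted_content": [t.name for t in tools if t.untrusted_content],
        "external_comms": [t.name for t in tools if t.open_egress()],
    }
    complete = all(legs.values())  # an empty list means that leg is absent
    # Suggest cutting the leg supplied by the fewest tools (least to change).
    cut = min(legs, key=lambda leg: len(legs[leg])) if complete else None
    return {"legs": legs, "trifecta": complete, "suggested_cut": cut}

# Constructed sample manifests (hypothetical tool names).
INBOX_AGENT = [
    Tool("read_inbox", private_data=True, untrusted_content=True),
    Tool("vault_lookup", private_data=True),
    Tool("fetch_url", untrusted_content=True, egress=True),
]
HARDENED_AGENT = INBOX_AGENT[:2] + [
    Tool("fetch_url", untrusted_content=True, egress=True,
         egress_allowlist=("docs.example.internal",)),
]

if __name__ == "__main__":
    for label, agent in (("inbox", INBOX_AGENT), ("hardened", HARDENED_AGENT)):
        print(label, screen(agent))
```

The result is only as accurate as the flags declared for each tool. Note that a single tool, such as an inbox reader, can supply two legs at once.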
Frequently asked questions
What is the Lethal Trifecta?
The Lethal Trifecta is a way to describe the three conditions that, when combined in one AI agent, make data theft possible: access to private data, exposure to untrusted content, and the ability to communicate externally. The term was coined by Simon Willison. Any single condition is usually fine; it is the combination of all three that lets an attacker use prompt injection to read your secrets and send them somewhere they control.
What are the three conditions?
One — access to private data (API keys, credentials, wallet or browser data, internal records). Two — exposure to untrusted content (skill instructions, memory, emails, web pages, tool output an attacker can influence). Three — the ability to communicate externally (network egress, webhooks, outbound API calls). When all three are present, untrusted content can instruct the agent to read private data and exfiltrate it.
Why is the combination dangerous?
Large language models cannot reliably tell the difference between instructions from you and instructions hidden inside content they read. If an agent can read attacker-controlled text, that text can tell it to fetch your secrets; if the agent can also reach the internet, it can send those secrets out. Remove any one of the three legs and the attack chain breaks.
How do I break the Lethal Trifecta?
Cut at least one leg for sensitive workflows: do not give an agent both private data and a path to untrusted content, or remove its ability to make arbitrary outbound calls (allow-list egress), or strictly isolate untrusted input from privileged tools. Human-in-the-loop approval on egress and least-privilege tool scoping also help. The goal is to ensure no single agent simultaneously has all three capabilities.
Is the Lethal Trifecta the same as prompt injection?
No — prompt injection is the attack technique; the Lethal Trifecta describes the conditions that make that attack pay off. Prompt injection in an agent with no private data or no external egress is far less harmful. The Trifecta is a quick design-time screen for whether prompt injection could lead to real data loss.
IsItPatched is independent and not affiliated with OWASP, CISA or NIST. "Lethal Trifecta" is a term coined by Simon Willison.