It usually starts with something that feels harmless. You give an AI agent access to a few tools. Maybe it can read internal tickets, check a database, and send Slack messages. You wire things up, test a few flows, and everything works.

Then someone asks a simple question: “What stops this agent from doing something it shouldn’t?”

That’s where things get uncomfortable.

The “Lethal Trifecta” (Why This Gets Risky Fast)

There’s a concept from recent security research that’s been getting a lot of attention. It’s sometimes called the “lethal trifecta.” An AI agent becomes dangerous when it combines three capabilities:

- Access to private data
- Exposure to untrusted input
- Ability to take external actions

Each of these is fine on its own. Together, they’re a problem.

Imagine this: Your agent reads internal support tickets. It also processes external content, like GitHub issues. And it can send messages to Slack.

Now someone posts a malicious prompt inside a public GitHub issue.…
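One way to make “what stops this agent” a concrete, enforceable answer is to track the three capabilities per session and refuse whichever tool call would complete the set. This is an added example, not code from the original post: the tool names, the `Session` dispatcher and the execute stub are hypothetical placeholders standing in for the ticket system, GitHub and Slack clients.

```python
# Added example: a minimal tool dispatcher that records which of the three
# "lethal trifecta" capabilities a session has exercised and refuses the
# call that would complete all three. Tool names and _execute are
# hypothetical placeholders, not a real agent framework's API.
from dataclasses import dataclass, field
from enum import Enum


class Cap(Enum):
    PRIVATE_DATA = "private_data"        # e.g. internal tickets, customer DB
    UNTRUSTED_INPUT = "untrusted_input"  # e.g. public GitHub issues
    EXTERNAL_ACTION = "external_action"  # e.g. posting to Slack


# Hypothetical registry: each tool declares the trifecta leg it exercises.
TOOLS = {
    "read_ticket": Cap.PRIVATE_DATA,
    "fetch_github_issue": Cap.UNTRUSTED_INPUT,
    "send_slack_message": Cap.EXTERNAL_ACTION,
}


class TrifectaBlocked(Exception):
    """The requested tool would give this session all three capabilities."""


@dataclass
class Session:
    used: set = field(default_factory=set)     # capabilities exercised so far
    audit: list = field(default_factory=list)  # (decision, tool) log for review

    def call(self, tool: str, **args) -> str:
        cap = TOOLS[tool]
        # Decide before executing. Order-independent: whichever leg arrives
        # third is refused, so two legs are allowed but never all three.
        if self.used | {cap} == set(Cap):
            self.audit.append(("blocked", tool))
            raise TrifectaBlocked(f"{tool} would complete the trifecta")
        self.used.add(cap)
        self.audit.append(("allowed", tool))
        return _execute(tool, **args)


def _execute(tool: str, **args) -> str:
    # Stub standing in for the real ticket, GitHub and Slack clients.
    return f"{tool}({', '.join(f'{k}={v!r}' for k, v in args.items())}) ok"


def run_scenario() -> tuple:
    """The post's scenario: read a ticket, ingest a public issue, try Slack."""
    s = Session()
    s.call("read_ticket", id=42)
    s.call("fetch_github_issue", url="https://github.com/example/repo/issues/1")
    try:
        s.call("send_slack_message", channel="#support", text="summary")
        blocked = False
    except TrifectaBlocked:
        blocked = True
    return blocked, [decision for decision, _ in s.audit]
```

The `audit` list gives a detection hook: a blocked entry is exactly the event a SOC would want to alert on, since it means untrusted content and private data were both in context when the agent tried to act externally.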