Legitimate AI agents inherently satisfy all three criteria of the “lethal trifecta” (data access, external content, external communication), so security must shift from architectural design to runtime monitoring.
Current AI web agents lack reliable defenses against prompt injection attacks and can fulfill attack objectives undetected while users remain unaware of the threat.
