TL;DR: AI agents become vulnerable when they can read private data, process untrusted content, and take external actions in the same session, creating a zero-click attack path through normal business inputs, according to Cyera. The security problem is architectural: access, context, and egress are now coupled in ways traditional IAM and DLP controls were not built to govern.
At a glance
What this is: Cyera frames the lethal trifecta as a structural AI agent risk: private data access, untrusted content, and outbound actions combine into a zero-click exfiltration path.
Why it matters: For IAM and NHI practitioners, the issue is not just prompt safety but whether agent permissions, context, and tool access can be constrained before data leaves the trust boundary.
👉 Read Cyera's analysis of the lethal trifecta in AI agent security
Context
AI agent security breaks down when an autonomous system can read sensitive internal data, ingest untrusted external content, and communicate outward through approved tools. That combination turns normal workflows into an NHI governance problem because the agent is acting with persistent or semi-persistent authority across multiple trust domains. The result is not a classic exploit chain, but a permission and context design failure.
Cyera's example is useful because it starts from a normal business workflow, not an exotic attack. That is typical of the problem space: the risk emerges when organisations optimise for agent usefulness before defining the identity, data-flow, and egress boundaries that make autonomous action safe.
Key questions
Q: How should security teams govern AI agents that can read internal data and send external messages?
A: Treat the agent as a non-human identity with tightly scoped authority, not as a helpful interface layer. Limit the agent to the smallest task-specific permission set, inspect outbound content in real time, and require human approval for any action that crosses a trust boundary. Governance must cover identity, context, and egress together.
Q: Why are zero-click attacks especially dangerous for AI agents?
A: Zero-click attacks are dangerous because the attacker does not need the user to fail or click anything. The malicious instruction can arrive inside ordinary email, documents, or calendar content, and the agent may execute it while following normal workflow logic. That makes the attack covert, scalable, and hard to detect with traditional controls.
Q: What is the difference between least privilege and session containment for AI agents?
A: Least privilege limits what the agent can access, while session containment limits what a compromised session can do after access has been granted. Both are necessary. Least privilege reduces the reachable data set, and containment prevents one manipulated session from turning temporary access into broader operational impact.
Q: When should organisations require human approval for AI agent actions?
A: Use human approval whenever the agent is about to cross a trust boundary, disclose sensitive data, or widen its scope beyond the original task. Approval is especially important when the agent has read access to private information and an external communication channel. That is where automation can become accidental exfiltration.
Technical breakdown
Why the lethal trifecta creates a zero-click agent attack path
The lethal trifecta is dangerous because it joins three capabilities that security teams usually control separately: access to private data, ingestion of untrusted content, and external communication. Once all three exist in one agent session, indirect prompt injection can turn ordinary text into instructions. The agent does not need a malicious binary or a failed login. It simply reads content, places it into context, and then uses an authorised tool to send data back out. Traditional perimeter controls struggle here because the payload is language, not code.
Practical implication: Treat every tool-enabled agent as a potential exfiltration channel and enforce policy at each boundary, not only at the prompt layer.
Identity and scoped permissions for AI agents
Agent identity determines whose authority the system can exercise. An agent acting on behalf of a user inherits user context, while a service identity can be constrained more tightly, but both models require explicit scoping. Least privilege matters, but so does intersection control, meaning the agent should only act within the overlap of approved user rights, task scope, and time window. Without that, an innocuous workflow can still reach admin-grade data or actions. In NHI terms, the agent becomes a non-human identity with dynamic privilege that must be governed like any other high-risk workload identity.
Practical implication: Define the agent's authority explicitly, cap it by task, and prevent privilege expansion outside a verified workflow.
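The intersection control described above can be expressed directly in code. The following is an added illustration, not Cyera's or NHIMG's code: an agent grant whose effective permissions are the overlap of the delegating user's rights and the task's declared scope, bounded by a time window. The permission names, agent id, clock value and task scopes are constructed for the example.

```python
"""Intersection control for an agent's effective authority (added example).

Effective permissions = user rights ∩ task scope, valid only inside a time
window. Rights the task asks for but the user lacks are reported and dropped,
never escalated. All names and values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AgentGrant:
    """A time-boxed grant: the agent may act only where the delegating user's
    rights and the task's declared scope overlap."""
    agent_id: str
    user_rights: frozenset   # what the delegating user may do
    task_scope: frozenset    # what this task declares it needs
    not_before: datetime
    not_after: datetime

    def effective_permissions(self) -> frozenset:
        # Intersection: the agent never receives more than both sides allow.
        return self.user_rights & self.task_scope

    def allows(self, permission: str, now: datetime) -> bool:
        # Outside the window the grant is dead regardless of scope.
        if not (self.not_before <= now < self.not_after):
            return False
        return permission in self.effective_permissions()


def request_grant(agent_id, user_rights, task_scope, now, ttl_minutes=15):
    """Issue a grant for one task and return the rights that were refused
    because the user does not hold them (nothing is widened to satisfy the task)."""
    user_rights = frozenset(user_rights)
    task_scope = frozenset(task_scope)
    grant = AgentGrant(agent_id, user_rights, task_scope,
                       now, now + timedelta(minutes=ttl_minutes))
    denied = task_scope - user_rights
    return grant, denied


# Constructed sample: a mailbox-triage agent acting for a user who has no CRM
# write rights, running under a 15-minute grant.
NOW = datetime(2026, 3, 26, 9, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)
GRANT, DENIED = request_grant(
    "mailbox-triage-agent",
    user_rights={"mail.read", "mail.send", "crm.read", "hr.read"},
    task_scope={"mail.read", "mail.send", "crm.read", "crm.write"},
    now=NOW,
)

if __name__ == "__main__":
    print("effective:", sorted(GRANT.effective_permissions()))
    print("refused:", sorted(DENIED))
    for perm in ("crm.read", "hr.read", "crm.write"):
        print(perm, "now:", GRANT.allows(perm, NOW), "later:", GRANT.allows(perm, LATER))
```

Note that `hr.read` is refused even though the user holds it, because the task never declared it; `crm.write` is refused even though the task asked for it, because the user does not hold it. That two-sided cap is the difference between intersection control and plain role inheritance.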
Data-flow enforcement and runtime egress controls
Static permissioning is not enough because the dangerous step often happens after the agent has already accessed valid data. Runtime enforcement needs to inspect outbound payloads, block unsafe writes, and default-deny egress unless a destination is approved. This is where DLP-style checks, allowlists, and session-level lockdown matter. If an agent touches restricted data, the session should lose external write capability until a human or policy engine re-authorises the action. The architectural goal is to separate reading from releasing, so sensitive context cannot cross a trust boundary unnoticed.
Practical implication: Build inline decision points for every outbound tool call and fail closed when the agent handles sensitive context.
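Because the payload is language rather than code (the point made in the trifecta section above), the enforceable control point is the outbound tool call, not the text the model reads. The following added example, which is not Cyera's or NHIMG's code, shows a session-level egress gate that separates reading from releasing: a read of restricted data locks outbound writes until a person or policy engine re-authorises the session, every send is checked against a destination allowlist and an inline DLP pattern set, and unknown tools are denied by default. The tool names, allowlist entries, sensitive patterns and sample messages are all constructed.

```python
"""Runtime egress gate for a tool-enabled agent session (added example).

Decision order for every outbound call: session lock, destination allowlist,
inline payload inspection. The gate fails closed. All tool names, destinations,
patterns and messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Destinations the agent may write to without further review (constructed).
EGRESS_ALLOWLIST = {
    "email": {"@corp.example"},     # internal recipients only
    "chat": {"#ops-internal"},
}

# Inline DLP check: content that must never leave the boundary (constructed).
SENSITIVE_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b"),
    re.compile(r"\bEMP-\d{6}\b"),                       # constructed employee-id format
    re.compile(r"\b(?:api|access)_key\s*[:=]\s*\S+", re.I),
]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AgentSession:
    session_id: str
    restricted_context: bool = False   # restricted data has entered context
    egress_locked: bool = False        # external write capability revoked
    audit: list = field(default_factory=list)

    def read(self, source: str, label: str, content: str) -> str:
        """Bring content into context. A restricted read locks egress (fail closed)."""
        if label == "restricted":
            self.restricted_context = True
            self.egress_locked = True
        self.audit.append(("read", source, label))
        return content

    def reauthorise(self, approver: str) -> None:
        """A human or policy engine re-enables outbound writes for this session."""
        self.egress_locked = False
        self.audit.append(("reauthorise", approver))

    def send(self, tool: str, destination: str, payload: str) -> Decision:
        """Inline decision point for every outbound tool call."""
        if self.egress_locked:
            d = Decision(False, "session touched restricted data; egress locked pending re-authorisation")
        elif not _destination_allowed(tool, destination):
            d = Decision(False, f"destination {destination!r} not on {tool!r} allowlist")
        elif (hit := _sensitive_hit(payload)) is not None:
            d = Decision(False, f"payload matched sensitive pattern {hit}")
        else:
            d = Decision(True, "ok")
        self.audit.append(("send", tool, destination, d.allowed, d.reason))
        return d


def _destination_allowed(tool: str, destination: str) -> bool:
    allowed = EGRESS_ALLOWLIST.get(tool, set())   # unknown tool: default deny
    return any(destination.endswith(suffix) for suffix in allowed)


def _sensitive_hit(payload: str):
    for pat in SENSITIVE_PATTERNS:
        if pat.search(payload):
            return pat.pattern
    return None


if __name__ == "__main__":
    s = AgentSession("demo")
    print(s.send("email", "alice@corp.example", "Meeting notes attached"))
    print(s.send("email", "someone@outside.example", "Meeting notes attached"))
    s.read("hr-db", "restricted", "EMP-123456 salary review")   # locks egress
    print(s.send("email", "alice@corp.example", "Summary ready"))
    s.reauthorise("bob (security reviewer)")
    print(s.send("email", "alice@corp.example", "EMP-123456 earns ..."))  # DLP still blocks
```

The lock and the inline inspection are deliberately independent: re-authorisation reopens the channel, but it does not exempt the payload from inspection, so a manipulated session cannot turn a single approval into a blanket release.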
Threat narrative
Attacker objective: The attacker wants the agent to disclose internal data or act on it through legitimate channels, turning authorised automation into a covert exfiltration path.
- Entry occurs when an attacker embeds instructions in normal business content such as email, a PDF, or a meeting invite that the agent is likely to process.
- Escalation happens when the agent combines that untrusted content with private internal context and cannot reliably separate data from instructions.
- Impact follows when the agent uses an authorised tool, such as email or chat, to exfiltrate sensitive information without a traditional exploit or login event.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
The lethal trifecta is now an NHI governance pattern, not an edge-case AI safety issue. Once an agent can read, reason over, and act on the same corpus of data, the security model shifts from discrete authentication to continuous control of context and egress. That is a non-human identity problem because the agent is exercising authority across systems with little human friction. Practitioners should stop treating agent security as a prompt hygiene exercise and start treating it as identity governance for autonomous software.
Ephemeral trust without egress control creates ephemeral credential trust debt. Even short-lived privileges can become dangerous if the agent can pass sensitive data into external channels before the session ends. Time-bound access helps, but it does not solve the core issue that the agent's execution context can be manipulated after access is granted. The practical conclusion is that JIT access must be paired with runtime inspection and session containment, or the exposure merely moves to a shorter time window.
Hard boundaries matter more than model behaviour tuning. Security leaders cannot rely on the agent to interpret malicious text correctly every time, because the failure mode is architectural, not behavioural. Identity scoping, data-flow enforcement, isolation, and human approval gates are the real controls that reduce damage when the agent is tricked. The field should now expect NHI governance to expand from credentials and rotation into context boundaries and action boundaries.
Agentic AI security will converge with existing NHI and PAM controls, but only if teams reframe privilege as conditional and observable. Agents need the same scrutiny applied to service accounts and privileged automations, with stronger session-level telemetry and tighter default-deny egress. The organisations that succeed will be the ones that map agent workflows to explicit control points instead of assuming productivity features are harmless. Practitioners should align agent governance with least privilege, auditability, and blast-radius reduction.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For a broader control framework, review OWASP NHI Top 10 for agentic application risks and map those findings to your own privilege and egress controls.
What this signals
Lethal trifecta controls will become a baseline requirement for agent programs. Organisations that cannot separate data access from outbound action will keep inheriting the same failure mode under different labels. The governance gap is structural, and the right response is to design for containment first, then extend capability only where policy and monitoring exist. Teams should expect agent security reviews to look more like NHI risk assessments than chatbot policy reviews.
With 98% of companies planning to deploy even more AI agents within the next 12 months, the control problem is compounding faster than most access governance programmes can adapt. That means identity owners should treat agent growth as a capacity issue for IAM, PAM, and audit functions, not just an AI rollout. The sooner teams instrument context, session, and egress controls, the less remediation debt they inherit.
Identity blast radius will become the most useful planning concept for agent governance. A small mis-scoped agent can still produce a large impact if it can read private data and speak externally with authority. That is why teams should align their control roadmap to blast-radius reduction, not to model sophistication. The practical next step is to map every agent workflow to explicit trust boundaries and decide where human approval remains mandatory.
For practitioners
- Define explicit agent identity models: Decide whether each agent acts as the user, as a service identity, or through a constrained hybrid model. Document the allowed intersection of permissions, the time window, and the exact actions the agent may perform, then review that model as part of access governance. Use the same discipline you would apply to a high-risk service account.
- Enforce runtime egress controls: Inspect tool calls and outbound messages for sensitive data, then block or quarantine any session that touches restricted content. Pair DLP-style inspection with default-deny outbound policies and allowlists for destinations and schemas so the agent cannot silently move data outside the trust boundary.
- Isolate sessions and remove implicit access: Prevent shared state across agent sessions, and disable remote previews, web fetches, and image loading unless they are explicitly approved. Session containment should include teardown logic so context, tokens, and temporary artefacts do not persist after the task completes.
- Require human approval for sensitive actions: Use human-in-the-loop approval when an agent is about to send data externally, widen scope, or act on restricted context. The agent can draft and summarise, but a person should authorise the final step when the trust boundary changes.
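The four practitioner steps above fit together as one session-containment model. The following added example, which is not Cyera's or NHIMG's code, shows an explicit identity mode per agent, implicit-access capabilities (web fetch, remote preview, image load) that are off unless a person approves a scope-widening request, per-session state and tokens that are never shared, and teardown that wipes context, tokens and artefacts when the task ends. The mode names, capability names, ticket format and sample workflow are constructed.

```python
"""Session containment with explicit capabilities and teardown (added example).

Each session owns its own context, tokens and artefacts; implicit-access
capabilities are never granted by default and widening scope mid-session is a
boundary change that waits for a human. All names are constructed.
"""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class IdentityMode(Enum):
    AS_USER = "as_user"    # inherits the delegating user's context
    SERVICE = "service"    # own, tightly scoped service identity
    HYBRID = "hybrid"      # user-scoped reads, service-scoped writes


# Capabilities that stay off unless explicitly approved for the session.
IMPLICIT_CAPABILITIES = frozenset({"web_fetch", "remote_preview", "image_load"})


@dataclass
class ContainedSession:
    session_id: str
    mode: IdentityMode
    capabilities: set = field(default_factory=set)
    context: list = field(default_factory=list)
    tokens: dict = field(default_factory=dict)
    artifacts: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # ticket -> capability awaiting a person
    closed: bool = False

    def __enter__(self):
        # Fresh per-session credential: nothing is shared with other sessions.
        self.tokens["task"] = secrets.token_hex(16)
        return self

    def __exit__(self, *exc):
        self.teardown()

    def has(self, capability: str) -> bool:
        return not self.closed and capability in self.capabilities

    def request_capability(self, capability: str) -> str:
        """Widening scope is a trust-boundary change: park it for human approval."""
        ticket = f"req-{secrets.token_hex(4)}"
        self.pending[ticket] = capability
        return ticket

    def approve(self, ticket: str, approver: str) -> bool:
        """Only a consumed, still-open session can receive an approved capability."""
        capability = self.pending.pop(ticket, None)
        if capability is None or self.closed:
            return False
        self.capabilities.add(capability)
        self.artifacts.append(f"approval:{capability}:{approver}")
        return True

    def teardown(self) -> None:
        """Nothing persists past the task: context, tokens, artefacts, approvals."""
        self.context.clear()
        self.tokens.clear()
        self.artifacts.clear()
        self.pending.clear()
        self.capabilities.clear()
        self.closed = True


def new_session(session_id: str, mode: IdentityMode, task_capabilities=()) -> ContainedSession:
    """Start from the task's declared capabilities, minus the implicit ones;
    those must be requested and approved inside the session."""
    explicit = set(task_capabilities) - IMPLICIT_CAPABILITIES
    return ContainedSession(session_id, mode, capabilities=explicit)


if __name__ == "__main__":
    with new_session("demo", IdentityMode.HYBRID, ["mail.read", "web_fetch"]) as s:
        print("web_fetch on start:", s.has("web_fetch"))     # False
        ticket = s.request_capability("web_fetch")
        print("approved:", s.approve(ticket, "reviewer"), "->", s.has("web_fetch"))
    print("after teardown:", s.closed, s.tokens, s.has("mail.read"))
```

Use the session as a context manager around one task so teardown runs even when the task fails; a second `new_session` call gets empty containers of its own, which is what prevents one manipulated interaction from leaking into the next.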
Key takeaways
- AI agents create a governance problem when private data access, untrusted input, and external action exist in the same workflow.
- The scale of the issue is already visible, with most organisations reporting agent behaviour beyond intended scope.
- Security teams should respond with scoped identity, runtime egress controls, session containment, and human approval at trust boundaries.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-01 | Agent identity and prompt injection risks dominate the article. |
| NIST AI RMF | | The article centres on governance, accountability, and lifecycle control for autonomous agents. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The article argues for continuous verification at every trust boundary. |
Assign ownership for each agent and require documented approval for any high-risk action.
Key terms
- Lethal Trifecta: A risky AI agent condition where one system can read private data, consume untrusted content, and communicate externally. When those three capabilities overlap, the agent can be tricked into disclosing sensitive information through legitimate tools without a conventional exploit.
- Indirect Prompt Injection: An attack method that hides instructions inside content the agent is expected to process, such as email, documents, or web pages. The agent treats the malicious text as part of its working context and may follow it, even though no user explicitly asked for the action.
- Identity Blast Radius: The amount of damage a non-human identity can cause if it is mis-scoped, compromised, or manipulated. In agentic systems, blast radius depends on access rights, connected tools, and whether the session can move sensitive data outside the trust boundary.
- Session Containment: A control pattern that limits what a single AI agent session can access, retain, or carry forward. It reduces persistence, shared state, and cross-session leakage so that one manipulated interaction does not become an environment-wide security incident.
Deepen your knowledge
AI agent identity scoping and runtime control boundaries are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an agent governance programme from the same starting point, it is worth exploring.
This post draws on content published by Cyera: When Language Becomes the Attack Vector: The Lethal Trifecta of AI Agents. Read the original.
Published by the NHIMG editorial team on 2026-03-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org