essay · 2026-07-07
The lethal trifecta, gated
The most useful frame in agent security fits in one sentence: an agent that combines private data, untrusted content, and external communication can be made to exfiltrate the first via the third by the second. Each capability alone is safe. Prompt injection turns the combination into a weapon — reliably, boringly, in production.
Policy documents tell teams to "be careful." Infrastructure can do better: it can make the trifecta a scheduling decision.
Gate it where capabilities are granted
agentctl evaluates the trifecta per-agent at provision time. An agent's declared surfaces — which MCP servers (data), which triggers (content), which outbound domains (comms) — are visible in its spec, so the fleet controller can refuse or flag the full combination before a pod exists. Two legs are a workload; three legs are a decision someone signs.
Starve it at the runtime
agentd shrinks each leg by construction. No local code execution means untrusted content can't become arbitrary capability. Tools-as-remote-MCP means data access is enumerable rather than ambient. Direct-dial with short-lived identity means "external communication" is a list of endpoints with an audit trail, not an open socket.
Drain what leaks anyway
SCRUBR handles the residue: even a fully-gated agent talks to a model, and context accumulates secrets. Reversible masking means the exfiltration channel of last resort — the LLM request itself — carries sentinels, not values.
None of this makes prompt injection stop working. That is the honest part: the model stays gullible, so the system around it must make gullibility non-fatal. Gate the combination, starve the legs, drain the residue — and publish the mechanism, because "trust us, we're careful" is exactly the policy prose this stack exists to replace.