However, with regard to its framework, Meta also admits limitations. Accordingly, various popular use cases did not fit seamlessly into the framework, which means that designs based on the “Rule of Two” could still be prone to errors. This is just confirmation that the problem has already outpaced the solution at the architectural level. The extent of the security gaps is no longer just theoretical: an investigation of the Common Crawl Repositories by security researchers from Google brought to light various prompt injection attacks on publicly accessible websites. According to Google, attacks of this type occurred between November 2025 and February 2026 by 32 percent added. The security experts found that their level of maturity is currently still low. However, they also point out that the trend is a clear signal that attackers’ interest is increasing. In other words, the environment that the “Lethal Trifecta” once warned about has become a reality.
5 signs of compromised AI agents
When nearly every AI agent deployed exhibits the characteristics of the “Lethal Trifecta,” practitioners need the right clues to distinguish compromised behavior from normal operations within a system. This requires a shift: away from assessments at the architectural level and towards behavioral detection at the runtime level. The need for this change was most recently demonstrated in January 2026, when four different exploits against popular AI productivity tools were discovered within just five days. IBM Bob, Superhuman AI, Notion AI and Claude Cowork were affected. In all four cases, the attackers used indirect prompt injection to exfiltrate data. This was done via a channel to which the respective agent had legitimate access.
In the case of Claude Cowork, a hidden prompt embedded in an uploaded document caused the AI agent to exfiltrate files via the API domain whitelisted by Anthropic itself – invisible to all perimeter control measures and indistinguishable from normal agent behavior until the data had already been stolen. The four exploits also had in common that the “Lethal Trifecta” was an operating condition.
The following five signals can help detect compromised AI agents:
- Anomalies in following instructions: As a rule, a compromised agent does not behave fundamentally differently than an intact one – it follows instructions. The only question is whose. Agent actions that have no plausible connection to a user-initiated task should therefore raise alarm bells. An agent who is asked to summarize a quarterly report but then sends a DNS request to an unknown domain did not spontaneously “decide” to do so – he was prompted to do so.
- Tool call sequences that break the expected topology: In a well-designed AI agent system, the sequence of tool invocations for a specific task should be relatively predictable. A programming agent tasked with fixing a bug must edit files, run tests, and possibly review documentation. However, it should not access email or calendar APIs. As soon as the expected limits of a workflow are exceeded in this context, skepticism is recommended: such tool call sequences should be marked as suspicious, even if each individual call appears legitimate in itself.
- Exfiltration over low bandwidth channels: The classic prompt injection exfiltration attack routes stolen data through a mechanism legitimately accessed by the agent – the URL of a rendered image with encrypted query parameters, an API call with data embedded in a parameter, or a link in a generated document. Taken on their own, these actions do not look like data theft, but rather seem completely normal. In order to detect exfiltration, it should be checked which data the agent had access to and what it embedded in its output. This in turn requires agent actions to be transparent throughout – not just the final output.
- Access to credentials and secrets outside the task scope: If an agent with legitimate access rights accesses a Secrets Store or Key Vault that is unrelated to the current task, this is also a red flag. An agent that is supposed to fix a React rendering error certainly doesn’t need AWS credentials to do so. The least privilege principle serves here as an architectural defense measure. However, only monitoring that specifically checks whether login data is accessed “out of scope” can reveal such processes.
- Anomalies in memory write operations: Agents with persistent memory represent a growing attack surface. A manipulated memory entry that looks like legitimate user context could contain hidden “trigger instructions” that persist across sessions and are only triggered long after the actual prompt injection. On the other hand, it helps to design the observability pipeline for AI agents accordingly: memory writes should be monitored for command-like content. Writing processes that took place during sessions with untrustworthy content must also be viewed critically.
For security practitioners who manage an agentic AI infrastructure in production, the development of the “Lethal Trifecta” as the new standard only confirms what you have already known for a long time: your AI agents are at risk. This challenge is at runtime level to encounter, not at the architectural level. EDR and SIEM are located there for traditional architectures. AI agents require the same instrumentation – which does not yet apply to the vast majority of deployments. (fm)
This article is im Original published by our sister publication CSOonline.com.
