The Agent Problem
The Lethal Triangle: Why Your Agent Is a Breach Vector
Agentic AI has put autonomous software inside your systems, with your permissions, against the data you’re paid to protect, and most organizations don’t yet have a security model for it.
In this episode, Jack Cable, CEO of Corridor and former Secure by Design lead at CISA, joins Lieuwe Jan Koning, Co-founder and CTO at ON2IT Cybersecurity, to walk through the three conditions that turn helpful agents into breach vectors, and what CISOs should be doing right now.
What you’ll learn
- Why the “lethal triangle” (sensitive access, untrusted input, and the ability to take unapproved actions) turns every basic email agent into a breach vector by default
- Why prompt injection cannot be reliably solved by another LLM, and why deterministic guardrails (sandboxing, allow-lists, human-in-the-loop) are the only durable answer today
- Why Jack Cable will not recommend any CISO authorize OpenClaw or similar general-purpose agents today, and what to deploy in their place
- What a defensible deployment actually looks like — sandboxing, sub-agent architectures, role-tailored permissions, and breaking the triangle wherever you can
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
For Jack Cable, the security failure mode of agentic AI isn’t surprising: it’s the same shape as the failures he chased down for years at CISA’s Secure by Design office. What’s new is the speed of deployment, and the fact that the people deploying agents are often not the people who own the security model.
The simplest case is the most useful one: the email agent. Read access to a user’s inbox already touches password resets, two-factor codes, and financial and social account recovery, so a single agent with read access to email is effectively holding the keys to a personal or business identity. Add the second condition (the agent processes untrusted input, and every inbound email qualifies) and the third (the agent can take an action: drafting, forwarding, or sending) and you’ve crossed all three edges of what Jack calls the lethal triangle.
The detection answer most teams reach for is to layer another LLM on top: a model that watches for prompt injection attempts. It helps. It doesn’t solve the problem. LLMs are non-deterministic by definition, and the second model inherits the same property. Anthropic’s recent move to route Claude’s per-action approvals through a separate model is a real improvement on the human-clicks-allow pattern, but no LLM-on-LLM scheme reaches anywhere near a hundred percent prevention.
What does work today is constraining what the agent can do. Sandbox it. Give it a role with the permissions that role needs and nothing more. Strip the ability to send before you grant the ability to read. Build sub-agent architectures with narrow tasks, instead of one agent that holds the keys to everything. And on OpenClaw and similar general-purpose agents (the kind that take a single prompt and act across email, messaging, and the browser at once) Jack will not recommend any CISO authorize them today. Use the more constrained vendor agents from Anthropic and OpenAI, with their guardrails in place, as your starting point.
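To make the two ideas above concrete (the three edges of the lethal triangle from the email-agent example, and the deterministic guardrails Jack prefers over an LLM-on-LLM check), here is an added illustration in Python. It is not code from the episode, from Corridor, or from ON2IT; the profile fields, the source and tool names, and the three sample agent configurations are assumptions constructed for this example. It models an agent as a set of data sources it reads, input channels it consumes, and tools it may call, reports which edges of the triangle a given configuration touches, and gates every tool call through a deny-by-default allow-list with a human-approval step for side-effect actions, so the policy decision never depends on a model's judgement.

```python
"""Added example: a deterministic policy layer for agent tool calls.

Not from the episode or any vendor; names and sample profiles are assumptions.
"""
from dataclasses import dataclass, field

# The three edges of the triangle as described in the episode.
SENSITIVE_ACCESS = "sensitive_access"      # e.g. read access to an inbox
UNTRUSTED_INPUT = "untrusted_input"        # e.g. processes inbound email
UNAPPROVED_ACTIONS = "unapproved_actions"  # e.g. can send without a human

# Assumed classification of sources, channels and tools for this illustration.
SENSITIVE_SOURCES = {"inbox", "calendar", "crm"}
UNTRUSTED_CHANNELS = {"inbound_email", "web_page", "chat_message"}
SIDE_EFFECT_ACTIONS = {"send_email", "forward_email", "http_post", "run_shell"}


@dataclass
class AgentProfile:
    name: str
    reads: set            # data sources the agent can read
    inputs: set           # input channels the agent consumes
    actions: set          # tools on the agent's allow-list
    approval_required: set = field(default_factory=set)  # tools a human must approve


def triangle_edges(profile: AgentProfile) -> set:
    """Return the subset of the three edges this configuration touches."""
    edges = set()
    if profile.reads & SENSITIVE_SOURCES:
        edges.add(SENSITIVE_ACCESS)
    if profile.inputs & UNTRUSTED_CHANNELS:
        edges.add(UNTRUSTED_INPUT)
    # A side-effect tool only counts as unapproved if no human gates it.
    if (profile.actions & SIDE_EFFECT_ACTIONS) - profile.approval_required:
        edges.add(UNAPPROVED_ACTIONS)
    return edges


def is_breach_vector(profile: AgentProfile) -> bool:
    """All three edges present means the deployment should not ship as-is."""
    return len(triangle_edges(profile)) == 3


def require_approval_for_side_effects(profile: AgentProfile) -> AgentProfile:
    """Break the third edge: keep the tools, but route every side-effect
    action through a human before it executes."""
    return AgentProfile(
        name=profile.name + "-contained",
        reads=set(profile.reads),
        inputs=set(profile.inputs),
        actions=set(profile.actions),
        approval_required=profile.approval_required | (profile.actions & SIDE_EFFECT_ACTIONS),
    )


@dataclass
class Decision:
    allowed: bool
    needs_human: bool
    reason: str


def gate_tool_call(profile: AgentProfile, tool: str) -> Decision:
    """Deterministic check run before every tool invocation: deny by default,
    allow only listed tools, and hold gated tools for human approval."""
    if tool not in profile.actions:
        return Decision(False, False, f"{tool} is not on the allow-list for {profile.name}")
    if tool in profile.approval_required:
        return Decision(False, True, f"{tool} requires human approval")
    return Decision(True, False, f"{tool} allowed for {profile.name}")


# Constructed sample profiles (assumptions, not real deployments).
EMAIL_AGENT_DEFAULT = AgentProfile(
    "email-assistant", {"inbox"}, {"inbound_email"}, {"draft_reply", "send_email"})
EMAIL_AGENT_CONTAINED = require_approval_for_side_effects(EMAIL_AGENT_DEFAULT)
TRIAGE_SUBAGENT = AgentProfile(
    "triage-subagent", {"inbox"}, {"inbound_email"}, {"label_message"})


if __name__ == "__main__":
    for p in (EMAIL_AGENT_DEFAULT, EMAIL_AGENT_CONTAINED, TRIAGE_SUBAGENT):
        print(p.name, sorted(triangle_edges(p)), "breach vector" if is_breach_vector(p) else "contained")
    for tool in ("draft_reply", "send_email", "run_shell"):
        print(EMAIL_AGENT_CONTAINED.name, tool, gate_tool_call(EMAIL_AGENT_CONTAINED, tool))
```

The default email assistant touches all three edges; gating `send_email` behind a human removes the third edge without taking the tool away, and the narrow triage sub-agent never had a side-effect tool to begin with. Either change is what "breaking the triangle" means in practice, and neither requires a second model to be right about an injected prompt.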
The honest summary from Jack: this technology is not going away, and ignoring it costs as much as deploying it badly. Understand it. Experiment. But contain it. Don’t let the agent your sales team built last weekend become the breach you’re cleaning up next quarter.