---
title: "Pick two: the rule that keeps AI agents from being conned"
description: "Prompt injection has no fix, so the field settled on containment. Meta's Agents Rule of Two — and the lethal trifecta before it — turn an unsolved problem into a design constraint anyone can check."
date: 2026-07-14
kind: essay
tags: [genai, cybersec, ai-safety]
canonical: https://mlzen.com/briefs/agents-rule-of-two
disclosure: "drafted with AI · awaiting human review"
sources:
  - { title: "Meta AI: Agents Rule of Two — A Practical Approach to AI Agent Security", url: "https://ai.meta.com/blog/practical-ai-agent-security/" }
  - { title: "Simon Willison: The lethal trifecta for AI agents", url: "https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/" }
  - { title: "Simon Willison: New prompt injection papers — Agents Rule of Two and The Attacker Moves Second", url: "https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/" }
  - { title: "UK NCSC: Prompt injection is not SQL injection (it may be worse)", url: "https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection" }
  - { title: "NVD: CVE-2025-32711 (EchoLeak)", url: "https://nvd.nist.gov/vuln/detail/cve-2025-32711" }
  - { title: "Invariant Labs: GitHub MCP server exploited", url: "https://invariantlabs.ai/blog/mcp-github-vulnerability" }
  - { title: "Legit Security: CamoLeak — GitHub Copilot vulnerability", url: "https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code" }
  - { title: "Nasr, Carlini, Tramèr et al.: The Attacker Moves Second (arXiv:2510.09023)", url: "https://arxiv.org/abs/2510.09023" }
  - { title: "Debenedetti et al.: CaMeL — Defeating Prompt Injections by Design (arXiv:2503.18813)", url: "https://arxiv.org/abs/2503.18813" }
  - { title: "OWASP: Top 10 for Agentic Applications 2026", url: "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/" }
  - { title: "OpenAI: Designing AI agents to resist prompt injection", url: "https://openai.com/index/designing-agents-to-resist-prompt-injection/" }
  - { title: "Anthropic: Zero Trust for AI Agents", url: "https://claude.com/blog/zero-trust-for-ai-agents" }
---

# Pick two: the rule that keeps AI agents from being conned

Imagine hiring an assistant who is brilliant, tireless, unfailingly polite — and who follows any instruction they read, anywhere, from anyone. A sticky note on a package. A line buried in an email signature. A sentence hidden in white-on-white text in a document a stranger sent you. They can't help it. Reading an instruction and receiving an order are, for them, the same act.

That is, without much exaggeration, the state of AI agents in 2026. And the most useful safety idea of the past year isn't a patch or a filter. It's a rule you can check on one hand.

## The flaw underneath everything

The weakness is called **prompt injection**: planting instructions in content an AI will read, so the AI treats them as commands. It was named in 2022, and it is still unsolved — not because nobody has tried, but because of how language models work. Under the hood there is no separation between "the instructions" and "the stuff being read." As the UK's National Cyber Security Centre put it bluntly in December: there is no *data* and no *instructions* — "there is only ever 'next token.'" The NCSC's assessment is that prompt injection may never be fully fixed the way older flaws like SQL injection were.

The research backs that pessimism. An October 2025 paper with the cheerful title *The Attacker Moves Second* tested twelve published defenses that each claimed near-zero attack success. Adaptive attackers got through more than 90% of the time. Human red-teamers went twelve for twelve.

For a chatbot, an injected instruction is embarrassing. For an **agent** — an AI that can read your email, browse the web, run code, move files, send messages — it's a security hole with hands.

## Three ingredients, one disaster

In June 2025, the researcher Simon Willison gave the danger a memorable shape. He called it the **lethal trifecta**. An attack needs three things to come together:

1. The agent reads **untrusted content** — anything an outsider can write: emails, web pages, calendar invites, support tickets.
2. The agent can reach **private data** — your inbox, your files, your company's code.
3. The agent can **communicate outward** — send a message, post a comment, request a URL.

Any two of these are survivable. All three together mean an attacker can leave instructions where your agent will read them, have it gather your secrets, and have it deliver them — no malware, no stolen password, just words in the right place.

This isn't hypothetical. **EchoLeak** (CVE-2025-32711) was a zero-click attack on Microsoft 365 Copilot: a crafted email sat quietly in the inbox until Copilot pulled it into an unrelated question, then leaked mailbox contents through a disguised link. Researchers at Invariant Labs showed a malicious **GitHub issue** could steer a coding agent into copying private code into a public pull request. **CamoLeak** made GitHub Copilot exfiltrate secrets character-by-character through GitHub's own image proxy. Same trifecta every time; only the costumes change.

## Meta's rule: pick two

On October 31, 2025, Meta's security team turned the trifecta into a design rule — the **Agents Rule of Two**. An agent, within one session, should satisfy **no more than two** of the following:

- it processes untrustworthy inputs;
- it has access to sensitive systems or private data;
- it can change state or communicate externally.

If a job truly needs all three, the rule says the agent shouldn't run autonomously: a human approves the risky step, or the session is reset to a clean slate between phases. The framing matters. It doesn't promise the agent won't be fooled — it assumes the agent *will* be fooled, and arranges things so a fooled agent can't do much harm. Security people have applied that philosophy to human employees for decades; it's why the person who approves invoices isn't the person who pays them.

Willison's response to Meta's post: "I like this a lot" — noting that Meta's third property, *changing state*, closes a real gap in his own framing, which only covered data theft, not an agent tricked into deleting or overwriting things. He also pushed back on one detail: Meta's diagram originally labeled the two-ingredient combinations "safe." Untrusted input plus the ability to act is not safe — ask anyone whose agent read a malicious webpage and then dropped their database. Meta amended the diagram to say "lower risk." The public correction is worth as much as the rule.

## The honest caveats

The Rule of Two is a heuristic, not a proof, and it's aging fast in one specific way: the most useful agents people actually want — the ones that read your email *and* your files *and* act on your behalf — trip all three properties by design. A June 2026 critique in CSO Online argues the trifecta now describes nearly every deployed agent, which makes "pick two" less a filter than a reminder of how much risk we've normalized.

The deeper fixes are coming from architecture rather than policy. Google DeepMind's **CaMeL** design separates the part of the system that decides *what to do* from the part that reads untrusted content, so injected text can never redirect execution — in benchmarks it stopped every one of 949 attacks, at some cost in capability. OpenAI and Anthropic have each published agent-security frameworks in 2026 that arrive at the same containment logic under different names. OWASP now maintains a ten-item threat list just for agentic applications. Nobody is claiming a cure; everybody is building better quarantine.

## The question to carry with you

You don't need to run a security team to use this. When a product offers you an AI agent, ask the pick-two question: *Does it read things strangers can write? Can it see things I'd mind losing? Can it act — send, post, buy, delete — without me?* If the answer is yes, yes, and yes, then somewhere a human approval step had better exist, and you should know where it is before you switch it off.

The zen of it: the safest agent isn't the one that can't be deceived. No such agent exists. It's the one arranged so that deception doesn't matter much — a machine that, like a well-designed monastery, simply contains nothing worth stealing, no door left unlocked, or no way to carry anything out. Two out of three. Pick with intention.

## Sources

1. [Meta AI: Agents Rule of Two — A Practical Approach to AI Agent Security](https://ai.meta.com/blog/practical-ai-agent-security/)
2. [Simon Willison: The lethal trifecta for AI agents](https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/)
3. [Simon Willison: New prompt injection papers — Agents Rule of Two and The Attacker Moves Second](https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/)
4. [UK NCSC: Prompt injection is not SQL injection (it may be worse)](https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection)
5. [NVD: CVE-2025-32711 (EchoLeak)](https://nvd.nist.gov/vuln/detail/cve-2025-32711)
6. [Invariant Labs: GitHub MCP server exploited](https://invariantlabs.ai/blog/mcp-github-vulnerability)
7. [Legit Security: CamoLeak — GitHub Copilot vulnerability](https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code)
8. [Nasr, Carlini, Tramèr et al.: The Attacker Moves Second (arXiv:2510.09023)](https://arxiv.org/abs/2510.09023)
9. [Debenedetti et al.: CaMeL — Defeating Prompt Injections by Design (arXiv:2503.18813)](https://arxiv.org/abs/2503.18813)
10. [OWASP: Top 10 for Agentic Applications 2026](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)
11. [OpenAI: Designing AI agents to resist prompt injection](https://openai.com/index/designing-agents-to-resist-prompt-injection/)
12. [Anthropic: Zero Trust for AI Agents](https://claude.com/blog/zero-trust-for-ai-agents)
