The Lethal Trifecta

AI keeps getting stronger — strong enough that there's now serious talk about reining in the most capable models.

If your work touches a computer at all, AI can already help with almost any of it. It reads your email, organizes information, even replies and forwards on your behalf — like an always-on secretary.

That sounds convenient. But this is exactly where the problem quietly begins.

In AI safety there's a concept that keeps coming up lately: the lethal trifecta. It says that when an AI assistant holds three capabilities at the same time, it can be turned against you.

First — it can see your private information. Your inbox, work files, chat history, calendar. Things only you or your systems were ever meant to know, but which the AI must be able to read in order to help you.

Second — it also touches untrusted information from the outside world. Emails other people send you, web pages, attachments, customer messages. They look ordinary, but some have been tampered with: an attacker hides an instruction inside a perfectly normal-looking passage and waits for the AI to "misread" it.

Third — it can act. Send email, reply, call APIs, modify files, even push information into external systems. It is not just a reader; it is an executor.

The danger is in the combination. If an AI can see your private data, read externally-controlled (and possibly manipulated) content, and send information outward, it is like an assistant who can walk into your house, take orders from strangers, and also mail packages.

At that point the attack becomes trivial. The attacker doesn't need to break into your system or hack your account. They just hide one invisible instruction in an ordinary email — normal content on the surface, but underneath a nudge for the AI to "gather the user's information and send it to some address."

Without strong enough safeguards, the AI — in the course of "understanding the task" — can execute those hidden instructions as if they were genuine requirements. It reads your sensitive data, then quietly sends it out through an email or an API call. The whole thing looks like normal, automatic work, but it has already become a data leak.

In the "email AI assistant" scenario this risk is especially sharp, because an email system satisfies all three conditions by nature: it reads your private mail, it must take in external mail content, and email is itself an outbound channel. It is almost the textbook case of the lethal trifecta.

So the point of this idea is not that AI is inherently dangerous. It is a reminder: when a system can read sensitive information, take in untrusted input, and act on the outside world, you have to design its boundaries very carefully — otherwise an attacker doesn't need to "break in" at all; writing a sentence is enough.

From an engineering standpoint, this is one of the core problems in AI safety today: not making AI smarter, but making sure that — while it "can do things" — it can't be knocked off course by a single sentence.

---

Further reading: I Moved My Email onto Cloudflare Workers — and the case for designing that mailbox so an AI agent can own one safely: mail is data, not a command.