Does the “lethal trifecta” kill the idea of fully autonomous AI Agents anytime soon?

I don’t think people fully appreciate yet how agentic AI use cases are restricted by what Simon Willison coined the “lethal trifecta”. His article is a bit technical so I’ll try and break it down in more layman’s terms.

An AI agent becomes very high risk when these three things come together:

  • Private data access – the agent can see sensitive information, like customer records, invoices, HR files or source code.
  • Untrusted inputs – it also reads things you don’t control, like emails from customers, supplier documents, third-party or open-source code, or content on the web.
  • External actions – and it has the ability to do things in the real world, like execute payments, update data, or deploy code.

Each of those has risks on its own, but when you put all three together it creates a structural vulnerability we don’t yet know how to contain. That’s what makes the trifecta “lethal”.

Where this matters most is in the types of “replace a worker” examples people get excited about. Think of:

  • an AI finance assistant that reads invoices, checks supplier sites, and then pays them
  • a customer support agent that reads emails, looks up answers on an online system and then issues refunds
  • a DevOps helper that scans logs, searches the web for known vulnerabilities or issues, and then pushes config changes

All of those tick all three boxes – private data, untrusted input, and external actions – and that makes them unsafe right now.

There are safer uses, but they all involve breaking the loop – for example, a finance bot that only drafts payments for approval, a support agent that suggests but doesn’t issue refunds, or a DevOps helper that only runs in a sandbox.
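To make “breaking the loop” concrete, here is an added sketch (not code from this post or from Simon Willison’s article) of a gate for the finance-assistant case: once a session has touched both private data and untrusted input, any external action is queued for human approval instead of being executed. The tool names and capability labels are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical labels for the three legs of the trifecta.
PRIVATE, UNTRUSTED, ACTION = "private_data", "untrusted_input", "external_action"

# Constructed tool catalogue for the finance-assistant example (illustrative names).
TOOLS = {
    "read_invoice_inbox": {UNTRUSTED},      # invoices arrive from outside parties
    "fetch_supplier_site": {UNTRUSTED},
    "lookup_supplier_record": {PRIVATE},
    "draft_payment": set(),                 # only prepares a draft for a human
    "execute_payment": {ACTION},
}

def has_trifecta(tool_names):
    """Static check: does this tool set combine all three legs?"""
    caps = set().union(*(TOOLS[name] for name in tool_names))
    return {PRIVATE, UNTRUSTED, ACTION} <= caps

@dataclass
class Session:
    seen: set = field(default_factory=set)         # legs touched so far
    pending: list = field(default_factory=list)    # actions awaiting approval
    executed: list = field(default_factory=list)   # actions actually carried out

    def call(self, tool, args):
        caps = TOOLS.get(tool)
        if caps is None:
            return "denied"                        # unknown tools are refused
        # The third leg would complete the trifecta: hand the decision to a human.
        if ACTION in caps and {PRIVATE, UNTRUSTED} <= self.seen:
            self.pending.append((tool, args))
            return "queued_for_approval"
        self.seen |= caps
        if ACTION in caps:
            self.executed.append((tool, args))
        return "allowed"

    def approve(self, index):
        """A human reviewer releases one queued action."""
        item = self.pending.pop(index)
        self.executed.append(item)
        return item
```

The agent can still read, look up and draft on its own; only the step that would close the loop waits for a person.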

Unless I have got this wrong, until we know how to contain the trifecta, the glossy vision of fully autonomous agents doesn’t look like something we can safely build.

And if so, I wonder how long it will take before the penny drops on this.
