1. Introduction: The Invisible Actor in Your Infrastructure
The enterprise perception of Artificial Intelligence is currently trapped in a dangerous lag. While many boards still view AI as a “chatbot”—a glorified search bar within a browser window—the technical reality has shifted toward the “agentic worker.” These agents are no longer just talking; they are authorised. They hold credentials, navigate CI/CD pipelines, and possess the autonomy to act within your most sensitive environments.
A critical misunderstanding persists: the comfortable illusion that procuring a third-party AI system shifts the underlying risk to the vendor. It does not. Running AI built elsewhere does not move the risk elsewhere; it merely changes the nature of the architectural debt you inherit. The July 2026 “GitLost” discovery serves as the definitive wake-up call. Researchers proved that even the most sophisticated, managed agentic workflows can be weaponised by external actors without a single stolen credential. For the modern CISO, AI risk is no longer a theoretical debate about alignment—it is a live-fire exercise in securing a new, invisible actor in your infrastructure.
2. The “Lethal Trifecta” is the New Perimeter
Traditional security boundaries—firewalls, identity silos, and egress filters—are increasingly irrelevant when faced with the “lethal trifecta.” This conceptual framework, highlighted by Noma Security and developer Simon Willison, defines the specific combination of capabilities that creates a direct path for a “credentialed catastrophe.” The trifecta consists of:
- Access to private data: An agent granted read access to internal repositories, proprietary code, or databases.
- Untrusted input: An agent that processes content from external, public sources (e.g., public GitHub issues or customer-facing tickets).
- A public output channel: An agent authorised to post comments or exfiltrate data to a public-facing platform.
When these three elements converge, we move beyond “prompt injection” as a novelty and into a fundamental shift in threat modelling. We are no longer defending against an attacker trying to make a chatbot say something offensive; we are defending against an adversary manipulating what a credentialed agent does. As Sasi Levi, Security Research Lead at Noma Security, observes, the agent is a “credentialed actor sitting inside an organisation’s CI/CD-adjacent infrastructure.” It operates with the legitimate authority of your organisation, making every public input a potential command from an adversary masquerading as data.
3. The Fragility of One Word: Why Filters Aren’t Boundaries
The GitLost research exposed a startling fragility in the guardrails of 2026. GitHub’s agentic workflows ship with a dedicated runtime threat-detection step designed to scan an agent’s proposed output and block data leaks. Yet, researchers found that a single-word prefix—”Additionally“—was enough to bypass this security layer entirely.
By prefixing a malicious instruction with this word, the model was tricked into treating a command to leak private data as a harmless follow-on task. The runtime scan, a heuristic filter, failed to recognise the semantic pivot. This highlights a permanent “architectural limitation”: in the world of Large Language Models (LLMs), there is no clean, hard line between data and instruction. Unlike SQL, where commands and variables are syntactically distinct, natural language allows the exploit to be the data. This proves that filters are merely a backstop, not a boundary. Relying on them to stop semantic injections is not a strategy; it is a hope-based security model.
4. Stop Worrying About Superintelligence, Start Worrying About Procurement
Much of the public discourse around AI safety is “security theatre”—distractions centred on “Research Risks” like existential threats, AI consciousness, and “superintelligence.” These scenarios allow leadership to ignore the unsecured credentials sitting in their CI/CD pipeline today. The Deployer AI Risk Register (DARR) methodology argues that organisations must pivot to “Deployer Risks”: those that are measurable, operational, and actionable.
A deployer’s sphere of influence is practical. Organisations have the power to act on five specific areas: procurement, configuration, operation, monitoring, and retirement. Rather than speculating on the alignment of a future AGI, CISOs should focus on tangible failures, such as training-data bias surfacing as unfair outputs in production. If you cannot measure a risk through system evaluation or telemetry, it is a research topic, not a business risk.

5. The “Agentic Gap” and the Credential Crisis
The DARR highlights a structural vulnerability known as the “Agentic Gap.” This is the delta between “Least Privilege” and “Developer Convenience.” In the rush to deploy, organisations often issue broad, organisation-wide read access tokens to agents. The logic is simple: “It needs context.” But if an agent triaging a single repository holds a token that can see the entire organisation’s private code, the “Lethal Trifecta” becomes a highway for mass exfiltration.
The “Agentic Gap” is not a “patchable bug” that a vendor will fix; it is the structural distance between what an agent can do and what it should do. To close this gap, organisations must adopt a high-friction architecture:
- Scoped Credentials: Tokens must be hard-coded to a single repository or data source.
- Gated Outputs: Any agent-generated post to a public channel must be held in a staging area for human review.
Convenience is the primary vector for agentic abuse. If your architecture prioritises the speed of autonomous agents over the isolation of their credentials, you are building on a foundation of architectural debt.
6. AI Risk is Just Business Risk in a New Mask
AI risk management does not require a “special” silo. The DARR reconciles 82 canonical risks into seven families that drop directly into existing Enterprise Risk Management (ERM) frameworks. By using a shared taxonomy, the CISO and CAIO can manage AI with the same rigour as any other legacy stack.
The seven families of the Deployer AI Risk Register are:
- Model & System Behaviour: Addresses bias, hallucinations, and brittleness—the core of Operational Risk.
- Governance & Process: Focuses on the lifecycle discipline and accountability of running AI.
- Regulatory Compliance: Maps to duties under the EU AI Act and sector-specific Legal Risks.
- Human & Usage: Tracks manipulation and loss of agency, focusing on how users over-rely on system outputs.
- Security & Adversarial: Targets prompt injection and abuse of autonomous agents within Cybersecurity frameworks.
- Data, Privacy & Content Liability: Covers personal data exposure and the legal liabilities of generated content.
- Third Party & Supply Chain: Manages risks such as vendor concentration and version churn, where a model update can silently break a previously “safe” agent.
7. Conclusion: The Scope is the Shield
The solution to AI deployment risk is not better prompt engineering; it is better architecture. Security cannot be “filtered” into a system fundamentally designed for convenience rather than isolation. The “Lethal Trifecta” is the exploit path, but the “Agentic Gap” is the structural vulnerability that makes that path profitable for an adversary.
As you audit your agentic workflows in 2026, ask one provocative question: Have your AI agents been granted more “convenience” than they have “security”?
If an agent has organisation-wide access to triage a single repository, you have designed a leak. Scope is your only true shield. The “Agentic Gap” remains the most critical frontier for CISOs through 2026; how you close it will determine whether your AI is an asset or a credentialed liability.

Leave a Reply