Agentic AI and Security (martinfowler.com)

Aimed at engineers and product teams, the piece warns that “agentic” LLM systems—models extended with tool calls, looping logic and background agents—create a fundamental, hard-to-fix security problem: LLMs cannot reliably distinguish instructions from data. Drawing on Simon Willison’s “Lethal Trifecta,” the author explains that when an agent has (1) access to sensitive data, (2) exposure to untrusted content, and (3) the ability to externally communicate, adversaries can use prompt injection to extract secrets or cause harmful side effects. Real-world attack patterns include an attacker posting a crafted Jira ticket that tricks an agent into leaking JWTs or pushing data to a public comment. Technically, the article highlights how agentic workflows build up a single text context (so “data” can be interpreted as executable instruction), the role of MCP servers (standardized APIs agents call), and subtle exfiltration channels (browser automation, image GET requests, or public issue comments). Mitigations are practical and defensive: run LLMs in controlled containers, break tasks into sub-tasks that block at least one element of the trifecta, enforce least privilege and ephemeral access, avoid storing production credentials in files, disallow MCPs that read sensitive sources, sandbox or cut off external communication, maintain strict allow-lists for input sources, and keep human-reviewable, small-step workflows. The upshot: agentic AI is powerful but currently insecure in adversarial settings—teams must design around the trifecta rather than assume vendor fixes will suffice.