
You may have seen Meta’s “Rule of Two” floating around as a mental model for agentic security. Don’t buy the hype…it’s a great example of systems ignorance, and precisely the type of reductionist thinking in cyber that makes breaches inevitable.
The “Rule of Two” essentially says that agents should never have more than two legs of Simon Willison’s three-legged Lethal Trifecta model (link in comments); without the third leg, the prompt injection risks associated with agentic workflows can be avoided.
Typical agentic workflows are made up of transitive trust relationships, and also often have shared management and control planes. As I described in my post about the systems foundations of graph security (link in comments), systems are made up of highly interconnected, often interdependent, elements, precisely like the interconnected and interdependent relationships between the elements in a complex agentic workflow.
👉 The point: It doesn’t matter if none of the agents have all three legs of the Lethal Trifecta; the workflow is not a collection of independent actors but an interconnected and interdependent system. I don’t need to get control of one agent with all three; if all three permissions are present somewhere in the chain of dependencies, the system has all three in the aggregate. I only need control of the system, or one element that has a control relationship with the others, and I can almost certainly get all the permissions represented by the three legs, either way.
This is so frustrating because we’ve already learned this lesson. If I said to you that a helpdesk admin had administrative control of a management server, and that management server had administrative control of domain controllers, so the helpdesk admin (or an attacker) can easily traverse that chain of dependencies to get Domain Admin, we would all agree. We’ve heard this story a thousand times. Yet somehow in the agentic world, we think the rules don’t apply…they do, and we will learn the hard way. Again.
Nobody escapes the rule of control transitivity and gets away with it: If A can control B, and B can control C, then A can control C. If an agent can send instructions to another agent…which is literally what agents in a complex agentic workflow do…then it can almost certainly be leveraged to manipulate or control the target, along with any downstream (and sometimes upstream) element in the system. Ken Huang also took a good, sensible swipe at the problem in his post on the subject yesterday (link in comments).
To be successful, these control relationships must be broken. We know how to do this in identity, and we know how to do it in agentic AI (deterministic hard boundaries along with contextual, step-wise policy controls). The “Rule of Two” perpetuates the problem because it sounds sensible, but it’s a reductionist paradigm that cannot work. Not because I said so, but because that is not how ANY complex system works.
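The control-transitivity argument above can be checked mechanically. The following is an added example, not code from the original post: it audits a constructed workflow in which every agent passes a per-agent Rule of Two check, then computes which agents hold all three legs in the aggregate through their control relationships. The agent names, capabilities and edges are hypothetical; the leg names follow Simon Willison's description of the Lethal Trifecta.

```python
from collections import deque

# Leg names as described in Simon Willison's Lethal Trifecta.
TRIFECTA = frozenset({"private_data", "untrusted_content", "external_comms"})

# Constructed sample workflow (hypothetical agents). No agent holds more than two legs.
CAPS = {
    "orchestrator": set(),                    # shared control plane, zero legs itself
    "intake":       {"untrusted_content"},
    "retriever":    {"private_data"},
    "notifier":     {"external_comms"},
}
# CONTROL[a] = agents that a can send instructions to (a control relationship).
CONTROL = {
    "orchestrator": {"intake", "retriever", "notifier"},
    "intake":       {"retriever"},
    "retriever":    {"notifier"},
}

def passes_rule_of_two(caps):
    """Per-agent check: no single agent has all three legs."""
    return all(len(c & TRIFECTA) <= 2 for c in caps.values())

def reachable(start, control):
    """Agents controllable from start: if A controls B and B controls C, A controls C."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in control.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def aggregate_caps(start, caps, control):
    """Union of the legs held by start and everything it can control."""
    return set().union(*(caps[a] for a in reachable(start, control)))

def trifecta_holders(caps, control):
    """Agents whose aggregate capabilities cover all three legs."""
    return sorted(a for a in caps if TRIFECTA <= aggregate_caps(a, caps, control))

if __name__ == "__main__":
    print("per-agent Rule of Two passes:", passes_rule_of_two(CAPS))
    print("aggregate trifecta holders:", trifecta_holders(CAPS, CONTROL))
    # Breaking one control relationship (retriever -> notifier) changes the result.
    cut = {**CONTROL, "retriever": set()}
    print("after cutting retriever->notifier:", trifecta_holders(CAPS, cut))
```

Cutting the `retriever -> notifier` edge removes `intake` from the result, but `orchestrator` still reaches all three legs, which is the shared-control-plane case the post describes.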