The Rule of Two Tells You When to Worry. It Won’t Contain What Happens When You’re Wrong.

Prompt injection is architectural, not a bug to patch. Scope blast radius, not properties.

OWASP’s new agentic security report puts a number on it: prompt injection now maps to six of the ten categories in their Top 10 for agentic apps. Not an edge case. The universal joint.

The popular response is to reach for a tidy rule. Meta’s “Agents Rule of Two” says an agent running without a human can safely hold two of three risky properties… access to private data, exposure to untrusted content, the ability to act or send data out. All three, and you add a human.

It’s a useful triage heuristic, and I’d keep it on the whiteboard. But I watch teams treat “two of three” as a control, and that’s where it slips. A budget you can spend isn’t a boundary that holds.

The rule quietly assumes you can separate “untrusted content” from “instructions.” You can’t. A model reads the system prompt, the user, and a poisoned calendar invite as one stream of tokens. That’s architectural, not a bug to patch.

So rather than scoring properties, I’d scope blast radius. Assume the injection lands… then ask what the agent can actually reach when it does. Its own identity, not a borrowed service account. Least privilege. Credentials that expire. An allowlist that can’t be talked into running arbitrary payloads.

None of that is new. It’s the discipline we already had, applied at machine speed. Reinventing security for AI is a plan to fail.

The Rule of Two tells you when to worry. It won’t contain what happens when you’re wrong.

Share this: