I get teary-eyed every time I see someone say things that have become so rare lately, like “I was wrong” or “this thing here is better than that other thing I said or did.”
Specifically, I’m referring to the sincere recommendation from Simon Willison saying: “Yes, I coined the term prompt injection, I wrote this post that everyone read (“the lethal trifecta”) buuuut this paper here and especially this super cute Venn diagram cover the problem much better than my own work.”
He talks about the enormous attack surface of agentic AI systems that are shoved in our faces every day, and about the possibility that prompts hidden in web content (or other sources) accessed by your model to fulfill your request are processed and obeyed, leaving us exposed—our butts and other things out in the open as a result.
But in his discussion of the problem, Willison focused on data exfiltration. The little drawing indeed embraces many other issues, and does so in an extraordinarily easy-to-understand way.
You can only pick two: it’s that simple.
1.- Process inputs from untrusted sources.
2.- Give the AI Agent access to your most sensitive info or personal data.
3.- The magic of AI agents is their ability to act adaptively if that’s what they need to achieve their goal. But of course, that includes (and could happen due to an attacker’s interference) not only external communication—with the associated risk of information exfiltration—but also “change states”: adjusting internal parameters, updating memory, or modifying plans and strategies. In a word: Skynet.
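As an added illustration (not from the newsletter, Willison's post or the paper it recommends), here is a small Python audit of the "pick two" rule: a static check of which of the three legs an agent's tool manifest covers and which leg is cheapest to remove, plus a runtime guard that denies the tool call that would complete the third leg within one session. The tool names and capability tags are assumptions for a hypothetical inbox assistant.

```python
from dataclasses import dataclass
# The three legs of the "pick two" diagram, used as capability tags on each tool.
UNTRUSTED = "untrusted_input"  # reads content an attacker may have authored
PRIVATE = "private_data"       # reads sensitive or personal data
ACT = "change_state"           # external comms, memory writes, plan changes
LEGS = frozenset({UNTRUSTED, PRIVATE, ACT})

@dataclass(frozen=True)
class Tool:
    name: str
    caps: frozenset

def legs_covered(tools):
    """Static audit: which legs does this tool manifest cover at all?"""
    covered = set()
    for t in tools:
        covered |= t.caps & LEGS
    return covered

def cheapest_leg_to_drop(tools):
    """If all three legs are covered, return (leg, tool names) for the leg whose
    removal disables the fewest tools (ties broken by leg name); else None."""
    if legs_covered(tools) != LEGS:
        return None
    options = [(leg, sorted(t.name for t in tools if leg in t.caps)) for leg in LEGS]
    return min(options, key=lambda o: (len(o[1]), o[0]))

def guard_session(calls):
    """Runtime guard: walk a session's tool calls in order and deny any call
    that would make this session touch all three legs. Returns [(name, allowed)]."""
    touched, log = set(), []
    for t in calls:
        would_touch = touched | (t.caps & LEGS)
        allowed = would_touch != LEGS
        if allowed:
            touched = would_touch
        log.append((t.name, allowed))
    return log

# Constructed manifest for a hypothetical "inbox assistant" agent (not a real product).
WEB_FETCH = Tool("web_fetch", frozenset({UNTRUSTED}))
READ_MAILBOX = Tool("read_mailbox", frozenset({UNTRUSTED, PRIVATE}))
READ_SHARED_DRIVE = Tool("read_shared_drive", frozenset({UNTRUSTED, PRIVATE}))
READ_CONTACTS = Tool("read_contacts", frozenset({PRIVATE}))
SEND_EMAIL = Tool("send_email", frozenset({ACT}))
UPDATE_MEMORY = Tool("update_memory", frozenset({ACT}))
MANIFEST = [WEB_FETCH, READ_MAILBOX, READ_SHARED_DRIVE, READ_CONTACTS, SEND_EMAIL, UPDATE_MEMORY]

if __name__ == "__main__":
    print("cheapest fix:", cheapest_leg_to_drop(MANIFEST))
    print("session:", guard_session([READ_MAILBOX, WEB_FETCH, SEND_EMAIL]))
```

Note that a session touching only two legs (say, untrusted input plus a state-changing call) still passes the guard, exactly as the diagram allows; the guard only refuses the third leg.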
We found Simon thanks to Jorge Morell’s fantastic newsletter, by the way.
That hilarious diagram has inspired me to make another one about something I’ve been thinking about a lot lately:
What will happen to legal advice when ChatGPT releases its “specialized legal assistant”?
You are reading ZERO PARTY DATA. The newsletter on tech news from the perspective of data protection law and AI by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we like to solve complicated issues in personal data protection and artificial intelligence. If you have any of those, wave at us. Or contact us by email at jgh(at)jorgegarciaherrero.com
🗞️World data News
.- The Danes drop the ChatControl issue, so we’ve gained a little. Or at least until another rotating presidency wants to bring up that nonsense again. Let’s enjoy the moment, even if it’s the calm in the eye of the hurricane.
.- The Norwegian Authority formally recommends not using Binding Corporate Rules. You read that right. Using standard contractual clauses is just as effective (make of that what you will), but at least everyone wastes less time. Via Guro Åsbø.
.- Can things at the Louvre get even worse? It seems so, because they had bomb-proof security:
Video surveillance system secured with an impossible-to-crack password: LOUVRE. And another with a password using the provider’s name (Thales);
Audit by the French INCIBE saying everything’s a mess after they commissioned a serious audit with pentesting (that’s when all the wonders were discovered); and
An old computer system with no security support whatsoever. Windows 98 and 2000 joined the chat.
Now imagine yourself as the Louvre's DPO team when the CNIL drops by to see whether what the press says is true and asks for everything (remember, the AEPD already told us they can come for A and end up at Z). Add the breaches gathering dust, unreported, or even the mess of handling access requests for video surveillance images (or police requests) within 72 hours (the icing on the cake: what if the thieves had deleted everything, just in case). The meme becomes reality.
.- Looks like legitimate interest is coming as a legally recognized basis for AI training in the digital omnibus saga, via Luca Bertuzzi.
📄High density docs (for the real deal data junkies) ☕️
.- If days were 48 hours long, I’d love to listen to this podcast recommended by Philip M. It’s Legal4tech with Rosalia Anna D’Agostino and Dr. M.R. (Mark) Leiser. What the heck, I’d even read the book on Dark Patterns by Mr. Leiser. Let’s not forget that Mr. Leiser would undoubtedly be the result if I ever took “The Substance”.
.- Two inspired articles on the Freedom of Privacy Forum blog: this one by Christopher Kuner (an old rocker who highlights the frayed seams of the regulation of international data transfers since the days of Schrems I) and this other one by Cedric Burton about my dear and much-handled Scania Doctrine.
📄Papers of the Week
.- It’s not a paper but it might as well be: Daphne Keller gives us this study (with more Venn diagrams) explaining many things, including the various access perimeters that different articles of the DSA assign to VLOPs data and other not-so-big critters.
💀Death by Meme🤣
🤖 NoRobots.txt or The AI Stuff
.- The Dutch Ministry of Economic Affairs has published a guide on the AIA that strongly reminds us of those docs that made the ICO famous in the early days of the GDPR: practical, down-to-earth advice without beating around the bush or incomprehensible jargon. Times that, apparently, will not return. Via Karin Tafur.
.- “Learn the lesson that AI works best when it empowers people, not when it replaces them. Of course, I don’t seriously expect many company executives to have learnt those lessons. Our memories are short and many will have forgotten what we learnt a decade ago.” Read Simon Wardley’s entire post here: it’s well worth it.
.- The new quantum leap in AI models fits in a JPG: Deepseek-OCR has been released, announcing a scandalous optimization in tokens for PDF inputs, which lets you devote almost the entire context window to the output. Susana García explains it perfectly here.
.- Yesterday’s ruling in the Getty Images vs Stability case deserves its own post. As an appetizer, here’s Darth Craddock’s obviously triumphalist take. Apply the fish matrix and caveat emptor. The two bottom lines are that Getty Images ended up looking rather foolish, and in obiter dicta the ruling states that the trained model does not actually contain images or personal data.
🙄 Da-Ta Dum bass
Seven genuinely funny minutes if you enjoy impro-stand-up
If you think someone might like this newsletter, or even find it useful, feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.