Break the Lethal Trifecta by Design
Privilege separation for agents: keep the model that holds tools away from the text an attacker controls.
The Conventional Framing
The highest-leverage defense against prompt injection is not a filter — it's an architecture. Separate a Privileged LLM that plans, holds tool access, and never reads raw untrusted text, from a Quarantined LLM that reads untrusted content, extracts facts or summaries, and has no tools. Untrusted instructions land on the model that can't act on them.
Google DeepMind's CaMeL extends this into a real enforcement boundary. The Privileged LLM emits code, and a custom interpreter enforces capability and information-flow policies so that untrusted data cannot influence sensitive tool arguments. Control flow is separated from data flow — the plan is fixed before any attacker-controlled value is in scope.
Why This Is the Right Pattern — and Where It Still Fails
This is the single most useful design lens we have. Simon Willison's lethal trifecta says exfiltration only becomes catastrophic when an agent simultaneously has (1) access to private data, (2) exposure to untrusted content, and (3) an external communication channel. Dual-LLM and CaMeL attack leg (2): the component exposed to untrusted content is the one component with no tools and no private context. Remove the leg and a successful injection has nowhere to go.
But it is not total, and honesty matters here. CaMeL blocked ~67% of AgentDojo attacks — and 0% on some models. The failure modes are real:
- The interface is the attack surface. If the Quarantined LLM can craft output that manipulates the Privileged LLM's decisions, you've just moved the injection up one layer. The boundary must carry structured, schema-validated data — not free-form prose.
- The extraction pass can be biased. A quarantined model can still be talked into mislabeling data, so the schema and downstream validation are what actually hold the line — not the model's good intentions.
- Cost and complexity. CaMeL uses roughly 2.7–2.8× the tokens and is a genuine re-architecture. Teams under delivery pressure cut the boundary down to a single string hand-off, which quietly re-merges the two models.
Architecture
Components:
- Quarantined LLM— reads untrusted content, extracts structured facts, has no tools and no private context
- Privileged LLM— plans and emits code/tool calls; never sees raw untrusted text
- CaMeL interpreter— enforces capability + information-flow policy on tool arguments
- Validated interface— structured, schema-checked hand-off between the two models
Trust Boundaries
- Untrusted content → Quarantined LLM — injection enters here and is contained; this model can't act
- Quarantined → validated interface — the critical boundary — structured data only, never prose commands
- Interpreter → tools — info-flow policy blocks untrusted-tainted values from reaching sensitive arguments
Threat Surface
| Threat | Vector | Impact |
|---|---|---|
| Interface manipulation | Quarantined output crafted to steer the Privileged LLM's plan | Injection crosses the trust boundary |
| Extraction bias | Untrusted content coerces the quarantined model into mislabeling data | Poisoned 'facts' pass into privileged reasoning |
| Policy gap | A tool argument path the info-flow policy doesn't cover | Tainted value reaches a sensitive action |
| Boundary collapse | Team simplifies the interface to a single free-text hand-off | Two models behave as one; separation lost |
The ZIVIS Position
- •This is where to spend the budget.Architectural privilege separation is the highest-leverage anti-injection control. Filters are defense in depth; this is the boundary.
- •The interface is everything.The security property lives in the hand-off. Structured data, validated schemas, explicit allow-lists for what the quarantined model can request.
- •Separate control flow from data flow.Fix the plan before untrusted data is in scope. CaMeL's interpreter is the enforcement mechanism, not a suggestion.
- •Don't oversell it.CaMeL blocked ~67% of AgentDojo attacks, not 100%. Pair it with least privilege and output hardening so a bypass still lands on nothing.
- •Audit the boundary.Log every cross-boundary value and every tool call the interpreter authorizes. The interface is your security surface; watch it.
What We Tell Clients
If you are building an agent that touches private data and can reach the outside world, this is the pattern to build toward. It is more expensive and more work than a guardrail — and it is the only option on this list that gives you a real security property rather than a probability.
Invest in the boundary, not the models. A validated, structured interface with an information-flow policy on tool arguments is what stops an injection from becoming an action. Get that wrong and you have two models and the same vulnerability. Get it right and the attacker's best injection lands on a model that can't do anything with it.
Related Patterns
- Dual-LLM (Agent Patterns)— the agent-architecture view of the same trust separation
- Privilege Separation— the security principle this pattern implements
- Plan-Then-Execute & Action-Selector— fixing the plan before untrusted content is seen
- Least Privilege & Isolation— removing the exfiltration leg of the trifecta
References
Frequently Asked Questions
What are Dual-LLM and CaMeL, and how do they defend against prompt injection?
They are privilege-separation architectures that split an agent into a Privileged LLM that plans and holds tools but never reads raw untrusted text, and a Quarantined LLM that reads untrusted content but has no tools or secrets. Google DeepMind's CaMeL adds a custom interpreter that enforces capability and information-flow policies so untrusted data cannot reach sensitive tool arguments. Injected instructions land on the component that cannot act on them.
Does CaMeL stop all prompt injection?
No. In testing, CaMeL blocked roughly 67% of AgentDojo attacks, and 0% on some models. It is the highest-leverage anti-injection control available, but it gives you a strong property rather than a guarantee, so it should be paired with least privilege and output hardening.
What is the lethal trifecta?
Simon Willison's framing that exfiltration becomes catastrophic only when an agent simultaneously has access to private data, exposure to untrusted content, and an external communication channel. Dual-LLM and CaMeL attack the untrusted-content leg by making the component that reads it the one component with no tools and no private context.
Where does Dual-LLM/CaMeL most often fail in practice?
At the interface between the two models. If the Quarantined LLM's output can steer the Privileged LLM's plan, the injection just moved up a layer, so the hand-off must carry structured, schema-validated data rather than free-form prose. Teams under delivery pressure often collapse the boundary into a single free-text string, which quietly re-merges the two models and restores the vulnerability.