The FAIR Institute Blog

In Case You Missed It: Managing the Lethal Trifecta of Third-Party & Agentic AI Risk

Written by Jacqueline Lebo, Head of AI Workgroup | Jul 3, 2026 11:13:45 AM

The FAIR Institute’s AI Workgroup recently hosted an interactive open forum diving deep into two of the fastest-moving frontiers in cybersecurity: Third-Party AI and Agentic AI risk.

We were thrilled to host an incredible panel of experts who are actively building the frameworks to manage these emerging threats:

  • Dan Holland, Deputy CISO at Tampa General Hospital
  • Arun Pamulapati, Principal Security Engineer at Databricks and co-author of the Databricks AI Security Framework (DAS)
  • Abhiram (Abhi) Arikapudi, Senior Director of Security Engineering at Databricks
  • Jacqueline Lebo, Head of AI Workgroup, Director of Risk Advisory, SAFE Security

When Arun and Jackie founded the AI Workgroup a few years ago, the mission was simple: make AI risk understandable. Today, that mission has evolved. We are focused on helping cybersecurity practitioners move at the speed of business by translating highly unpredictable, predictive AI systems into defensible, quantified risk metrics.

If you couldn't make the live session, here is a breakdown of the core strategies, architectural frameworks, and real-world takeaways discussed.

1. Moving from Static Questionnaires to Evidence-Based AI Tiering

Dan Holland kicked off the conversation by pulling back the curtain on how a major healthcare system like Tampa General safely steers heavy corporate investments in AI.

Dan dropped a truth bomb that every security leader needs to hear: the era of the static, 200-question vendor questionnaire is dead. It burns out analysts, frustrates vendors, and creates massive internal bottlenecks. Even worse, asking questions you don’t actually need data on introduces severe legal liability; if a vendor discloses a risk condition in a spreadsheet that your team never thoroughly reviews or acts upon, you lose plausible deniability.

Instead, Tampa General shifted to an evidence-based architecture review—demanding data flow diagrams, network architecture charts, model cards, and AI Software Bills of Materials (AI SBOMs) to see precisely how data transits a system.

To streamline governance, Dan’s team breaks incoming AI systems into four distinct classes:

  1. Deterministic Models: Where the primary concern is model drift over time.
  2. Probabilistic Models: Where teams look out for novel inputs like prompt injection.
  3. Decision Support Tools: Where the focus is validating strict human-in-the-loop oversight.
  4. Agentic Tools: Where autonomous execution requires rigorous isolation.

By classing systems upfront, they route workflows through a tiered governance funnel—ranging from Exempt (trusted vendors with no clinical impact or patient data), to Expedited Review (moderate risk voted on via consent agendas), to a Full Monthly Cross-Functional Review looking at utility, ethics, compliance, patient safety, and educational impact.

2. Demystifying the Anatomy of an AI Agent

As the conversation shifted toward the technical controls necessary to secure these classes, Arun Pamulapati introduced the freshly released Databricks AI Security Framework (DAS) 3.0.

While traditional AI models function primarily as predictive or retrieval mechanisms where a human explicitly handles the data input, Agentic AI represents a paradigm shift. Agents are inherently autonomous; they evaluate a goal, decompose it into micro-tasks, and independently fetch the data or call the APIs necessary to complete the job.

To threat-model an agent effectively, Arun noted that you have to look past the core model and analyze its entire anatomy:

  • Agent Core: The untrusted code that decomposes goals and delegates tasks.
  • Persistence Layer: The long-term storage where the agent maintains its state and remembers its progress.
  • Tools & Actions: The execution vectors, such as Model Context Protocol (MCP) tools hooking into Google Drive, Jira instances, or corporate databases.
  • Secure Sandbox: The isolated compute environment where the agent executes commands safely away from core infrastructure.
  • Governance & Observability: The logging, guardrails, and audit trails tracking every micro-action the agent takes.

3. The "Lethal Trifecta" and the Rule of Two

When you threat-model those structural components, the interaction of simple risks can quickly aggregate into an enterprise nightmare. Arun and Abhi highlighted what they call the Lethal Trifecta.

An architectural design flaw occurs when a single AI agent is simultaneously granted all three of the following conditions:

  • Untrusted inputs: the agent processes content from parties it cannot vouch for (customer messages, inbound documents).
  • Private data: the agent can read sensitive records (user profiles, patient data).
  • State changes: the agent can act on backend systems (rewriting a record, changing an account setting).

The Lethal Trifecta Rule: If an agent possesses all three of these capabilities at once, you are entirely leaving enterprise security to chance.

Abhi shared a classic example of this failure design pattern in the wild: Meta’s recent support bot vulnerability, where attackers took over roughly 20,000 Instagram accounts. The bot took untrusted inputs (hackers claiming account ownership), had access to private data (user profiles), and had the ability to change state (rewriting the associated profile email address without human verification).

How to Apply the "Rule of Two"

To mitigate this, organizations must enforce a strict Rule of Two—never allow an agent to possess more than two components of the trifecta simultaneously.

  • If an agent processes untrusted customer inputs and has access to private data, its backend tool permissions must be strictly read-only (No state changes).
  • If an agent must execute action workflows that change state based on untrusted inputs (like Dan’s real-world use case of an agent parsing incoming public medical faxes and writing them directly to a patient’s medical record), you must break the single agent design apart. Use one isolated agent to parse and sanitize the input, run it through strict sandboxing and validation guardrails, and pass it to a secondary, dedicated execution agent with human-in-the-loop checkpoints triggered by low confidence scores.
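The following is an added worked example, not code from the panel, Databricks or the FAIR Institute. It turns the Rule of Two into a static check that can run in a review pipeline: each agent's trifecta conditions are derived from whether it accepts untrusted input and from the read/write grants of its tools, an agent holding all three fails, and a trifecta agent is split into a read-only parser plus an executor that only sees validated input, with a confidence-based human-in-the-loop checkpoint between them. The agent names, tool names, the 0.9 threshold and the record fields are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Cap(Enum):
    """The three conditions of the Lethal Trifecta."""
    UNTRUSTED_INPUT = "untrusted_input"
    PRIVATE_DATA = "private_data"
    STATE_CHANGE = "state_change"


@dataclass(frozen=True)
class Tool:
    name: str
    reads_private_data: bool = False
    writes_state: bool = False


@dataclass(frozen=True)
class AgentSpec:
    name: str
    accepts_untrusted_input: bool
    tools: tuple  # tuple of Tool


def capabilities(agent: AgentSpec) -> set:
    """Derive which trifecta conditions an agent holds from its input trust and tool grants."""
    caps = set()
    if agent.accepts_untrusted_input:
        caps.add(Cap.UNTRUSTED_INPUT)
    if any(t.reads_private_data for t in agent.tools):
        caps.add(Cap.PRIVATE_DATA)
    if any(t.writes_state for t in agent.tools):
        caps.add(Cap.STATE_CHANGE)
    return caps


def violates_rule_of_two(agent: AgentSpec) -> bool:
    """Rule of Two: an agent may hold at most two of the three conditions."""
    return len(capabilities(agent)) == 3


def split_agent(agent: AgentSpec) -> tuple:
    """Break one trifecta agent into (parser, executor).

    The parser keeps the untrusted input but only read-only tools; the executor keeps
    the writing tools but only ever receives structured, validated input from the gate.
    """
    read_only = tuple(t for t in agent.tools if not t.writes_state)
    writers = tuple(t for t in agent.tools if t.writes_state)
    parser = AgentSpec(f"{agent.name}-parser", accepts_untrusted_input=True, tools=read_only)
    executor = AgentSpec(f"{agent.name}-executor", accepts_untrusted_input=False, tools=writers)
    return parser, executor


# Hypothetical: the executor only accepts records with a well-formed identifier.
PATIENT_ID = re.compile(r"^MRN-\d{4,}$")
CONFIDENCE_THRESHOLD = 0.9  # assumed cut-off for routing to a human


def route_parsed_record(record: dict, threshold: float = CONFIDENCE_THRESHOLD) -> str:
    """Deterministic checkpoint between parser and executor.

    Returns "reject" for malformed output, "human_review" when the parser's confidence
    is below the threshold, and "executor" only when both checks pass.
    """
    patient_id = record.get("patient_id")
    if not isinstance(patient_id, str) or not PATIENT_ID.match(patient_id):
        return "reject"
    if float(record.get("confidence", 0.0)) < threshold:
        return "human_review"
    return "executor"


# Constructed agents modelled on the two cases discussed above.
SUPPORT_BOT = AgentSpec("support-bot", accepts_untrusted_input=True, tools=(
    Tool("read_profile", reads_private_data=True),
    Tool("update_email", reads_private_data=True, writes_state=True),
))
FAX_INTAKE = AgentSpec("fax-intake", accepts_untrusted_input=True, tools=(
    Tool("lookup_patient", reads_private_data=True),
    Tool("write_record", reads_private_data=True, writes_state=True),
))

if __name__ == "__main__":
    for agent in (SUPPORT_BOT, FAX_INTAKE):
        print(agent.name, sorted(c.value for c in capabilities(agent)),
              "VIOLATION" if violates_rule_of_two(agent) else "ok")
    parser, executor = split_agent(FAX_INTAKE)
    for agent in (parser, executor):
        print(agent.name, sorted(c.value for c in capabilities(agent)),
              "VIOLATION" if violates_rule_of_two(agent) else "ok")
    print(route_parsed_record({"patient_id": "MRN-0001", "confidence": 0.62}))
```

The check is deliberately structural: it reads the agent's declared input trust and tool grants, not the model's behaviour, so it can run against the AI SBOM or architecture review artifacts before anything is deployed.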

4. Fighting Predictive Systems with Deterministic Controls

The consensus among our panelists was clear: you cannot secure a highly fluid, predictive system by using other predictive boundaries alone. You must encircle them with rigid, deterministic security controls.

  • Identity & RBAC: Agents must honor proven, hardcoded authentication protocols. An agent operating on behalf of a user should have fine-grained, role-based access controls that are more restrictive than its human counterpart, strictly limited by the narrow scope of its specific use case.
  • Network & Guardrail Hardening: Just as corporate Data Loss Prevention (DLP) rules prevent an employee from sharing internal files with a personal cloud account, network segmentation must physically block an enterprise agent from reaching the public internet to prevent data exfiltration—forcing the agent to encounter a hard technical blocker when manipulated.
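As an added example (not code from the panel or from DAS 3.0), here is what a deterministic gate around those two controls can look like when it sits between the agent and its tools. The agent's effective permissions are the intersection of the human user's permissions and the use-case scope, so it can never do more than the user and never more than the use case needs; every outbound call is checked against an egress allowlist using the parsed hostname, so a manipulated agent hits a hard block instead of a prompt; and every decision is written to an audit log. The permission names, hostnames and policy sets are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed policy data (hypothetical). The human user may close tickets and read
# HR data, but this use case is scoped to reading and commenting on tickets only.
USER_PERMISSIONS = {"tickets:read", "tickets:comment", "tickets:close", "hr:read"}
USE_CASE_SCOPE = {"tickets:read", "tickets:comment"}
EGRESS_ALLOWLIST = {"jira.internal.example", "drive.internal.example"}

AUDIT_LOG = []  # every gate decision, allowed or denied, lands here


@dataclass(frozen=True)
class ToolCall:
    tool: str
    permission: str  # the permission this call requires
    url: str         # where the tool would send traffic


def effective_permissions(user_perms: set, use_case_scope: set) -> set:
    """The agent never exceeds its user, and never exceeds the use case."""
    return user_perms & use_case_scope


def check_tool_call(call: ToolCall, user_perms=USER_PERMISSIONS,
                    scope=USE_CASE_SCOPE, allowlist=EGRESS_ALLOWLIST) -> tuple:
    """Deterministic checks evaluated outside the model before any tool executes."""
    parsed = urlparse(call.url)
    host = parsed.hostname  # parsed host, not a substring match: "a@b" resolves to b
    if parsed.scheme != "https" or host is None or host.lower() not in allowlist:
        return False, f"egress denied: {host!r} not in allowlist"
    if call.permission not in effective_permissions(user_perms, scope):
        return False, f"permission denied: {call.permission} outside effective scope"
    return True, "allowed"


def gate(call: ToolCall) -> bool:
    """Run the checks and record the outcome for governance and observability."""
    allowed, reason = check_tool_call(call)
    AUDIT_LOG.append({"tool": call.tool, "permission": call.permission,
                      "url": call.url, "allowed": allowed, "reason": reason})
    return allowed


# Constructed calls: one legitimate, one over-privileged, two exfiltration attempts.
SAMPLE_CALLS = (
    ToolCall("jira", "tickets:comment", "https://jira.internal.example/rest/api/2/issue"),
    ToolCall("jira", "tickets:close", "https://jira.internal.example/rest/api/2/issue"),
    ToolCall("http", "tickets:read", "https://paste.example/upload"),
    ToolCall("http", "tickets:read", "https://jira.internal.example@paste.example/upload"),
)

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        gate(call)
    for entry in AUDIT_LOG:
        print(("ALLOW" if entry["allowed"] else "DENY "), entry["tool"], entry["reason"])
```

The point of the host parsing is that the allowlist is compared against what the URL library resolves as the host, so a URL carrying an allowed name in its userinfo component is still denied; the audit log gives the observability layer a per-action record regardless of outcome.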

Looking Ahead

We barely scratched the surface during this forum, running right up against the clock before we could dive into the shifting global regulatory landscape, including the friction points between NIS2, DORA, and the latest high-risk classifications of the EU AI Act.

Because this landscape is shifting beneath our feet daily, the FAIR Institute AI Workgroup will be hosting a follow-up session completely dedicated to AI compliance, cross-border vendor requirements, and regulatory strategy. Stay tuned for details!

In the meantime, we highly recommend downloading the Databricks AI Security Framework 3.0 to review the 35 newly identified technical risks and bidirectional control mappings for your own program. We also recommend reviewing our AI Third-Party whitepaper and the AI Workgroup's recent post on Agentic AI Risk.

Let's continue building security natively into our cultures, enabling our businesses to innovate safely at scale.

Have thoughts on the Rule of Two or how your team tiers AI vendors? Reach out to Dan Holland, Arun Pamulapati, Abhi Arikapudi, or Jacqueline Lebo directly on LinkedIn!