ACL & Lethal Trifecta
Access Control Levels and the three-capability threat model Edison Watch enforces against prompt-injection data exfiltration.
Edison Watch prevents data exfiltration by detecting and blocking the combination of capabilities required for an attack.
The Threat: Prompt Injection
AI agents are vulnerable to prompt injection: malicious instructions hidden in external content (like a web page or file) that manipulate the AI into exfiltrating sensitive data.
The Lethal Trifecta
Exfiltration requires three capabilities. Edison Watch tracks these via per-session monotonic flags:
| Capability | Security Flag | Action |
|---|---|---|
| Private Data Access | read_private_data | AI reads internal files, DBs, or docs. |
| Untrusted Content | read_untrusted_public_data | AI fetches data from the internet. |
| External Communication | write_operation | AI sends data out (Slack, Email, APIs). |
Enforcement Logic: If a session has accessed both Private Data AND Untrusted Content, any subsequent External Communication is paused for human approval.
Session State
State is tracked in the Edison server and is monotonic: once a flag is set (e.g., Private Data accessed), it cannot be unset for that session. This prevents "reset" attacks.
Access Control Levels (ACL)
ACLs prevent sensitive data from flowing to lower-sensitivity destinations regardless of the Trifecta state.
| Level | Rule |
|---|---|
| PUBLIC | Can flow anywhere. |
| PRIVATE | Cannot flow to PUBLIC. |
| SECRET | Cannot flow to PRIVATE or PUBLIC. |
Example: If an agent reads a database marked SECRET, it is immediately blocked from posting to a PUBLIC Slack channel.
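The two checks described above, the monotonic trifecta flags and the ACL flow rule, combined into one decision function. This is an added example, not Edison Watch's own code: the `Tool` and `Session` classes, the sample tool names, and the choice to evaluate the ACL rule before the trifecta rule are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # ACL levels from the table, ordered by sensitivity
    PUBLIC = 0
    PRIVATE = 1
    SECRET = 2

@dataclass(frozen=True)
class Tool:  # hypothetical tool descriptor, not Edison Watch's schema
    name: str
    level: Level  # sensitivity of the data source or destination
    read_private_data: bool = False
    read_untrusted_public_data: bool = False
    write_operation: bool = False

class Session:
    """Per-session state; flags only ever move from False to True."""
    def __init__(self):
        self.read_private_data = False
        self.read_untrusted_public_data = False
        self.write_operation = False
        self.max_level_read = Level.PUBLIC  # highest ACL level read so far

    def check(self, tool: Tool) -> str:
        """Return 'allow', 'pause' (human approval) or 'block' for a call."""
        if tool.write_operation:
            # ACL rule: data may not flow to a lower-sensitivity destination.
            if tool.level < self.max_level_read:
                return "block"
            # Trifecta rule: private + untrusted already seen, now a write.
            if self.read_private_data and self.read_untrusted_public_data:
                return "pause"
        else:
            self.max_level_read = max(self.max_level_read, tool.level)
        # Monotonic update: flags are OR-ed in and there is no code path
        # that clears them, so a session cannot be "reset".
        self.read_private_data |= tool.read_private_data
        self.read_untrusted_public_data |= tool.read_untrusted_public_data
        self.write_operation |= tool.write_operation
        return "allow"

# Constructed sample tools for illustration only.
FETCH_WEB = Tool("fetch_web", Level.PUBLIC, read_untrusted_public_data=True)
READ_DOCS = Tool("read_docs", Level.PRIVATE, read_private_data=True)
READ_DB = Tool("read_db", Level.SECRET, read_private_data=True)
POST_SLACK = Tool("post_public_slack", Level.PUBLIC, write_operation=True)
POST_INTERNAL = Tool("post_internal_api", Level.PRIVATE, write_operation=True)
```

A paused or blocked call does not set `write_operation` here because the write never happened; that is also an assumption of this sketch.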

