AI Infrastructure · Deep dive 03

Connecting agency data to AI without opening an exfil path

EchoLeak showed a single email could make Copilot leak internal files. Here is how we wire data to a model with least-privilege retrieval and no vendor lock-in.

Draft outline · Security / vendor economics lens

The anchor

In June 2025 Aim Security disclosed EchoLeak (CVE-2025-32711, reported around CVSS 9.3), the first documented zero-click prompt-injection exploit against a production AI system: a single crafted email made Microsoft 365 Copilot read internal files and exfiltrate them. Connecting your data to an assistant is a data-exfiltration surface, and it must be designed as one.

Sources we build on

Journalism: WIRED / The Register on EchoLeak
Independent reporting on the first zero-click AI data-exfiltration exploit and its significance.

Primary

The authoritative framework naming the lethal-trifecta pattern and the design controls.

Article outline
  1. EchoLeak in plain terms. Untrusted content plus data access plus an exfil channel.
  2. The lethal trifecta. Why those three together are the danger.
  3. Least-privilege retrieval. The assistant sees only what this user may see.
  4. Output and egress controls. Cutting the exfiltration channel.
  5. No lock-in. An abstraction over the model so the agency can swap it.
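Sections 3 and 4 of the outline are the two controls that matter most. As an added illustration (not code from the article or from the product it describes), the block below shows both in one place: retrieval that filters documents by the requesting user's entitlements before anything is ranked or handed to the model, and an egress filter that strips markdown image embeds and any outbound link whose host is not on an allow-list, returning what it blocked so it can be logged. The corpus, users, group names and the allow-listed host are all constructed for the example.

```python
"""Least-privilege retrieval plus output egress control.

Added example, not part of the outline or any product code. The documents,
principals, group names and the allow-listed host are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    readers: frozenset  # principals or groups entitled to open this document


@dataclass(frozen=True)
class Principal:
    user_id: str
    groups: frozenset


# Constructed corpus: each document carries its own reader list.
CORPUS = [
    Document("hr-001", "Leave policy: staff accrue 20 days per year.", frozenset({"all-staff"})),
    Document("fin-042", "Q3 vendor payments are scheduled for the 15th.", frozenset({"finance"})),
    Document("exec-007", "Board pack: restructure proposal (draft).", frozenset({"exec"})),
]


def visible_documents(principal, corpus):
    """Entitlement pre-filter applied before ranking, so the model is never
    handed text the user could not open themselves."""
    entitlements = principal.groups | {principal.user_id}
    return [d for d in corpus if d.readers & entitlements]


def retrieve(principal, query, corpus=CORPUS, k=3):
    """Naive keyword ranking over the entitlement-filtered subset only."""
    terms = set(re.findall(r"\w+", query.lower()))
    scored = []
    for doc in visible_documents(principal, corpus):
        overlap = len(terms & set(re.findall(r"\w+", doc.text.lower())))
        if overlap:
            scored.append((overlap, doc))
    scored.sort(key=lambda pair: -pair[0])
    return [doc for _, doc in scored[:k]]


# Egress control: the assistant may only emit links to allow-listed hosts.
ALLOWED_HOSTS = {"intranet.example.gov"}  # constructed allow-list
_URL = re.compile(r"https?://([^/\s)]+)[^\s)]*")
_MD_IMAGE = re.compile(r"!\[[^\]]*\]\([^)]*\)")


def filter_egress(answer):
    """Strip markdown image embeds (auto-fetched by many renderers) and any URL
    whose host is not allow-listed. Returns (clean_text, blocked) so every
    removal can be logged and alerted on."""
    blocked = []

    def drop_image(match):
        blocked.append(match.group(0))
        return "[image removed]"

    def check_url(match):
        if match.group(1).lower() in ALLOWED_HOSTS:
            return match.group(0)
        blocked.append(match.group(0))
        return "[link removed]"

    text = _MD_IMAGE.sub(drop_image, answer)
    text = _URL.sub(check_url, text)
    return text, blocked


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"all-staff"}))
    print([d.doc_id for d in retrieve(alice, "vendor payments leave policy")])
    print(filter_egress("See https://intranet.example.gov/policy and ![x](https://external.example/?q=1)"))
```

The order matters: the entitlement filter runs before ranking, not after, so a high-scoring document the user cannot read never enters the prompt. The egress filter returns the blocked items rather than silently dropping them; a spike in removed links is itself a detection signal worth routing to the SOC.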

How it aligns to what we do

Security-led but paired with vendor economics: least-privilege retrieval and an abstraction layer that avoids lock-in. It reflects the product's promise to build the plumbing without tying the agency to one vendor, and grounds it in a headline exploit.

Points to hit

Control it ratifies
ISM / E8: Supports ISM access-control and data-handling controls by scoping AI retrieval to user entitlements and constraining output channels.