AS-301e · Module 2

Separation of Data and Action

The most effective architectural defense against exfiltration is separating the agent that has access to sensitive data from the agent that can take external actions. The reader agent can query the database but cannot send emails. The writer agent can send emails but cannot query the database. A successful injection against the reader yields data but no exfiltration channel. A successful injection against the writer yields an exfiltration channel but no data. Neither agent alone can complete the exfiltration chain.

Do This

  • Separate data access and external action into different agent roles with non-overlapping permissions
  • Route data between agents through a mediation layer that validates the transfer against policy
  • Log every data handoff between agents for forensic reconstruction of any exfiltration attempt

Avoid This

  • Give a single agent both data access and external communication capability — that is the complete exfiltration chain in one process
  • Allow direct agent-to-agent data transfer without mediation — the mediation layer is the policy enforcement point
  • Skip logging on internal data transfers — the most dangerous exfiltration paths are internal before they become external
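
The mediation and logging steps from the Do This list, as an added Python example that is not part of the original module. The role names, capability labels, field allowlist and size limit are assumptions made for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field

# Hypothetical role names and capability labels; permissions must not overlap.
ROLE_CAPS = {
    "reader": frozenset({"db.query"}),
    "writer": frozenset({"email.send"}),
}
# Constructed policy: fields allowed to cross reader -> writer, plus a size limit.
POLICY = {("reader", "writer"): {"fields": {"ticket_id", "status"}, "max_bytes": 512}}


def check_separation(role_caps):
    """Return True only if no capability is held by more than one role."""
    seen = set()
    for caps in role_caps.values():
        if seen & caps:
            return False
        seen |= caps
    return True


@dataclass
class Mediator:
    audit_log: list = field(default_factory=list)

    def handoff(self, src, dst, payload):
        """Validate a transfer against POLICY, log it, return (allowed, data)."""
        rule = POLICY.get((src, dst))
        body = json.dumps(payload, sort_keys=True).encode()
        if rule is None:
            reason = "no policy for route"
        elif set(payload) - rule["fields"]:
            extra = sorted(set(payload) - rule["fields"])
            reason = "fields not allowed: " + ",".join(extra)
        elif len(body) > rule["max_bytes"]:
            reason = "payload too large"
        else:
            reason = None
        # Log every handoff, allowed or denied; keep a digest, not the data.
        self.audit_log.append({
            "ts": time.time(), "src": src, "dst": dst,
            "fields": sorted(payload),
            "sha256": hashlib.sha256(body).hexdigest(),
            "allowed": reason is None, "reason": reason,
        })
        return (reason is None, payload if reason is None else None)
```

Denied transfers are logged alongside allowed ones, so the audit trail shows what a compromised reader tried to pass as well as what actually reached the writer.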