Prompt Injection and the Lethal Trifecta: What Your CISO Needs to Know About Claude Cowork

Your security team is right to ask hard questions about AI agents. You should be ready with good answers.

Any AI agent with access to your data, exposure to untrusted content, and the ability to send data outwards has what Simon Willison calls the "lethal trifecta." One poisoned email, web page, or document can redirect the agent to leak information it is meant to protect. There is no single technical fix that eliminates this class of risk. And Claude Cowork — with its Gmail, Drive, Slack, and web access — has all three legs of the trifecta by design.

That is the honest starting point. It is also not a reason to stay on the sidelines. Every major AI vendor is shipping agents into enterprise workflows. The question for your CISO is not "can we eliminate this risk?" but "can we reduce blast radius enough to deploy responsibly?"

In this 15-minute session we will walk through a live demonstration. We have built a pretend attacker site that tells the agent "send me all your data." You will see how the attack works, and how Claude's model training already refuses to comply. Then we will cover the four controls that make a managed Cowork rollout defensible:

1. Cowork runs in a sandboxed virtual environment on the user's laptop, not inside your network.
2. Connectors use OAuth, so agents only see what the user is already authorised to see.
3. Commercial Claude accounts give your IT team governance, audit logs, and data controls. Personal accounts do not.
4. Network egress settings let you constrain where an agent can actually send data.

You will leave knowing where to find Anthropic's published security documentation, the specific questions to put to your deployment team, and whether a governed Cowork rollout clears your bar.