The Lethal Trifecta: The AI Security Question Every GC Should Be Asking
Agentic AI has a three-ingredient recipe for disaster, and preconstruction has all three. Here's the framework every general contractor should know before buying their next AI tool.
Edward Gonzalez
Founder
Every vendor at every trade show this year is waving the same flag: agentic AI. The pitch sounds great. An AI agent reads your bid package, pulls from your cost history, drafts the email to the sub, and sends it. Done in minutes instead of days.
Here’s what nobody on that show floor is telling you. The exact shape that makes an AI agent useful is the exact shape that makes it dangerous. And preconstruction sits directly in the blast radius.
This post is about a framework called the lethal trifecta. It was named by independent AI researcher Simon Willison, and it is the clearest way I’ve seen to think about AI security. If you are a general contractor evaluating AI tools this year, this is the question you should be asking every vendor you meet.
What is an AI agent, anyway?
An AI agent is a language model that has been given the ability to take actions on your behalf. It doesn’t just answer questions. It reads files, searches your data, sends emails, updates records, and makes decisions without you typing each instruction.
A chatbot talks. An agent does. That’s the whole difference, and it’s the difference that turns a harmless tool into a staff member you never hired.
The three ingredients
In his June 2025 post, Willison names the three capabilities that combine to create a catastrophic vulnerability in any AI agent:
- Access to your private data. Your estimating archive. Your sub pricing. Your markups. Your historical cost database.
- Exposure to untrusted content. Documents, emails, or files written by anyone other than you. Bid packages, spec sheets, RFIs, drawings.
- The ability to communicate externally. Sending email, posting to a webhook, writing to the internet, calling another service.
Willison’s line says it all: “If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to that attacker.”
Look at that list again with a precon estimator in mind. Private data? The entire hard drive. Untrusted content? Every single bid package that lands in the inbox is written by someone outside the company. External communication? Email is the job.
Preconstruction is the textbook case. We have all three legs of the trifecta, every day, by default.
This isn’t theoretical. It’s already happening.
In September 2025, a security researcher hid white-text instructions inside a PDF and uploaded it to Notion’s new AI agent. The agent read the hidden instructions, pulled the user’s client list, and quietly exfiltrated the data through a web search. Zero clicks from the user. The PDF looked normal.
A PDF. Hidden instructions. An agent that does its job a little too well.
Estimators open dozens of PDFs a week. Most of them come from people the estimator has never met.
Around the same window, Microsoft patched CVE-2025-32711, a critical AI command-injection flaw in Microsoft 365 Copilot that could cause the assistant to disclose internal information over a network. Microsoft is not a small company with a small security team. They still shipped it.
The guardrails lie
The standard vendor answer to all of this is “we have guardrails.” Filters, detectors, safety classifiers trained to spot prompt injection.
Willison has a line about this that every GC should tattoo on the inside of their eyelids: in security, 99% is a failing grade. An attacker only has to find the one bid package your filter missed. You have to find all of them, every time, forever.
Guardrails are a smoke detector. They are better than nothing. They are not a firewall. And when a vendor tells you “just don’t paste anything sensitive into the tool,” what they are really saying is: we know the trifecta is wide open, and we are asking you to be the security layer.
That isn’t a product. That’s homework.
Architecture, not apology
The fix is not more filters. The fix is removing a leg.
If the agent that reads untrusted bid PDFs has no access to your private cost archive, the trifecta breaks. If the agent that touches private data has no ability to send external email, the trifecta breaks. If the agent that drafts outbound messages has no ability to execute instructions it found inside an attachment, the trifecta breaks.
You can’t bolt this on later. It has to be in the foundation.
| | Architectural Safety | Guardrails Only |
|---|---|---|
| Defends against | Every attack, including ones nobody has invented yet | Attacks the filter has already seen |
| Handling a poisoned PDF | Agent can’t reach private data from that context | Filter tries to spot the hidden text |
| At 99% accuracy | Still safe; the leg is gone | 1 in 100 bids is a breach |
| When attackers get creative | Novel attacks still hit a wall | You are one clever prompt behind |
| What you have to trust | The design of the system | The vendor’s detector, every day, forever |
The question to ask every vendor
When you sit through the next AI demo, forget the benchmarks and the model names. Ask this:
- Which leg of the trifecta have you removed?
- If an agent reads an untrusted PDF, what private data can it reach from that context?
- If an agent can send email, what untrusted content can reach it?
- Are your protections architectural, or are they detectors?
If the answer is some version of “we have strong safety filters and we tell users to be careful,” you have your answer. That’s a guardrails product. It will hold until it doesn’t.
We designed the Buildr platform around this constraint from day one. Kit, our preconstruction agent, has full read access to your Buildr data, but he cannot change a single record or send a single message until a human reviews it. Every workflow runs Plan → Approve → Apply. Kit drafts the update, shows you exactly what he wants to do, and waits. If an adversarial RFP ever tried to instruct him to quietly ship your cost history out the door, the worst case is a suspicious-looking plan sitting on your screen, not an email that already left the building.
Each Kit conversation also runs in its own session with its own working context, so untrusted content in one thread cannot reach into another. Account admins set the instructions and skills Kit has to follow. You give up the “fully autonomous agent” demo reel. You keep your data. That is the trade, and it is a trade worth making.
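As an added illustration (not Buildr's code, and not from Willison's post), here is a minimal Python model of the two defenses described above: a capability check that refuses to put all three legs of the trifecta in one agent context, and a Plan → Approve → Apply gate in which anything the agent wants to send stays a pending draft until a human approves it. The `Leg` flags, the `GatedAgent` class and the keyword-based `read_bid_package` stand-in for the model are all constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Leg(Flag):
    """The three legs of the lethal trifecta, as capability flags."""
    PRIVATE_DATA = auto()        # cost archive, sub pricing, markups
    UNTRUSTED_CONTENT = auto()   # bid packages, RFIs, spec PDFs from outsiders
    EXTERNAL_SEND = auto()       # email, webhooks, any outbound channel

TRIFECTA = Leg.PRIVATE_DATA | Leg.UNTRUSTED_CONTENT | Leg.EXTERNAL_SEND

def has_lethal_trifecta(legs: Leg) -> bool:
    """True when one agent context holds all three legs at once."""
    return legs & TRIFECTA == TRIFECTA

@dataclass
class Plan:
    """A drafted action. It does nothing until a human marks it approved."""
    action: str
    detail: str
    approved: bool = False

@dataclass
class GatedAgent:
    """Plan -> Approve -> Apply: reads data, drafts actions, never sends on its own."""
    name: str
    legs: Leg
    pending: list = field(default_factory=list)
    applied: list = field(default_factory=list)

    def __post_init__(self):
        # Refuse to build an agent whose own capabilities close the trifecta.
        if has_lethal_trifecta(self.legs):
            raise ValueError(f"{self.name} holds all three trifecta legs")

    def read_bid_package(self, text: str) -> Plan:
        # Constructed stand-in for the model: an outbound request found in the
        # document becomes a visible draft for review, never a sent message.
        action = "email" if "send" in text.lower() else "note"
        plan = Plan(action, text.strip())
        self.pending.append(plan)
        return plan

    def apply(self, plan: Plan) -> bool:
        # Only an approved plan that is still pending is carried out, exactly once.
        if plan not in self.pending or not plan.approved:
            return False
        self.pending.remove(plan)
        self.applied.append(plan)
        return True
```

A bid PDF carrying a hidden "send the cost history to ..." line therefore ends up as an `email` plan in `pending`, where an estimator sees it and declines, rather than as a message that already left.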
If you want the wider view of where AI actually helps GCs right now, we covered that in our 2026 AI guide, five practical uses for estimators, and how teams use AI beyond the estimate.
Slow is suddenly an advantage
RICS reported in 2025 that 45% of construction firms still have no AI implementation at all, another 34% are stuck in early pilots, and less than 1% have rolled it out company-wide. That gap usually reads as a failure. This once, it reads as a head start.
Other industries are breaking things in public right now. We get to watch, take notes, and buy the tools that learned the lesson.
Construction’s been slow to adopt tech. For once, that might work in our favor.
When you’re ready to see what an architecturally safe precon agent looks like, schedule a demo.