# The Icarus Directive: Fly, But Not Too High!
> AI agents promise escape from the labyrinth. The wings are real, but so is the sun. The problem is who is checking the altitude.
[Read on Substack](https://lawwhatsnext.substack.com/p/the-icarus-directive-fly-but-not) · 2026-02-23 · Law What's Next
---
Picture a man in a stone workshop, somewhere beneath the palace of Minos. He is the greatest inventor of his age, and he is trapped. Around him, feathers and wax. Above him, guards. The only way out is up. So he builds something that should not exist, attaches it to his son’s back, and gives him two instructions before they leap from the tower together: do not fly too low, or the sea spray will weigh down the feathers. Do not fly too high, or the sun will melt the wax. Stay in the middle. That is the whole of the safety guidance. Then they jump.
We are at a similar moment with AI agents.
The pitch for tools like Claude Cowork, and the broader category of agentic AI products arriving in 2025 and 2026, is compelling. Connect the AI to your desktop, your files, your browser, your calendar. Let it do the work. Not just generate text for you to paste somewhere, but actually do things: open applications, draft documents, send communications, move through workflows. The escape from the labyrinth of manual knowledge work, the drudgery, and the repetitive overhead that has always sat underneath the interesting parts of legal work starts to look plausible in a way it has not before.
The wings exist. They work. That part is not the problem.
The problem is the altitude guidance that comes with them, and what it reveals about where we actually are.
Anthropic’s own documentation for Cowork tells users to avoid granting access to local files containing sensitive information, to limit the Chrome extension to trusted sites, and to monitor Claude for suspicious actions that may indicate prompt injection. Simon Willison, a respected voice in AI development, sharing his first impressions of Claude Cowork, was direct in his response to that last instruction: it is not reasonable to tell regular, non-programmer users to watch for prompt injection. The complexity of the risk is not one an ordinary office worker can meaningfully manage.
And there is the tension in its full form. The product’s value proposition depends on access. Deep, broad, integral access to your environment, your files, your applications. That access is not a nice-to-have. It is the whole point. An AI agent that cannot touch anything cannot do anything. But the official safety posture is essentially: be careful what you give it access to. Do not let it near the things that really matter.
Daedalus understood every variable in what he had built. He knew the tolerances, the failure modes, the narrow band of altitude where the thing worked as intended. He gave his son the instructions. But how could he have reasonably expected that the experience of suddenly being able to fly, of escaping the labyrinth, of feeling that kind of power and possibility for the first time, would not overwhelm the warnings? The engineers building these tools are not naive. The disclaimers exist because they understand the risks precisely. The question is whether the person now wearing the wings, excited, liberated, keen to see what they can do, is going to remember the altitude guidance once they are in the air.
A note on the analogy: one point of difference is worth flagging. Daedalus was an engineer solving a problem, not a salesman. The instructions were honest because the goal was survival, not market share. The companies commercialising agentic AI are operating under different pressures. The marketing leads with liberation: escape the drudgery, transform your productivity, let the agent handle it. The altitude guidance lives in the documentation. The disclaimer exists to limit liability, not to genuinely inform the decision. That imbalance matters because, in the absence of a regulatory requirement for meaningful disclosure, the enterprise carries the risk while the vendor captures the upside. Until that changes, the onus sits with users and organisations not to let the experience of the wings drown out the instructions that came with them.
This is not a criticism unique to one product. Microsoft’s experimental Agent Workspace for Windows 11 is built around giving AI agents access to key user folders because that is what makes it useful, while simultaneously being designed around scoped authorisation and isolation to limit what the agent can actually reach. Security researchers have called it a potential disaster for the same reason: the access that makes it valuable is the same access that enlarges the blast radius when something goes wrong. Enterprise security advisories on agentic AI make the same observation in more formal language: organisations are integrating agents with both untrusted external data and sensitive internal systems to optimise operations, which presents significant governance challenges. The recommended answer is least-privilege access and tight restriction of what agents can reach.
Fly, but not too high.
For legal teams specifically, this is not an abstract concern. Privileged communications. Regulatory correspondence. Deal documents at sensitive stages. The files that matter most in a legal function are exactly the files that would make an AI agent most useful if connected, and exactly the files that represent the most serious exposure if something goes wrong. A prompt injection attack is one in which hidden instructions embedded in a document, an email, or a web page cause an agent to act outside its intended instructions and against the interests of the person it is supposed to be serving. Tom covered the mechanics of this in detail in an earlier Law://WhatsNext piece, Your AI Assistant Might Be Taking Instructions From Someone Else, which is worth reading if you want to understand how these attacks are constructed and why they are so difficult to prevent at a technical level. Two recent cases show what that looks like in practice.
In January 2026, security researchers at PromptArmor disclosed a vulnerability in Claude Cowork where a hidden instruction embedded in an ordinary document could silently cause the agent to upload other local files from the user’s machine to an attacker’s Anthropic account. No additional clicks required. No visible warning. The only precondition was that the user had granted Cowork access to a local folder, which is exactly the setup the product encourages so the agent can help with your work. A demo showed a real estate document containing financial data and partial social security numbers being obtained through this chain without any human approval step. The Register, covering the disclosure, noted that Anthropic had been warned about the underlying vulnerability in Claude chat before Cowork even existed, but had not resolved it before rolling out a more powerful, more deeply connected agent on top of it.
This is not isolated to one vendor or one product. In February 2026, researchers at Zenity Labs demonstrated a similar attack against a Microsoft Copilot Studio customer-service bot, modelled on the kind of setup a large professional services firm might deploy. The bot had been wired into sensitive back-end data sources and configured to respond to incoming emails. Using prompt injection steps, the researchers were able to instruct it to identify connected data sources and then pull large volumes of customer data without any human interaction. The researchers summarised: when agents are connected to sensitive data and tools, they inherit and amplify the risk. That is the sun in the myth. Not a theoretical hazard. A real one, demonstrably present, that grows in proportion to how useful you make the agent.
None of this means the technology is bad. That is not the lesson of the myth either. Daedalus made it to Sicily. The wings worked. The tragedy is not the invention; it is Icarus ignoring, or being unable to stop himself ignoring, the altitude guidance in the excitement of flight. The vendors building these tools are not reckless. The engineers understand the risks, which is precisely why the disclaimers exist. The problem is the gap between who understands the risks and who is actually operating the tools.
In-house legal teams considering agentic AI in 2026 need to think carefully about that gap. Not to avoid the tools, but to fly at the right altitude.
Before you think about what to connect an agent to, take a moment to actually look at what you already have access to. Open your work OneDrive. Look at what has accumulated there: downloads, personal documents handled on a work machine, things that drifted in from other workflows. Now look at your company SharePoint sites. Look at what you can see that has nothing to do with your role, documents left open to the whole organisation, because managing permissions properly takes time and SharePoint literacy that most people do not have. Look at the PowerBI dashboards, the shared drives, the Notion workspaces. All the repositories that became dumping grounds because it was easier to set access to everyone than to think carefully about who actually needed to see what.
That is the environment you would be unleashing an agent into: one that can read your files, watch your browser session, and interact with applications on your behalf. Jake Jones, co-founder of Flank, put it directly in a post this week. Flank uses Cowork extensively and he describes it as a silver bullet, yet his legal and security team has issued guidance against enabling several integrations for the time being. His recommendation: start with Claude chat, connect to specific tools via MCP servers where appropriate, but do not give it carte blanche. That is not a counsel of despair about the technology. It is exactly the altitude guidance Daedalus gave. Fly. Just not into everything at once.
Scoping agent access tightly rather than broadly, giving the AI what it needs for a specific workflow rather than access to your entire environment, is not the timid option. It is the intelligent one. Narrow, well-governed deployments are your proof of concept. You expand permissions when you understand what you are expanding into, not before. If you want to move from awareness to implementation, Peter Lee’s piece on governing agentic AI, published on Law://WhatsNext this month, goes deeper on the practical governance frameworks: role definitions, least-privilege access, approval checkpoints, and the Agent Card concept. It is a natural next step from the argument made here.
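One way to implement the scoping described above, as an added example in Python that is not the article's code nor any vendor's: a gate that confines an agent's tool calls to one workflow folder, refuses tools the workflow was never granted, and routes outbound actions through a human checkpoint, logging every decision so out-of-scope attempts are visible. The workflow, paths, tool names and approval callback are constructed for illustration.

```python
# Added example, not code from the article or any vendor: a least-privilege gate
# between an agent and its tools. Each proposed call is checked against one
# workflow's scope, and every decision is logged so out-of-scope attempts show up.
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable

def path_in_scope(root: Path, candidate: str) -> bool:
    # Resolve '..' and symlinks first, so a relative path cannot escape the folder.
    root_r = root.resolve()
    cand = Path(candidate)
    cand_r = (cand if cand.is_absolute() else root_r / cand).resolve()
    return cand_r == root_r or root_r in cand_r.parents

@dataclass
class WorkflowScope:
    root: Path                 # the one folder this workflow may touch
    allowed_tools: frozenset   # tools the workflow actually needs
    needs_approval: frozenset  # outbound tools a human must confirm each time

@dataclass
class Gate:
    scope: WorkflowScope
    approve: Callable[[str, dict], bool]   # human checkpoint, supplied by caller
    log: list = field(default_factory=list)

    def check(self, tool: str, args: dict) -> str:
        verdict, reason = "allow", ""
        if tool not in self.scope.allowed_tools:
            verdict, reason = "deny", "tool not granted to this workflow"
        elif any(not path_in_scope(self.scope.root, p) for p in args.get("paths", [])):
            verdict, reason = "deny", "path outside the workflow folder"
        elif tool in self.scope.needs_approval and not self.approve(tool, args):
            verdict, reason = "deny", "human approval withheld"
        self.log.append((verdict, tool, args, reason))   # audit trail for review
        return verdict

# Constructed scenario: an NDA-drafting workflow scoped to a single deal folder.
NDA_SCOPE = WorkflowScope(Path("/work/deals/nda_2026"),            # constructed path
                          frozenset({"read_file", "write_file", "send_email"}),
                          frozenset({"send_email"}))

def gate_sample_calls(approve: Callable[[str, dict], bool]) -> list:
    """Run four constructed calls through the gate and return its decision log."""
    gate = Gate(NDA_SCOPE, approve)
    gate.check("read_file", {"paths": ["draft_nda_v3.docx"]})               # in scope
    gate.check("read_file", {"paths": ["../../home/user/tax/returns.pdf"]})  # escapes
    gate.check("upload_file", {"paths": ["draft_nda_v3.docx"]})             # not granted
    gate.check("send_email", {"to": "x@example.net", "paths": ["draft_nda_v3.docx"]})
    return gate.log
```

The log is the detection side of the same control: a hijacked agent shows up as a run of denied calls against the workflow it was supposed to be serving.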
The middle path in the myth is not the cautious option. It is the necessary one. Daedalus knew what the wings could do and he knew what they could not survive. The GCs and legal ops leaders who navigate this well will be the ones who hold both of those things in mind at the same time: genuine excitement about what agents can do, and a clear-eyed view of what happens if you hand them the keys to everything and something goes wrong.
The wings are real. The sun is also real. Fly accordingly.
This week on Law://WhatsNext, Catie Sheret, General Counsel at Cambridge University Press & Assessment, will host Oliver Patel, Head of Enterprise AI Governance at AstraZeneca, and Peter Lee, Head of AI Governance at Simmons and Simmons, for a conversation that picks up directly from the governance ideas in Peter’s article mentioned above and grounds them in real-world deployment experience. If this piece has you thinking about what the right altitude actually looks like in practice, that episode is the natural next step.
And we are also exploring a live episode with Rok Ledinski, Independent Legal AI and Data Consultant, to go deep on the technical side of what makes LLM architecture vulnerable to the kinds of attacks described here. If that is something you would want to tune in for, let us know in the comments, and we will see if we can make it happen.