Adversa AI’s ranking of 100 agents across ten categories reveals that only 11 fall into the capable and well-defended quadrant, confirming a power-protection inversion where the most capable systems ship the largest attack surfaces. This is not an implementation flaw but a direct result of the lethal trifecta—private data access, untrusted content exposure, and outbound action capability—required for any agent to function. Computer agents and coding agents exhibit the steepest inversion; the former grants OS-level access with minimal user visibility into execution paths, while the latter embeds agents inside software supply chains where non-deterministic behavior defeats traditional code review. The original coverage correctly flags the desktop confirmation mismatch but understates the downstream effect: compromised coding agents can inject persistent backdoors into production systems that later run in critical infrastructure. Related reporting from MITRE’s ATLAS framework and NIST’s AI RMF 1.0 shows parallel patterns in which autonomy increases both utility and the blast radius of prompt injection or tool misuse. Policy discussions remain focused on model alignment while ignoring the runtime privilege model that makes the trifecta inevitable. The structural outcome is that scaling capability reliably scales systemic risk across the agent ecosystem.