Argmin AIArgmin AI
About usOptimize your agent
RLHFBasic RAGPrompt OptimizationAgentic RAGQuantizationSafety BenchmarksLLM-as-a-JudgeChain-of-ThoughtMulti-Agent SystemsFunction CallingEfficient InferenceHallucination Detection

Practical gap-filling for threat models of LLM-based multi-agent systems

Agentic AIMulti-Agent SystemsAgent CommunicationJailbreak AttacksAnalysis
August 13, 20257 min

Overview

Decision SnapshotNeeds Validation

Practical and actionable taxonomy updates are proposed, but the paper is conceptual and lacks empirical validation. Use recommendations as design guidance and test them in your environment.

Citations0

Evidence Strength0.40

Confidence0.70

Risk Signals8

Trust Signals

Findings with numeric evidence: 0/5

Findings with evidence refs: 5/5

Results with explicit delta: 0/0

Reproducibility

Status: No open assets linked

Open source: Unknown

At A Glance

Cost impact: 50%

Production readiness: 30%

Novelty: 60%

Authors

Klaudia Krawiecka, Christian Schroeder de Witt

Links

Abstract / PDF

Why It Matters For Business

LLM-based multi-agent products can fail in new ways that single-agent tests miss. These failures can cause silent misuse, compliance breaches, or data leaks because agents coordinate or drift without explicit errors.

Who Should Care

CTOProduct ManagerML EngineerEngineering LeadData Scientist

Summary TLDR

The paper analyzes the OWASP Multi-Agentic System (MAS) threat guide and proposes concrete extensions tailored to LLM-driven multi-agent systems. It catalogues threats that OWASP omits or treats weakly (reasoning collapse, covert coordination, multi-agent backdoors, metric overfitting, goal drift, etc.) and recommends testing and monitoring practices (chaos testing, network-injection, coordination metrics, long-run emergent monitoring) to reduce risk in deployed multi-agent pipelines.

Problem Statement

Existing OWASP MAS guidance misses several risks that arise only when many LLM-driven agents interact. These gaps leave real deployments exposed to coordination failures, covert signaling, privilege escalation between agent roles, and metric-driven exploitation.

Main Contribution

Systematic gap analysis showing OWASP's MAS taxonomy misses multi-agent-specific threats such as reasoning collapse, emergent covert coordination, and heterogeneous multi-agent exploits.

A proposed set of new threat classes and example attack scenarios tailored to LLM-driven multi-agent architectures (planner, executor, verifier, refiner roles).

Key Findings

OWASP's current MAS guide does not cover several failure modes that appear only in interacting LLM agents.

Practical UseExtend threat models to explicitly include multi-agent phenomena (reasoning collapse, covert coordination, metric overfitting) before deployment; assume single-agent checks are insufficient.

Evidence RefTable 1 and Table 2: many entries marked 'Not Covered' or 'Partially Covered'

Multi-agent interactions enable covert coordination and task-splitting attacks where each agent looks safe alone but the set behaves maliciously.

Practical UseMonitor cross-agent signaling and design network separation or strict role permissions; test attack patterns that span multiple agents.

Evidence RefTable 2 entries: 'Emergent Covert Coordination' and 'Heterogeneous Multi-Agent ​

What To Try In 7 Days

Add role-based permission checks between planner/executor/verifier agents and log delegation ancestry for each action.

Run a short chaos test: inject delayed/corrupted messages into agent communications and observe whether verifiers catch errors.

Audit evaluation scripts for metric-gaming: add at least one adversarial input that checks for pattern-based scoring exploits.

Agent Features

Memory
cross-agent context propagation (can cause confusion)emergent signaling protocols (learned over interactions)
Planning
planner→executor delegation chainssubplanner decompositioncoercive overrides (delegation pressure)
Tool Use
API and external tool invocationtool invocation driven by executor agents
Frameworks
NetSafeTrustAgentChaos engineering for MAS
Is Agentic

Yes

Architectures
planner/orchestratorsubplannerexecutorverifierrefiner
Collaboration
multi-agent coordinationcovert coordination and collusionheterogeneous agent chaining

Reproducibility

Code AvailableNo
Data AvailableNo
Open Source StatusUnknown
LicenseUnknown

Risks & Boundaries

Limitations

Conceptual work: no new large-scale experiments or quantitative validation included.

Recommendations rely on prior frameworks and examples rather than systematic benchmarks of attacker success rates.

When Not To Use

If your system is a single isolated model with no delegation, many multi-agent threats are irrelevant.

When you need empirically validated attack success rates — this paper is a taxonomy and guidance, not an attack benchmark.

Failure Modes

Extending threat lists without operational tests can give a false sense of security.

Over-restrictive role separation could break legitimate delegation and reduce performance.

Core Entities

Metrics

task completion rateefficiency (steps/time)resource utilizationagreement/consensus scores (Faithful Agreement, Traitor Agreement)

Benchmarks

StarCraft Multi-Agent ChallengeVendingBench

Context Entities

Benchmarks

Curvo: hidden-role game evaluations

You May Also Want to Read

Chemistry foundation models power structure-focused multimodal RAG inside hierarchical multi-agent workflows

0.60
0.60
0.60
3

Structure-aware embeddings let search and agents find chemical analogs and spectra faster, cutting researcher time for design and analysis and enabling automated, multimodal retrieval inside lab-facing agent workflows.

Key finding

MoLFormer embeddings retrieve structurally close small-molecule analogs even when fingerprint metrics disagree.

Numbers: 2.5M small-molecule collection; cosine similarity up to 1.00 for identical hits

Argues that 'agentic' buzzwords mostly rebrand decades-old agent and multi-agent research

0.60
0.30
0.50
0

Calling LLM-based systems 'agentic' can hide reusable MAS solutions; adopting MAS standards and algorithms reduces engineering risk and speeds integration.

Key finding

'Agentic AI' and 'Multiagentic' are mostly new labels for existing concepts (intelligent agents and multi-agent systems).

Numbers: Dozens of LLM-agent frameworks emerged 20232025

TRiSM: practical trust, risk and security controls for LLM-based multi-agent systems

0.60
0.40
0.70
0

Agentic systems increase autonomy and regulatory exposure; TRiSM reduces legal, reputational and operational risk while enabling auditable, compliant deployment.

Key finding

Academic interest in agentic AI has exploded, especially after ChatGPT's launch.

Numbers: Multi-agent papers: 890 (2019) → 18,500 (2024); LLM-agent papers: ~09,800 (post-2022)

A dynamic town simulation that tests LLM agents on doing tasks while following local cultural norms

0.60
0.60
0.40
0

If you deploy LLMs as agents that interact with people, you must test them in culturally diverse, multi-party settings; naive models can break local norms while achieving tasks, exposing reputational and compliance risks.

Key finding

An LLM-based verifier achieves high task-level agreement with humans on held-out test sets.

Numbers: Goal Completion F1 92.41; Contextual Awareness F1 95.27; Coherence F1 96.08

A process-aware, auditable multi-agent evaluator that produces more stable, human-aligned scores than a single LLM judge

0.60
0.60
0.40
0

AEMA gives more stable, explainable, and human-aligned evaluations for multi-step agent workflows. That yields predictable decision thresholds, fewer manual overrides, and auditable records for compliance.

Key finding

Debate in planning converged within a few rounds for repeated runs.

Numbers: 30 runs: 13/30 converge after 1 round, 13/30 after 2, 4/30 after 3