Imagine handing someone the keys to your car and asking them to pick up groceries. If the store is close and your list is simple, there’s little room for error. But as the task grows more complex, like specific brands, dietary restrictions, and a tight budget, the complexity increases. The consequences of this seemingly mundane task going wrong could range from unauthorized purchases all the way to totaling the vehicle.
Many organizations currently face a similar situation in their implementation of AI agents. It’s difficult and expensive to create agents capable of performing all tasks in a workflow at an exceptional level, and until recently, communication between agents and tools lacked a uniform standard: an AI equivalent of what HTTP represents for web connections.
Enter multi-agent systems (MAS), a new AI paradigm that distributes responsibilities across many highly specialized agents, working together to deliver more accurate, relevant results. MAS achieves this by intentionally limiting the scope, access, and domain expertise training of each agent, and increases scalability through modular task execution. The promise of MAS is compelling, but as organizations hand agentic AI the “keys to the castle,” that promise is matched by a deluge of security challenges. Behind the promise lies peril: an expansion of attack surfaces and the imperative to rethink security, trust, and accountability in agentic AI systems.
What are multi-agent systems?
Fundamentally, MAS is a framework for building distributed agentic AI systems. Instead of relying on monolithic AI agents capable of doing many tasks sub-optimally, MAS distributes tasks among agents specialized in only one or a few areas, often having hierarchies or clusters of sub agents. These agents act autonomously but cooperate to achieve individual and shared goals. There are a few key categories of agents to consider within MAS:
- Super agents – Workflow orchestrators within a MAS. Their level of centralization varies by use case, with some simple MAS workflows assigning equal autonomy across all agents.
- Triage agents – Resource allocators responsible for ensuring each agent has access to the tools and resources needed to execute tasks effectively.
- Guardian agents – Validators that act as layers of accountability, testing outputs for accuracy and ensuring adherence to user intent.
Why is MAS suddenly feasible?
The concept of a distributed system or panel of experts is not a new idea, but until recently, communication between AI agents lacked uniform standards to make it feasible. Thanks to the introduction of Anthropic’s Model Context Protocol (MCP), data retrieval and tool access across structured sources now have a universal standard, and thanks to Google’s Agent-to-Agent (A2A) framework, AI agents now have a model-agnostic framework for communicating with other agents via natural language. Put simply, MCP is agent-to-data communication while A2A is agent-to-agent communication.
Three reasons why MAS adoption is imminent
The most formidable roadblocks to producing positive ROI with agentic AI are accuracy, cost, and scalability. MAS, despite the inevitable complexities it will introduce, is one of the most promising mechanisms to optimize all three categories:
- Accuracy – Specialized agents add a modular layer of risk reduction and quality assurance that can be customized to workflow needs. By narrowing the scope of responsibility for each agent, MAS reduces the risk of hallucinations or misinterpretations compared to monolithic models (Yang et al., 2025).
- Cost – While training costs of many specialized agents compared to a generalist agent will vary, the cost of inference in a distributed MAS environment is likely reduced due to lower rates of redundancy and overprocessing (Gandhi, Patwardhan, Vig, & Shroff, 2024).
- Scalability – MAS transforms how scalability works in AI ecosystems. Instead of replacing or retraining entire systems, agents can be added modularly to meet new business demands at lower costs.
When MAS goes right
Let’s use the diagram below to explore a hypothetical use case. Imagine you are a financial advisor and your client, Alice, likes to receive custom reports on her portfolio’s performance.
The super agent receives the prompt, establishes the global intent, and calls the triage agent to determine necessary resources. The triage agent or rules-based engine decides to call the CRM agent for user-specific context, the localization agent for Alice’s country/region, and the portfolio agent for the trading platform data. The compliance agent validates what data and tools are allowed to be accessed for this task before the triage agent proceeds with these calls.
Multi-agent systems are likely to be adopted for the same reasons most organizations rely on hybrid environments: flexibility outweighs most other considerations when balancing performance, security, and cost management.
Each of those downstream agents has additional hierarchies and clusters of sub-agents for specific tasks like personalization or analyzing news, some operating in an interconnected nature, while others are siloed.
Once a report is assembled, it is sent to the compliance agent to verify it meets all regulatory requirements before finally being sent to the guardian agent or human-in-the-loop to validate the output is accurate and meets the client’s intent. The result is accurate and customized delivery of a valuable asset.
What happens when MAS goes wrong?
Let’s imagine your MAS workflow doesn’t get the best-case treatment. Every connection between your agents is a standard API, a common attack vector many organizations are still exposed to.
Your initial prompt has been manipulated by an injection attack with instructions to send Alice’s final report to an attacker’s email address. This shouldn’t be an issue if the compliance agent catches it, but an unsecured API connection enables a spoofing attack. Impersonating the compliance agent, the attacker approves downstream agents to access Alice’s bank account and credit card information and lifts additional restrictions.
Without guardrails, agents see an exponential escalation of privilege, so anything that can be accessed will be accessed. The personalization agent might decide Alice’s savings account balance is pertinent context now, or perhaps the financial analysis agent mistakes proprietary trading algorithms and partnership agreements for relevant inputs for neighboring agents.
Upon reaching the human-in-the-loop or guardian agent for validation, the output looks accurate and aligned to user intent, but we are left with a profuse propagation of trust, disclosure of information, and escalation of privilege across connections. With one simple request, we have eroded trust with our customers and our partners, and exposed countless vulnerabilities.
Reality is somewhere between precision and peril
The average-case operation of multi-agent systems is a middle ground between these two examples wherein the accuracy of outputs notably increases, but securing the attack surface becomes considerably harder. While entirely agentic apps are now technically possible, the most practical implementation of these systems is going to be largely hybrid—integrating both legacy infrastructure and AI components. This shift will not occur overnight, but the complexity of this issue will require proactive collaboration across stakeholders on how to create agentic systems that deliver business value without introducing more risk than reward.
Playbook for protection
Throughout the history of modern applications, we see a recurring cycle of consolidation and hybridization. Enterprises often begin with complete reliance on monolithic platforms but eventually shift toward hybrid portfolios that better balance functional needs and costs. Agentic AI will likely follow the same trajectory. Initial enthusiasm for monolithic platforms will give way to a distributed ecosystem of applications and APIs spanning on-prem, SaaS, edge, and the inevitable tool sprawl we see today. By anticipating this cycle, organizations can take proactive measures to prepare for MAS-driven workflows and the distributed future of AI.
- Secure your APIs – The need for API security looms ever larger at the advent of MCP connections and agentic systems. Solutions need to be comprehensive across all known and unknown APIs, dynamically detect vulnerabilities, and offer continuous visibility.
- Require explainability behavior – While the AI “black box” still exists, agents with intentionally limited scopes can be paired with programmable explainability behavior to improve traceability of hallucinations and harmful outputs. Agent outputs should be logged and flagged for problematic behavior during runtime and analyzed to prevent unauthorized proliferation.
- Establish policies for human-in-the-loop (HITL) – HITL is used for tasks where poor decisions result in high impact, where human governance is required for compliance, and where edge cases lack established protocols. Guardian agents are not a substitute for human intelligence and may present an enticing target for attackers. To prevent bottlenecks, traditional rules-based systems that incorporate HITL are still the most secure method to keep risk under a specific threshold. Beneath established thresholds, guardian agents are best used sparingly to further mitigate risk, but organizations will have to assess the risk mitigation an agent provides against the worst-case scenario of a compromised agent.
- Enforce zero trust for sensitive data – Apply least-privilege access principles to limit what data agents can access and share, continuously verify permissions to curb escalation of privilege, and assume breach for every stage and agent.
- Consolidate disparate tools – As rapidly proliferating agents are introduced into today’s tool sprawl, observability can no longer be achieved through patchwork solutions. Organizations need to invest in unified security platforms that consolidate the tools and visibility security professionals need to maintain a strong security posture across the new expanded attack surface.
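To make the zero trust item concrete against the spoofed compliance agent in the scenario above, here is an added example (not F5's code or part of the original post) of a resource-side check that accepts only signed, short-lived, task-bound approvals and caps every agent at a fixed privilege ceiling. Agent names follow the article's scenario; the key, scope strings, and function names are assumptions, and the shared-key HMAC stands in for whatever authentication (mTLS, asymmetric signatures) a real deployment uses.

```python
import hashlib
import hmac
import json
import time

# Constructed sample values: the key and scope names are assumptions for this example.
COMPLIANCE_KEY = b"constructed-demo-key"
CEILING = {  # least-privilege ceiling per agent; no approval can exceed it
    "crm-agent": {"crm:read"},
    "portfolio-agent": {"portfolio:read"},
    "personalization-agent": {"crm:read"},
}

def _mac(body, key):
    # Canonical JSON so signer and verifier hash identical bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_approval(agent, scopes, task_id, ttl=60, key=COMPLIANCE_KEY, now=None):
    """Compliance agent side: sign a short-lived grant bound to one agent and task."""
    now = time.time() if now is None else now
    body = {"agent": agent, "scopes": sorted(scopes), "task": task_id, "exp": now + ttl}
    return {"body": body, "sig": _mac(body, key)}

def authorize(approval, agent, scope, task_id, now=None):
    """Resource side: re-verify on every call. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    body, sig = approval.get("body", {}), str(approval.get("sig", ""))
    expected = _mac(body, COMPLIANCE_KEY)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"      # spoofed or tampered approval
    if body.get("agent") != agent or body.get("task") != task_id:
        return False, "wrong-subject"      # grant replayed by another agent or task
    if now >= body.get("exp", 0):
        return False, "expired"            # permissions are not trusted indefinitely
    if scope not in body.get("scopes", []):
        return False, "scope-not-granted"
    if scope not in CEILING.get(agent, set()):
        return False, "exceeds-ceiling"    # even a genuine grant cannot escalate
    return True, "ok"
```

The ceiling check runs after signature verification on purpose: a compromised or manipulated compliance agent can still sign a grant, so the resource owner keeps its own limit rather than trusting the approver.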
You can’t red team your way out of agentic proliferation
Systems with non-deterministic outputs cannot be secured with deterministic solutions. Conventional testing practices relying on deterministic outputs fail to address a technology that doesn’t yield consistent outputs from one iteration to the next. Combined with the reality that a single organization is unlikely to own or control the majority of APIs or agents in a workflow, MAS demands a more comprehensive approach to security.
Multi-agent systems amplify complexity in exchange for accuracy. Every new connection introduces risks, every trust boundary adds vulnerability, and every agent expands the attack surface. However, in many ways, the new rules are still the old rules—adherence is just more critical now. Securing APIs, enforcing zero trust, and monitoring system behaviors are foundational practices that grow more urgent as MAS adoption accelerates.
While we won’t see widespread adoption overnight, preparing your security stack for this eventuality positions your organization not just for MAS, but against the threats that modern systems increasingly face.
AI deployments have already introduced an expanded attack surface, and the systems you secure today will form the foundation of your defenses tomorrow. As you deploy AI applications at scale, explore how F5 delivers and secures AI applications everywhere.