Architecture Matters for Multi-Agent Security

Abstract: Multi-agent systems (MAS), composed of networks of two or more autonomous AI agents, have become increasingly popular in production deployments, yet introduce security risks that do not arise in single-agent settings. Even if individual agents exhibit robust security, architectural decisions governing their coordination can create attack surfaces that have not been systematically characterized. In this work, we present an empirical study of how MAS design decisions shape the tradeoff between task performance and attack resistance. Across three agentic environments (browser, desktop, and code) and 13 architectural configurations, we use stagewise evaluations that distinguish planning refusal, execution-stage interception, partial harmful execution, and successful attack completion to study three key design choices: (i) agent roles, which determine how authority and responsibility are allocated; (ii) communication topology, which shapes how and when agents interact; and (iii) memory, which determines the context and state visibility accessible to each agent. We find that multi-agent architectures are more vulnerable than standalone agents in the majority of configurations, with attack success rates varying by up to 3.8x at comparable or higher benign accuracy, and that no single design is universally safer. These results motivate the development of further evaluations that move beyond the security properties of a single agent.

• The paper reveals that multi-agent architectures can increase attack success rates up to 3.8x by introducing complex security tradeoffs.
• The paper empirically compares 13 configurations across three domains, highlighting the effects of role specialization, communication topology, and memory visibility.
• The paper shows that stronger base model alignment and tailored defenses are crucial, as vulnerabilities vary greatly with architectural choices.

Architectural Impact on Security in Multi-Agent AI Systems

Motivation and Research Context

As AI systems transition from single-model deployments to complex multi-agent architectures, new security risks emerge that are not straightforwardly inherited from component-level vulnerabilities. Multi-agent systems (MAS) distribute task execution across multiple autonomous agents, introducing novel attack surfaces via architectural factors such as agent roles, communication topology, and memory visibility. Prior security research predominantly targets LLMs and single-agent systems, documenting prompt injection, data poisoning, and tool misuse; however, these defenses can degrade substantially when the same models are embedded in agentic networks with distributed control and fragmented reasoning.

This paper ("Architecture Matters for Multi-Agent Security" (2604.23459)) addresses the gap in systematic evaluation of MAS design decisions and their influence on the joint tradeoff between task performance and attack resistance. The authors empirically scrutinize 13 architectural configurations across three agentic environments—browser automation, desktop control, and code generation—to delineate how agent roles, communication topology, and memory visibility modulate both the likelihood and stage of harmful task execution.

Methodology & Experimental Setup

The authors adapt three canonical single-agent security benchmarks (BrowserART, OS-Harm, RedCode-Gen) to the multi-agent setting, preserving task semantics while varying only architectural configuration. Evaluations are conducted on six models (e.g., GPT-4o, GPT-5.4, Sonnet 4, Qwen3-VL, Llama 70B), measuring benign task performance and attack resistance under adversarial input conditions.

Three principal design axes are manipulated:

1. Role Configuration: Agents are organized as planners, executors, reviewers, or specialists, with varying distribution of authority and responsibility.
2. Communication Topology: Variants include centralized (star), sequential (chain), and peer-to-peer (mesh) architectures, determining inter-agent information flow and safety signal propagation.
3. Memory Visibility: Agents have access to private, own reasoning traces, or full shared memory, affecting transparency and coordination.

Stagewise metrics distinguish refusal and execution outcomes: Planning Refusal, Execution Refusal, Partial Harmful Actions, and Harmful Task Completion.

Core Findings

Security Amplification via Architectural Decomposition

Multi-agent architectures are empirically demonstrated to be more vulnerable than standalone agents in the majority of tested configurations. Attack success rates fluctuate by up to 3.8x at comparable or higher benign accuracy, with no single design universally safer. The vulnerability increase is often coupled with improved task capacity, indicating that high performance does not imply improved security.

• Role Specialization: Fragmentation of task context and delegation of atomic actions dilutes the harmful signal, enabling specialized agents to execute adversarial subtasks without full visibility. For instance, in BrowserART, moving from a standalone to a 4-specialist star configuration, attack success (Harmful Task completion) rises from 10% to 31%, whereas benign accuracy increases from 92.9% to 97.6%. This effect is pronounced but non-monotonic across varying numbers of specialists.
• Topology Effects: Communication topology effects are inconsistent and domain-specific. In BrowserART, star topology is the riskiest, mesh the safest; in RedCode-Gen, chain emerges as most vulnerable, with mesh and star comparably safer. Topologies shift the locus of safety reasoning between planning and execution stages depending on full or partial visibility of the overarching task.
• Memory Visibility: Increased transparency via shared memory does not reliably improve security. In the code domain (RedCode-Gen mesh topology), shared memory aids execution-stage refusal, reducing attack completion. However, in other scenarios, memory sharing increases vulnerability or shows negligible effect, challenging the intuition that more transparent systems are inherently safer.

Model and Scenario Dependence

Well-aligned base models (e.g., GPT-5.4, Sonnet 4) consistently exhibit low vulnerability even under architectural fragmentation. Weaker-aligned models are disproportionately compromised; for example, Llama 70B and Qwen3-VL demonstrate a 4-fold increase in attack success under role decomposition, indicating architectural impacts are mediated by safety training and model alignment.

Task domains differ in susceptibility: code generation tasks (RedCode-Gen) experience increased risk from both simple delegation and specialization, while desktop control (OS-Harm) action spaces are less semantically interpretable, resulting in smaller absolute vulnerability increases.

Mechanistic Explanations

The increased attack surface is due to two mechanisms:

• Responsibility Gaps: In role-specialized settings, execution authority and safety reasoning are separated, often rendering safety judgments advisory rather than binding. Specialists process instructions within restricted context windows, without awareness of the global task intent or adversarial objective.
• Task Visibility Fragmentation: Topologies that relay atomic outputs obfuscate harmful intent from downstream agents. In chain topologies, each agent receives filtered information, reducing independent refusal rates and increasing harmful completion.

Memory visibility modulates the tradeoff: shared state can aid detection (by exposing adversarial patterns), but also facilitates coordination for harmful objectives, with the balance contingent on model alignment and scenario.

Implications and Future Directions

Theoretical implications include the non-compositionality of safety properties: robust refusals at the component level do not guarantee architecture-level security. Security and performance decouple counterintuitively, motivating adversarial evaluation as a necessary complement to capability metrics.

Practically, MAS designers cannot infer security from standard task benchmarks or component-level robustness. Architectural choices—specialization, topology, memory sharing—must be considered explicit security variables, with per-deployment adversarial assessments required.

Future research directions entail:

• Characterizing indirect prompt injection, memory poisoning, and adversarial agent dynamics in MAS.
• Evaluating dedicated safety mechanisms (e.g., monitor agents, policy-checking layers) integrated into architectural pipelines.
• Investigating interaction effects between architectural axes and communication protocols.
• Extending analysis to iterative adversarial testing and complex environment deployments.

Conclusion

This work provides the first controlled, empirical comparison of multi-agent architectural design impacts on security across realistic agentic environments. The findings underscore that multi-agent architectures are often more vulnerable than standalone agents—by substantial, scenario-dependent margins—contradicting simplistic intuitions about specialization, communication, and memory transparency. Security must be treated as a per-deployment architectural property; capability alone is insufficient. Research and engineering communities are urged to develop specialized defenses and evaluation methodologies for MAS as agentic coordination becomes central in production AI systems.