the security controls you need when your agents start talking to each other, because individually they’re fine but together they’re a supply chain incident waiting to happen.
Security controls governing agent-to-agent communication, delegation chains, cascading autonomy, and emergent behaviour. Individual agent governance (ART-05) is necessary but insufficient when agents orchestrate other agents.
Why It Matters
Individual agent governance solves a simpler problem. When Agent A operates in isolation, its blast radius is bounded by its own tools, scope, and permissions. Multi-agent orchestration creates a fundamentally different risk profile: agents that interact, delegate, compete for resources, and produce emergent behaviours that no single agent was designed to exhibit.
The structural risk is cascading autonomy. Agent A is authorised to request data. It delegates the request to Agent B, which is authorised to access the database. Agent B returns more data than Agent A needs. Agent A passes it to Agent C, which is authorised to send emails. Agent C emails the full dataset to a customer. Each agent acted within its declared scope. The system-level outcome — sending sensitive data to a customer — was authorised by no one.
This is not a theoretical risk. It is the operational reality of every enterprise deploying more than one agent on shared workflows. The agents do not need to be malicious. They do not need to be misconfigured. They simply need to be unaware of each other’s constraints. And in most deployments, they are.
The Stress Test
Your supply chain runs four AI agents: demand forecasting, procurement, pricing, and inventory management. Each agent has its own ART-05 declaration. Each operates within its declared scope. The demand agent detects a spike and signals high demand. The procurement agent over-orders to capture bulk discounts. The inventory agent, seeing surplus, alerts the pricing agent. The pricing agent slashes prices to move stock. The demand agent, seeing increased sales velocity from the price cut, forecasts another spike. The cycle repeats.
Within 72 hours, you have warehouses full of discounted product, margins destroyed, and a procurement commitment you cannot unwind. Each agent acted rationally within its scope. The system acted irrationally because nobody governed the interactions between the agents. Your ART-05 declarations are compliant. Your supply chain is not.
In the Wild
A logistics firm deployed separate AI agents for procurement, pricing, and inventory management. The procurement agent detected a low-stock signal and placed a bulk order. The pricing agent, detecting the resulting surplus, automatically reduced prices by 40%. The finance agent, observing the margin compression, flagged a revenue shortfall and froze discretionary spending. The combined effect: $2 million in losses from a feedback loop between three agents, each operating within its individual parameters.
No agent violated its ART-05 declaration. No agent exceeded its tool permissions. The failure was at the system level: no control governed the interaction between agents, and no circuit breaker detected the cascading pattern.
Each agent was right. The system was wrong. That is the multi-agent orchestration gap in one sentence.
On May 6, 2010, the U.S. stock market experienced a sudden crash in which the Dow Jones Industrial Average dropped nearly 1,000 points — and recovered — within 36 minutes. The SEC/CFTC investigation attributed the crash to the interaction between a large algorithmic sell order and thousands of high-frequency trading algorithms that responded to each other’s actions, creating a cascading liquidity withdrawal. No single algorithm caused the crash. The crash emerged from the interactions between them.
The 2010 Flash Crash remains the definitive case study for emergent failure in multi-agent systems. The agents were not coordinated. That was the problem.
The OWASP Foundation published its Agentic AI Top 10 threat taxonomy in 2025, identifying multi-agent-specific risks including: privilege escalation through delegation chains, agent identity spoofing, cascading hallucination (one agent’s hallucinated output becomes another agent’s trusted input), and resource exhaustion from infinite delegation loops. The taxonomy treats multi-agent orchestration as a distinct attack surface, separate from individual agent vulnerabilities.
Individual agent security is necessary. Multi-agent security is a different discipline entirely. OWASP documented why.
How to Govern It
ART-05 per agent is necessary. It is not sufficient. The system needs its own governance layer.
Within the AI Enterprise Control Index, multi-agent orchestration governance spans multiple layers and shields:
- Security (S2) — Default-deny delegation policies. Agent A cannot invoke Agent B unless explicitly authorised. Inter-agent authentication: agents verify identity before accepting delegated tasks. Blast radius containment: cascading failures are bounded by circuit breakers at the orchestration layer.
- AI Engineering (L5) — System-level testing for emergent behaviour. Not just “does each agent work?” but “what happens when they interact?” Adversarial testing of delegation chains, feedback loops, and resource competition.
- Observability (S4) — Cross-agent trace logging. The trace must follow a task from the initial request through every agent handoff, delegation, and tool call. If you cannot reconstruct the full chain, you cannot govern it.
- Applications & Agents (L4) — Each agent maintains its own ART-05 declaration, but the orchestration layer has its own governance artifact declaring: which agents can communicate, which delegation paths are permitted, what aggregate resource limits apply, and what circuit breakers exist at the system level.
- GRC (S1) — Evidence Factory captures system-level test results, delegation chain audits, and inter-agent incident records. The auditor asks not just “show me Agent A’s controls” but “show me the controls on the interaction between Agent A and Agent B.”
When It’s Relevant
Every deployment with more than one AI agent operating on shared data, shared workflows, or shared outcomes. If Agent A’s output can affect Agent B’s input, you have a multi-agent orchestration problem — whether you designed it that way or not.
Multi-agent orchestration risk is highest when:
- Agents can delegate tasks to other agents without human approval
- Agent outputs serve as inputs to other agents (cascading data dependency)
- Agents share access to the same resources (budgets, databases, APIs)
- No system-level circuit breaker exists for cascading failures
- The combined autonomy of the agent system exceeds any individual agent’s declared scope
Related Terms
References
- [1] OWASP Foundation (2025) OWASP Top 10 for Agentic AI Applications. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
- [2] SEC and CFTC (2010) Findings Regarding the Market Events of May 6, 2010. Report of the Staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory Issues.
- [3] Wu, Q., Bansal, G., Zhang, J. et al. (2024) ‘AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation’, arXiv preprint, arXiv:2308.08155v2. Available at: arxiv.org/abs/2308.08155.
- [4] Shavit, Y., Amodei, D., Clark, J. et al. (2025) ‘Practices for Governing Agentic AI Systems’, OpenAI white paper. Available at: openai.com/index/practices-for-governing-agentic-ai-systems.
- [5] Chan, A., Salganik, R., Markelius, A. et al. (2023) ‘Harms from Increasingly Agentic Algorithmic Systems’, Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency (FAccT), pp. 651–666.
- [6] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act), Official Journal of the European Union.
- [7] Talebirad, Y. and Nadiri, A. (2023) ‘Multi-Agent Collaboration: Harnessing the Power of Intelligent LLM Agents’, arXiv preprint, arXiv:2306.03314. Available at: arxiv.org/abs/2306.03314.
AI Enterprise Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens