Imagine handing someone the keys to your car and asking them to pick up groceries. If the store is close and your list is simple, there’s little room for error. But add specific brands, dietary restrictions, and a tight budget, and the errand becomes much harder to get right. The consequences of this seemingly mundane task going wrong range from unauthorized purchases all the way to a totaled vehicle.
Many organizations currently face a similar situation in their implementation of AI agents. It’s difficult and expensive to create agents capable of performing every task in a workflow at an exceptional level, and until recently, communication between agents and tools lacked a uniform standard: an AI equivalent of what HTTP represents for the web.
Enter multi-agent systems (MAS), a new AI paradigm that distributes responsibilities across many highly specialized agents working together to deliver more accurate, relevant results. MAS achieves this by intentionally limiting the scope, access, and domain expertise of each agent, and it scales through modular task execution. The promise of MAS is compelling, but as organizations hand agentic AI the “keys to the castle,” peril follows close behind: an expanded attack surface and the imperative to rethink security, trust, and accountability in agentic AI systems.
Fundamentally, MAS is a framework for building distributed agentic AI systems. Instead of relying on monolithic AI agents that do many tasks sub-optimally, MAS distributes tasks among agents specialized in only one or a few areas, often organized into hierarchies or clusters of sub-agents. These agents act autonomously but cooperate to achieve individual and shared goals. A few key categories of agents recur within MAS: orchestrators (such as the super and triage agents that plan and route work), specialized task agents (such as CRM, localization, and portfolio agents), and validators (such as the compliance and guardian agents that check data access and outputs).
A distributed system, or “panel of experts,” is not a new idea, but until recently, communication between AI agents lacked the uniform standards to make it feasible. Thanks to the introduction of Anthropic’s Model Context Protocol (MCP), data retrieval and tool access across structured sources now have a universal standard, and thanks to Google’s Agent-to-Agent (A2A) framework, AI agents now have a model-agnostic framework for communicating with other agents via natural language. Put simply, MCP is agent-to-data communication while A2A is agent-to-agent communication.
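To make that distinction concrete, here is a rough sketch of what each looks like on the wire. The message shapes below are illustrative only; the tool name and arguments are hypothetical, and the MCP and A2A specifications remain the authoritative schemas.

```python
# MCP (agent-to-data): a JSON-RPC 2.0 request asking an MCP server
# to execute one of the tools it exposes.
mcp_tool_call = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
        "name": "get_portfolio_positions",        # hypothetical tool name
        "arguments": {"account_id": "alice-001"},  # hypothetical arguments
    },
}

# A2A (agent-to-agent): one agent hands a peer a task expressed in
# natural language; the peer advertises its skills via an agent card.
a2a_task_message = {
    "role": "user",
    "parts": [
        {"type": "text",
         "text": "Summarize Alice's portfolio performance for Q3."}
    ],
}
```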
The most formidable roadblocks to producing positive ROI with agentic AI are accuracy, cost, and scalability. MAS, despite the inevitable complexities it will introduce, is one of the most promising mechanisms to optimize all three: specialization improves accuracy, right-sizing each agent to its task contains cost, and modular task execution makes the system easier to scale.
Let’s use the diagram below to explore a hypothetical use case. Imagine you are a financial advisor and your client, Alice, likes to receive custom reports on her portfolio’s performance.
The super agent receives the prompt, establishes the global intent, and calls the triage agent to determine necessary resources. The triage agent or rules-based engine decides to call the CRM agent for user-specific context, the localization agent for Alice’s country/region, and the portfolio agent for the trading platform data. The compliance agent validates which data and tools may be accessed for this task before the triage agent proceeds with these calls.
Each of those downstream agents has additional hierarchies and clusters of sub-agents for specific tasks like personalization or analyzing news, some interconnected, others siloed.
Once a report is assembled, it is sent to the compliance agent to verify it meets all regulatory requirements before finally being sent to the guardian agent or human-in-the-loop to validate that the output is accurate and meets the client’s intent. The result is the accurate, customized delivery of a valuable asset.
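A stripped-down sketch of this orchestration pattern shows where the compliance gate sits. Everything here is hypothetical: the agent names and tool identifiers are invented, and plain function calls stand in for MCP/A2A traffic.

```python
from dataclasses import dataclass, field

@dataclass
class Agent:
    """A hypothetical sub-agent: a name plus the only tools it may touch."""
    name: str
    allowed_tools: set[str] = field(default_factory=set)

    def run(self, task: str) -> str:
        # Placeholder for a model call scoped to this agent's tools.
        return f"[{self.name}] completed: {task}"

def compliance_gate(agent: Agent, requested_tools: set[str]) -> None:
    """Reject any call requesting tools outside the agent's allow-list."""
    excess = requested_tools - agent.allowed_tools
    if excess:
        raise PermissionError(f"{agent.name} denied access to: {excess}")

def build_report(prompt: str) -> str:
    crm = Agent("crm", {"crm.read_profile"})
    localization = Agent("localization", {"geo.lookup"})
    portfolio = Agent("portfolio", {"trading.read_positions"})

    # What the triage agent decided each sub-agent needs for this task.
    plan = [
        (crm, {"crm.read_profile"}, "fetch Alice's preferences"),
        (localization, {"geo.lookup"}, "resolve Alice's region"),
        (portfolio, {"trading.read_positions"}, "pull platform data"),
    ]
    context = {"prompt": prompt}
    for agent, tools, task in plan:
        compliance_gate(agent, tools)  # validate before every call
        context[agent.name] = agent.run(task)

    # Compliance review of the draft, then guardian / human-in-the-loop.
    return f"Report for Alice assembled from {sorted(context)}"

print(build_report("Generate Alice's Q3 performance report"))
```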
Let’s imagine your MAS workflow doesn’t get the best-case treatment. Every connection between your agents is a standard API, a common attack vector many organizations are still exposed to.
Your initial prompt has been manipulated by an injection attack with instructions to send Alice’s final report to an attacker’s email address. This shouldn’t be an issue if the compliance agent catches it, but an unsecured API connection enables a spoofing attack. Impersonating the compliance agent, the attacker approves downstream agents to access Alice’s bank account and credit card information and lifts additional restrictions.
Without guardrails, agents see an exponential escalation of privilege: anything that can be accessed will be accessed. The personalization agent might decide Alice’s savings account balance is pertinent context now, or perhaps the financial analysis agent mistakes proprietary trading algorithms and partnership agreements for relevant inputs to neighboring agents.
Upon reaching the human-in-the-loop or guardian agent for validation, the output looks accurate and aligned to user intent, but we are left with a profuse propagation of trust, disclosure of information, and escalation of privilege across connections. With one simple request, we have eroded trust with our customers and our partners, and exposed countless vulnerabilities.
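The spoofing step succeeds because nothing proves a message actually came from the compliance agent. One countermeasure is to authenticate every inter-agent message; the sketch below uses HMAC with hypothetical per-agent shared secrets for brevity, though a production deployment would more likely rely on mTLS or asymmetric signatures with key rotation.

```python
import hashlib
import hmac
import json

# Hypothetical per-agent secrets, provisioned out of band.
AGENT_KEYS = {"compliance": b"compliance-secret", "triage": b"triage-secret"}

def sign(sender: str, payload: dict) -> dict:
    """Attach a MAC computed with the sender's key."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(AGENT_KEYS[sender], body, hashlib.sha256).hexdigest()
    return {"sender": sender, "payload": payload, "mac": mac}

def verify(message: dict) -> dict:
    """Reject messages whose MAC doesn't match the claimed sender's key."""
    body = json.dumps(message["payload"], sort_keys=True).encode()
    expected = hmac.new(AGENT_KEYS[message["sender"]], body,
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["mac"]):
        raise PermissionError("spoofed or tampered inter-agent message")
    return message["payload"]

approval = sign("compliance", {"approved_tools": ["crm.read_profile"]})
print(verify(approval))  # legitimate message passes

forged = {"sender": "compliance",
          "payload": {"approved_tools": ["bank.read_account"]},
          "mac": "deadbeef"}
try:
    verify(forged)
except PermissionError as err:
    print(err)  # an attacker can't mint a valid MAC without the key
```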
The average-case operation of multi-agent systems is a middle ground between these two examples wherein the accuracy of outputs notably increases, but securing the attack surface becomes considerably harder. While entirely agentic apps are now technically possible, the most practical implementation of these systems is going to be largely hybrid—integrating both legacy infrastructure and AI components. This shift will not occur overnight, but the complexity of this issue will require proactive collaboration across stakeholders on how to create agentic systems that deliver business value without introducing more risk than reward.
Multi-agent systems are likely to be adopted for the same reasons most organizations rely on hybrid environments: flexibility outweighs most other considerations when balancing performance, security, and cost management. Throughout the history of modern applications, we see a recurring cycle of consolidation and hybridization. Enterprises often begin with complete reliance on monolithic platforms but eventually shift toward hybrid portfolios that better balance functional needs and costs. Agentic AI will likely follow the same trajectory. Initial enthusiasm for monolithic platforms will give way to a distributed ecosystem of applications and APIs spanning on-prem, SaaS, edge, and the inevitable tool sprawl we see today. By anticipating this cycle, organizations can take proactive measures to prepare for MAS-driven workflows and the distributed future of AI.
Systems with non-deterministic outputs cannot be secured with deterministic solutions. Conventional testing practices assume consistent outputs and fail against a technology that doesn’t yield the same result from one iteration to the next. Combined with the reality that a single organization is unlikely to own or control the majority of APIs or agents in a workflow, MAS demands a more comprehensive approach to security.
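One practical adjustment is to assert properties of the output rather than the output itself. The toy sketch below assumes a hypothetical generate_report() whose wording varies run to run; the exact text is never checked, but invariants like “no leaked identifiers” and “a stated performance figure” must hold on every run.

```python
import random
import re

def generate_report(prompt: str) -> str:
    # Stand-in for a model call: the wording differs between runs.
    opener = random.choice(["Portfolio summary:", "Q3 performance:"])
    return f"{opener} holdings up 4.2% for account ****-001."

def check_invariants(report: str) -> list[str]:
    """Properties every valid report must satisfy, regardless of phrasing."""
    failures = []
    if re.search(r"\b\d{9,}\b", report):          # no raw account numbers
        failures.append("possible unmasked account number")
    if "@" in report:                             # no email addresses
        failures.append("possible email address leak")
    if not re.search(r"-?\d+(\.\d+)?%", report):  # must state performance
        failures.append("missing performance figure")
    return failures

# Run repeatedly: the exact text varies, but the properties must not.
for _ in range(100):
    problems = check_invariants(generate_report("Alice Q3 report"))
    assert not problems, problems
print("all runs satisfied the invariants")
```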
Multi-agent systems amplify complexity in exchange for accuracy. Every new connection introduces risks, every trust boundary adds vulnerability, and every agent expands the attack surface. However, in many ways, the new rules are still the old rules—adherence is just more critical now. Securing APIs, enforcing zero trust, and monitoring system behaviors are foundational practices that grow more urgent as MAS adoption accelerates.
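Monitoring translates naturally to agents because every tool call is a discrete, auditable event. The sketch below is a minimal illustration of that idea: a hypothetical audit wrapper around tool access, with a print standing in for a real audit sink.

```python
import functools
import json
import time

def audited(agent: str, tool: str):
    """Log every invocation so anomalous access patterns become visible."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            event = {"ts": time.time(), "agent": agent,
                     "tool": tool, "args": repr(args)}
            print(json.dumps(event))  # stand-in for a real audit sink
            return fn(*args, **kwargs)
        return wrapper
    return decorator

@audited(agent="portfolio", tool="trading.read_positions")
def read_positions(account_id: str) -> list[str]:
    return ["AAPL", "MSFT"]  # hypothetical data source

read_positions("alice-001")
```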
While we won’t see widespread adoption overnight, preparing your security stack for this eventuality positions your organization not just for MAS, but against the threats that modern systems increasingly face.
AI deployments have already introduced an expanded attack surface, and the systems you secure today will form the foundation of your defenses tomorrow. As you deploy AI applications at scale, explore how F5 delivers and secures AI applications everywhere.