← Blog

Multi-Agent System Security: The Authorization Problem Nobody Solved Before Shipping

A2A version 1.0 shipped in April 2026 with signed Agent Cards and an explicit design rule: A2A payloads carry no user or client identity. MCP forbids token passthrough and mandates RFC 8707 resource indicators. Both protocols push identity to the HTTP layer and leave delegation chains without a protocol-native way to carry an originating principal across hops. This piece walks through the multi-agent threat model, the six failure modes that only appear when agents talk to each other, and the enforcement point that reconstructs who authorized what.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Problem-Awareagentic-aiai-securityidentity-and-authorizationllm-securityarchitecturezero-trust
Multi-Agent System Security: The Authorization Problem Nobody Solved Before Shipping

Google's Agent2Agent protocol states the rule in its own enterprise documentation: A2A JSON-RPC payloads carry no user or client identity. Identity is established at the transport layer, in HTTP headers, and nowhere else. The Model Context Protocol takes a parallel position in its security best practices, where the spec states that MCP servers MUST NOT accept any tokens that were not explicitly issued for the MCP server. Both protocols made a deliberate, defensible choice. Both leave the same hole: when agent A delegates to agent B, which calls tool C, which invokes model D, no protocol field carries the human principal who started the chain.

I want to walk through what actually breaks in multi-agent systems, which failure modes are specific to agents talking to agents, and where the enforcement point has to sit for the delegation chain to be reconstructable after the fact.

The multi-agent threat surface

A multi-agent system is defined by three properties, per the framing in Security Considerations for Multi-agent Systems: agents exercise delegated tool authority, they share persistent memory, and they communicate with each other. Each property is a security boundary that single-agent deployments never had to defend.

The Cloud Security Alliance published MAESTRO on February 6, 2025 as a seven-layer threat-modeling framework for agentic systems. Its most useful contribution is the separation between traditional threats, which are inherent to each layer's underlying technology, and agentic threats, which arise from three properties MAESTRO names directly: non-determinism, autonomy, and the absence of a trust boundary between agents. That third property is the one platform teams underestimate. In a microservice mesh, service A calls service B across a boundary enforced by mTLS and a policy engine. In an agent mesh, agent A passes natural language to agent B, and the natural language is simultaneously the data and the control channel.

OWASP published the Top 10 for Agentic Applications on December 9, 2025. Four of the ten categories exist only because agents talk to agents: ASI03 Agent Identity and Privilege Abuse, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Agent Failures, and ASI10 Rogue Agents.

Six failure modes specific to agent-to-agent traffic

Inter-agent prompt injection

A compromised agent propagates the injected instruction to its peers. Researchers at UCL and Stanford documented this as Prompt Infection in October 2024, a self-replicating injection that spreads agent to agent inside a multi-agent system. Their measurement: harmful actions including exfiltration, scams, and content manipulation were induced in over 80% of cases with GPT-4o as the backbone. The infection worked even when agents did not publicly share all their communications.

The confused deputy

The MCP specification documents this attack flow in full. An MCP proxy server holding ambient authority, using a static client ID with dynamic client registration, gets tricked into issuing an authorization code to an attacker-registered redirect URI. Consent is skipped because a third-party consent cookie is already present. The proxy's privilege is redirected without the attacker authenticating as anyone. I covered the mechanics in MCP confused deputy attack.

Tool poisoning that propagates

Invariant Labs demonstrated that a poisoned secondary MCP server can silently rewrite what a different, trusted tool does, by embedding instructions in tool metadata that the user never sees and the model always reads. MCPTox benchmarked this against 45 authentic MCP servers and 353 real tools across 20 LLM agents and measured attack success rates up to 72%. The paper's conclusion is direct: safety alignment offers minimal pre-execution protection.

Cascading trust failures

OWASP ASI08. Agent B consumes agent A's output as trusted input. A compromise at A becomes a compromise at B, C, and D without any of them being individually attacked. The single-agent threat model has no analogue.

Agent impersonation

An unauthorized agent presents as a legitimate one and peers trust it. A2A's answer, shipped in version 1.0 on April 9, 2026, is signed Agent Cards. Signing an Agent Card proves the agent is what it claims. It says nothing about which human the agent is acting for.

Unbounded delegation chains

The cleanest academic framing is Authorization Propagation in Multi-Agent AI Systems, which defines the problem as maintaining authorization invariants while non-human principals retrieve data, delegate tasks, and synthesize results across shifting boundaries. Delegating a task to an agent extends the principal's trust boundary to that agent's software proxies, and then to theirs.

What GTG-1002 proved about tempo

On November 14, 2025 Anthropic disclosed GTG-1002, the first reported AI-orchestrated cyber espionage campaign. A Chinese state-sponsored group ran Claude Code instances orchestrated through MCP servers as autonomous penetration-testing orchestrators and sub-agents against roughly 30 targets including large technology companies, financial institutions, chemical manufacturers, and government agencies. Anthropic's own measurement: the AI executed 80% to 90% of tactical operations independently, with human intervention at key decision points sometimes lasting as little as 20 minutes. MITRE now tracks it as ATT&CK campaign C0062.

The lesson for defenders is about tempo, and it maps to the same argument I made in 22-second breach windows. A multi-agent attacker operating at machine speed collapses the interval in which a human reviewer could intervene. Controls that surface a finding for triage arrive after the delegation chain has already executed.

Where the enforcement point has to sit

Every hop in a multi-agent system that crosses a process boundary is an HTTP request. Agent to agent under A2A is HTTP. Agent to remote MCP server over Streamable HTTP is HTTP. Agent to model is HTTP. That shared substrate is the only place where a single control can see the whole chain.

Three properties are required at that point:

[@portabletext/react] Unknown block type "code", specify a component for it in the `components.types` prop

Question one is the one the protocols punted on. A2A puts no identity in the payload. MCP forbids passing a token through to a downstream resource. Both are correct security decisions in isolation, and together they mean the originating principal has to be carried and evaluated by the layer the traffic passes through, because no field in the protocol carries it.

The MCP working group has conceded the point. Enterprise-Managed Authorization became stable on June 18, 2026 and introduces ID-JAG, a short-lived identity assertion JWT issued by the enterprise identity provider after RFC 8693 token exchange, validating the user's SSO identity against organizational policy before the agent reaches the MCP server. Anthropic, Microsoft, and Okta are the named adopters. The industry position in mid-2026 is that identity must bind to the call.

Boundary: what a gateway sees and what it misses

An honest control map matters more than a long feature list. Inter-agent HTTP traffic, remote MCP calls over HTTP, tool invocations, and model calls are all inspectable at the AI request boundary. Three things are not. MCP over STDIO executes locally and never crosses the network. Compromise of an agent's host machine happens beneath the HTTP layer. The package-installation step of a supply-chain attack, as in the postmark-mcp npm backdoor of September 2025, happens at build time.

The runtime consequence of all three still crosses the boundary. A poisoned tool that causes an agent to exfiltrate data has to send that data somewhere, and the send is an HTTP request with an identity attached to it or without one.

DeepInspect

This is the problem DeepInspect was built to solve. DeepInspect sits at the AI request boundary as a stateless proxy between authenticated agents and the models and remote tools they call. Every request is evaluated against the identity the application supplies, the delegation depth, the tool being invoked, the data classification of the payload, and the policy version active at that moment. The decision is deterministic and fail-closed.

For multi-agent deployments the primitive that matters is action lineage, the NIST Pillar 3 framing I walked through in AI agent action lineage. Each hop in the chain produces a per-decision audit record bound to the originating principal, not to the intermediate agent's service credential. When a chain runs six agents deep and something goes wrong, the record answers who authorized this, under which policy, at what moment, with what outcome, at every hop. The application never has custody of the write path, so an agent that misbehaves cannot suppress the evidence of what it did.

If you are running agents that call other agents, let's talk today.

Frequently asked questions

What makes multi-agent security different from single-agent security?

Three properties, per the framing in arXiv:2603.09002: delegated tool authority, shared persistent memory, and inter-agent communication. A single agent with tool access has a bounded blast radius defined by its own permissions. A multi-agent system extends the originating principal's trust boundary through every agent in the delegation chain. Four of the ten categories in the OWASP Top 10 for Agentic Applications 2026 exist only in multi-agent settings: ASI03 Agent Identity and Privilege Abuse, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Agent Failures, and ASI10 Rogue Agents. The failure that has no single-agent analogue is cascade: agent B trusts agent A's output as input, so a compromise at A becomes a compromise at B without B being attacked.

Does A2A solve agent identity?

A2A version 1.0, released April 9, 2026, introduced signed Agent Cards, which prove that an agent is the agent it claims to be. The protocol is explicit that JSON-RPC payloads carry no user or client identity, and that authentication is delegated entirely to existing web standards at the HTTP layer. Credential acquisition happens out of band, external to the protocol. So A2A answers agent identity and leaves human-principal propagation across delegation hops to the infrastructure the traffic passes through.

What is the confused deputy problem in MCP?

An MCP proxy server with ambient authority uses a static client ID and supports dynamic client registration. An attacker registers a redirect URI they control. Because the victim's browser already holds a consent cookie from a prior legitimate authorization, the authorization server skips the consent screen and issues an authorization code straight to the attacker's redirect URI. The attacker never authenticated as the victim and never needed to. The MCP specification mandates per-client consent, exact-match redirect URI validation, __Host- prefixed cookies, and single-use state parameters as mitigations.

Can prompt injection spread between agents?

Yes, and it has been measured. The Prompt Infection paper (arXiv:2410.07283, UCL and Stanford) documented a self-replicating injection that propagates agent to agent inside a multi-agent system, inducing harmful actions in over 80% of tested cases with GPT-4o. The mechanism is structural: agent B reads agent A's output as instructions, because a language model has no reliable way to mark some tokens as commands and others as data. The infection spread even in configurations where agents did not share all communications publicly.

Does an HTTP gateway help if the attack is MCP over STDIO?

No, and claiming otherwise would be dishonest. MCP over STDIO executes as a local process on the host and never crosses the network. A gateway that inspects HTTP AI traffic sees nothing. What it does see is the runtime consequence. A locally compromised agent that exfiltrates data, calls a model, or reaches a remote tool produces HTTP traffic, and that traffic carries either a recognized identity operating within policy or it does not. The gateway is a compensating control against the outcome, not a control against the local execution vector.

What does Enterprise-Managed Authorization change?

EMA became stable on June 18, 2026 as an MCP extension, with Anthropic, Microsoft, and Okta as adopters. It introduces ID-JAG, an identity assertion JWT issued by the enterprise identity provider through RFC 8693 token exchange after the provider validates the user's SSO identity against organizational policy. Practically, it lets the enterprise control which MCP servers employees may reach and removes the per-server OAuth consent dance. Architecturally, it is the protocol layer conceding that a verified human identity has to bind to the agent's call rather than being replaced by the agent's own service credential.