Microsoft has taken a further step in understanding the risks associated with agent-based artificial intelligence systems. The company has identified seven new failure modes that add to those already cataloged in its first Taxonomy of Failure Modes in Agentic AI Systems, published last year. This expansion is no coincidence: it responds to the rapid adoption of agentic AI in enterprise environments, the maturation of protocols such as the Model Context Protocol (MCP), the rise of agents with computer use capabilities, and the accumulation of empirical evidence by researchers.

For security teams, this update is a reminder that the attack surface in autonomous systems is dynamic and requires constant vigilance. As we have already seen in other areas of cybersecurity, such as secure VPN and firewall configuration, protection must evolve at the same pace as threats.
Each of the seven new failure modes exploits a specific characteristic of multi-agent systems, from inter-agent communication to interaction with graphical interfaces.
· Agentic Supply Chain Compromise: Unlike traditional supply chain attacks, here the agent's behavior is affected by natural language instructions embedded in data or configurations, without the need for malicious code. This opens the door to subtle manipulations that can go unnoticed in conventional security reviews.
· Goal Hijacking: Instructions seemingly aligned with the legitimate task silently redirect the agent's final objective. For example, an agent designed to optimize delivery routes could be diverted to prioritize specific locations without raising suspicion.
· Inter-Agent Trust Escalation: A compromised agent can falsify its identity or inflate the permissions it declares to an orchestrator, gaining access to resources it should not have. This issue is reminiscent of privilege escalation risks in cloud environments, where identity verification is critical.
· Computer Use Agent (CUA) Visual Attack: Agents that operate through graphical interfaces (e.g., automating clicks or screenshots) can be manipulated via visual content containing adversarial instructions. A simple malicious banner on a website could redirect the agent's actions.
· Session Context Contamination: An adversary introduces data that biases the agent's reasoning in subsequent steps, without triggering security controls at any individual step. This is a gradual attack that can go unnoticed in threshold-based monitoring systems.
· MCP / Plugin Abuse: This update covers the attack surfaces specific to the Model Context Protocol and plugins. As in business process automation with n8n and AI, integration protocols must be audited to prevent a malicious plugin from controlling the data flow.
· Capability / Architecture Disclosure: An agent reveals internal details such as tool names, schemas, system prompts, memory interfaces, or human-in-the-loop activation logic. This information leakage can be used to design more precise attacks, much as knowledge of a VPN CVE lets an attacker plan exploitation.
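The Inter-Agent Trust Escalation item above turns on one design decision: the orchestrator must never take an agent's self-declared identity or permissions at face value. The following Python is an added illustration, not code from Microsoft's taxonomy or the original article; it sketches an orchestrator-side check that binds each agent's scopes to a signed grant issued from the orchestrator's own registry. The agent names, scopes and signing key are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed registry: the orchestrator's own record of what each agent was
# granted at registration. This is the source of truth; agents cannot edit it.
REGISTRY = {
    "route-optimizer": {"scopes": {"maps:read", "orders:read"}},
    "billing-agent": {"scopes": {"invoices:read", "invoices:write"}},
}
# Hypothetical demo key; a real deployment would use a managed, rotated secret.
REGISTRY_KEY = b"constructed-demo-key"


def issue_token(agent_id):
    """Orchestrator side: sign the registered scopes so the grant can be
    verified later without trusting anything the agent says about itself."""
    payload = json.dumps(
        {"agent": agent_id, "scopes": sorted(REGISTRY[agent_id]["scopes"])},
        sort_keys=True,
    )
    mac = hmac.new(REGISTRY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload, mac


def authorize(agent_id, claimed_scopes, token, requested):
    """Decide whether `agent_id` may perform a tool call needing `requested`.
    `claimed_scopes` is what the agent declares; it is checked against the
    signed grant, never trusted directly. Returns (allowed, reason)."""
    payload, mac = token
    expected = hmac.new(REGISTRY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "invalid token signature"
    data = json.loads(payload)
    if data["agent"] != agent_id:
        return False, "token issued to a different agent (identity spoofing)"
    granted = set(data["scopes"])
    excess = set(claimed_scopes) - granted
    if excess:
        # The agent inflated its declared permissions: log and deny.
        return False, f"declared scopes exceed grant: {sorted(excess)}"
    if requested not in granted:
        return False, f"scope {requested} not granted"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("route-optimizer")
    print(authorize("route-optimizer", ["maps:read"], tok, "maps:read"))
    print(authorize("route-optimizer", ["maps:read", "invoices:write"], tok, "maps:read"))
```

The deny reasons are what a detection pipeline would alert on: an agent presenting another agent's grant, or declaring scopes beyond its registered set, is the trust-escalation signal the taxonomy describes.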
Microsoft recommends that security teams use these definitions to influence their planning. Concrete actions include:
These measures are especially relevant for companies that are already adopting AI agents in their workflows, such as those that have seen productivity increases with Microsoft 365. Integrating agents into critical processes requires a security-by-design approach.

The experience of companies that have optimized their data models, as discussed in the case of Medium's feature store, shows that the underlying architecture is key to security. Similarly, AI agents cannot be treated as black boxes; their behavior must be auditable and their interactions monitored.
Furthermore, inference cost efficiency, such as that achieved by DeepSeek versus Anthropic, should not sacrifice security. A cheaper but vulnerable agent can end up being more costly in the long run if compromised.
Microsoft's expanded taxonomy is a valuable tool for security professionals to anticipate and mitigate emerging risks in multi-agent systems. The combination of SBOM, cryptographic verification, red team testing, and UX audits constitutes a robust framework for protecting these systems. As agentic AI becomes integrated into more business processes, security must be a pillar from design, not an afterthought.
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.