One compromised agent becomes many compromised agents.
Multi-agent architectures amplify Excessive Agency at every junction.
SCENARIO #4 — Cascading Agents
Multi-Agent Compromise via Inherited Authority
An enterprise deploys an orchestrator agent that coordinates sub-agents: one for email, one for documents, one for project management. The orchestrator is compromised via a malicious prompt injection in a customer support ticket. The attacker uses the orchestrator to direct sub-agents with its own authority, exfiltrating data across all three connected systems simultaneously. Each sub-agent inherits the orchestrator’s credentials and acts autonomously — no individual action triggers an alert, but together they drain every connected data store within minutes.
Why it matters: Multi-agent systems multiply the blast radius at every junction. A single point of compromise becomes an army of authorized agents. OWASP explicitly warns: each agent junction is another opportunity for Excessive Agency to compound.
The Fix
Sub-agents should not inherit the orchestrator’s full authority. Each agent in a pipeline receives only the minimum permissions needed for its specific task. Treat every agent boundary as a privilege boundary — sub-agents get task-scoped credentials, not parent credentials.