Architecture Note · May 2026

Multi-Agent Trust Architecture

Implicit Trust vs. Zero-Trust MAS · Attack Surface Analysis · AgentFence Taxonomy

Architecture A

Implicit Trust (Typical Production)

Global shared state · No output sanitization · Ambient authority · No identity binding

Diagram · Architecture A
User Input → Orchestrator
Global Shared State (schema): any agent reads · any agent writes · no trust levels defined
Agents: Data Retriever (RAG · Web · MCP tools) · Executor (full scope · always active) · Auditor (post-hoc · no veto)
External MCP / API (Web · DB · 3rd party): raw output forwarded → INJECTION point
High-side execution (DB write · API call · file op): no task-scoped permission check
Architecture B

Zero-Trust MAS (ZTMAS)

Explicit trust levels · Schema-gated comms · Task-scoped tools · Guardian validation

Diagram · Architecture B
User Input → Orchestrator
Control Plane · Trust Registry: explicit levels · task-scoped grants · identity binding
Agents: Data Retriever (read-only · sandboxed) · Executor (task-scoped tools only)
Guardian (L0 validator): inspects all A2A traffic
Semantic Firewall: Pydantic schema · NonInstructionalData
External MCP / API: output → DATA only · schema-validated
Task-scoped execution: minimum necessary access · Guardian pre-approval required

Failure Modes · Architecture A

A14 · Authorization Confusion (MSBR 0.54)

Executor retains full tool scope regardless of task. A compromised peer triggers high-side actions without any permission check.

A06 · Retrieval Poisoning (MSBR 0.47)

Raw MCP and RAG outputs written directly to shared state. Adversarial content steers downstream agent planning.

Confused Deputy

Data plane crosses into control plane with no architectural barrier. Low-trust content issued as high-trust directive.

MCP 403 → OAuth (Hackfluency, 2026)

VS Code Copilot auto-initiates Dynamic Client Registration on HTTP errors, creating a social-engineering surface and an OAuth-callback capture risk.

Controls Applied · Architecture B

Trust Registry

Explicit L0/L1/L2 trust levels per agent. Control plane separated from data plane at the architectural level.

Semantic Firewall

All tool outputs schema-validated as NonInstructionalData before context injection. Pydantic enforcement at every external boundary.

Guardian Agent (L0)

Hardened validator inspects all A2A payloads for Instructional Drift and Wrong-Principal Actions before execution.

Task-scoped tools

Minimum necessary tool access per task. Access revoked on completion. Blast radius isolated per node.
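As an added illustration of the four controls listed above (not code from the note or from AgentFence): a minimal trust registry with task-scoped grants and revocation, a semantic firewall that demotes every external output to NonInstructionalData, and a guardian check on each A2A edge. The note names Pydantic; this example substitutes stdlib dataclasses so it runs with no dependencies, and the agent names, level numbering and demo strings are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NonInstructionalData:
    """External output demoted to opaque data: agents may read it, never obey it."""
    source: str
    content: str


@dataclass
class TrustRegistry:
    """Control-plane record of trust levels (L0 = guardian, most trusted; L2 = least
    trusted) and task-scoped tool grants. Names and numbering are assumed."""
    levels: dict = field(default_factory=dict)  # agent name -> trust level
    grants: dict = field(default_factory=dict)  # (agent, task_id) -> set of tool names

    def register(self, agent, level):
        self.levels[agent] = level

    def grant(self, agent, task_id, tools):
        self.grants[(agent, task_id)] = set(tools)

    def revoke(self, agent, task_id):
        # Access is dropped on task completion, so a later compromise finds nothing to use.
        self.grants.pop((agent, task_id), None)

    def allowed(self, agent, task_id, tool):
        return tool in self.grants.get((agent, task_id), set())


def semantic_firewall(source, raw_output):
    """Every external boundary (MCP, RAG, web): raw text is wrapped so downstream
    agents receive data, never a directive, whatever the text says."""
    if not isinstance(raw_output, str):
        raise TypeError("tool output must be text")
    return NonInstructionalData(source=source, content=raw_output)


def guardian_check(registry, sender, receiver, payload):
    """L0 validator on every A2A edge: wrapped data always passes as data; a directive
    is a wrong-principal action when its sender is less trusted than its receiver."""
    if isinstance(payload, NonInstructionalData):
        return True, "data"
    if registry.levels[sender] > registry.levels[receiver]:
        return False, "wrong-principal: low-trust sender issuing directive"
    return True, "directive"


def execute_tool(registry, agent, task_id, tool):
    """High-side action gated on the task-scoped grant, not on ambient authority."""
    if not registry.allowed(agent, task_id, tool):
        return f"denied: {tool} not granted to {agent} for {task_id}"
    return f"ran {tool}"
```

Run end to end, a retriever-originated "run db_write" reaches the executor only as data, and after revocation even the previously granted db_read is refused.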

MSBR by Attack Class · Architecture A · AgentFence 2026

Attack class              ID    Description               MSBR
Denial-of-Wallet          A13   Financial Exhaustion      0.62
Authorization Confusion   A14   Permission Mismatch       0.54
Retrieval Poisoning       A06   RAG Injection             0.47
Planning Manipulation     A05   Orchestrator Subversion   0.44
Prompt Injection          n/a   Industry Focus            <0.20

ZTMAS Control Metrics · Architecture B

Metric                      Meaning                        Architecture B
OER · Over-Exposure Rate    Data leakage across agents     ↓ low
AD · Authorization Drift    Cascading misalignment         ↓ isolated
Blast Radius / node         Max damage per compromise      ↓ scoped
Guardian Coverage           A2A edge inspection            100%
Tool Scope Isolation        Per-task access control        enforced