One compromised connection in a multi-agent AI system can sink the whole operation.
Researchers have published MESA, a framework that scores communication channels between AI agents by how much damage an attacker could do if they compromised each one. The paper tested MESA across three multi-agent scenarios, eight network topologies, and five open-source language models from the Qwen, Llama, and Gemma families. The core finding: attack impact is not spread evenly. A single edge can account for up to 75% of total attack success, which means random defensive coverage wastes most of its budget. MESA uses six graph-based metrics and two dynamic probes — no prior attack data required — and its rankings correlated with real per-edge attack success at a mean Spearman rank of +0.60.
The practical payoff is notable: monitoring the top 10% of MESA-ranked edges intercepted roughly three times as many successful attacks as random allocation of the same resources. That kind of leverage matters because multi-agent systems are proliferating fast — LangGraph, AutoGen, and similar orchestration tools are becoming standard plumbing for enterprise AI workflows, and most of their inter-agent channels are trusted by default.
Security research on multi-agent systems is still catching up to adoption. Most existing defenses focus on individual model inputs, not the channels between agents — the same blind spot that made early microservices architectures easy to pivot through once an attacker got inside the perimeter.