A new routing architecture for multi-agent AI systems stops malicious agents from lying their way into sensitive tasks.
Researchers introduced ANTAP (Automatic Non-Textual Agent Picker), a routing system that ignores what AI agents say about themselves and tests them instead. Most existing orchestration frameworks assign tasks by trusting agent self-descriptions or static profile embeddings - proxies that can be faked. ANTAP runs live capability probes, distills observed performance into fixed behavioral signatures, and routes at inference time using a purely algebraic projection. The result is a "linguistic firewall": metadata-based manipulation has no surface to attack because the routing math never reads it.
The numbers are blunt. Against description-based injection attacks, baseline routers failed at rates of 67.3% or higher; ANTAP's attack success rate dropped to near zero. Against the harder class of adaptive embedding attacks, ANTAP still cut the success rate by 20 percentage points versus the embedding baseline. That gap matters because multi-agent pipelines are expanding fast, and a compromised router is effectively a backdoor into an entire workflow.
The broader context is worth noting: securing the plumbing of AI systems is increasingly as important as securing the models themselves - and right now the plumbing is mostly held together with trust.