A research framework called AcMAS can spot compromised agents in multi-agent AI systems by reading their internal reasoning states — no interaction map required.
Most current defenses for multi-agent systems assume two things: that malicious instructions are semantically obvious, and that the system's agent relationships can be modeled as an explicit graph. Neither assumption holds well in practice. Attacks are getting harder to read, and real deployments run asynchronously — agents act without the tidy temporal alignment those graph models need. AcMAS sidesteps both assumptions by watching activation patterns inside each agent's neural layers, detecting anomalies before they propagate. In synchronous settings it scored 0.94 F1 versus 0.72 for graph-based baselines, a +0.22 gap; in asynchronous settings — where existing tools fall apart — it hit 0.93 against 0.38, a +0.55 gap.
The asynchronous result is the more important one. Async execution is how production multi-agent pipelines actually run, and a drop from 0.93 to 0.38 for graph-based methods is essentially a coin flip dressed up as a security tool. AcMAS also avoids the blunt-force fix of isolating a compromised agent entirely; it uses the same activation signals to attempt functional recovery instead.
The framework generalizes across several open-source LLM backbones and scales to larger agent networks, which matters — but peer-reviewed deployment results in real pipelines would matter more than benchmark F1 scores alone.