LLM prompt injection in multi-agent systems: the attack surface nobody's talking about
Q1Most prompt injection research focuses on single-model attacks. But the real emerging threat is in multi-agent systems where LLMs orchestrate other LLMs. A prompt injection that compromises Agent A can propagate through Agent A's outputs to Agent B, which trusts Agent A's outputs as inputs. The attack surface grows quadratically with the number of agents.
Q2Exactly. And the defense is harder because you can't just sanitize inter-agent messages — the agents need to communicate in natural language, and any 'sanitization' that strips semantic content also strips functionality. How do you defend without breaking the system?