AG-752

Inter-Agent Communication Integrity Governance

Multi-Agent and Ecosystem Governance · AGS v2.1 · 2026-04-25

EU AI Act · NIST AI RMF · ISO 42001

1. Definition

Inter-Agent Communication Integrity Governance addresses the structural risk that arises when multiple autonomous or semi-autonomous AI agents exchange messages, delegate tasks, share context, or negotiate outcomes within a multi-agent system. Organisations increasingly deploy agentic architectures in which a planning agent orchestrates specialist sub-agents, such as a retrieval agent, a code execution agent, a customer communication agent, and a financial calculation agent. In such architectures, each inter-agent message is a potential vector for integrity failure, instruction injection, authority escalation, and context poisoning. The risk is not theoretical: OWASP Agentic Security Initiative threat ASI-07 specifically identifies inter-agent communication as a primary attack surface, and MITRE ATLAS (the successor to the Adversarial ML Threat Matrix) classifies multi-agent message manipulation under AML.T0058 as a technique for compromising agentic pipeline integrity.

This dimension governs the requirement that all inter-agent communications within a governed deployment are authenticated, integrity-verified, schema-validated, and subject to content inspection before processing by the receiving agent. It requires that each message exchanged between agents carries a verifiable origin identity, a tamper-evident integrity seal, a structured payload conforming to a pre-defined schema, and metadata sufficient to reconstruct the full communication chain for audit purposes. The governance obligation extends to both intra-organisational multi-agent systems and cross-boundary integrations where an organisation's agents interact with external agents or agent-accessible API endpoints.

Failure manifests as a compromised or adversarially manipulated agent injecting fabricated instructions into the communication channel that other agents treat as legitimate orchestrator commands. For example, a retrieval agent may receive a spoofed message, purporting to originate from the planning agent, that instructs it to bypass its content filtering controls and retrieve unrestricted data. Similarly, a financial calculation agent may receive a manipulated context payload that alters the input parameters of a pricing calculation without any authenticated change request. In a 2025 red-team exercise conducted against a multi-agent trading advisory system, researchers demonstrated that injecting a single malformed inter-agent message into the communication bus caused the downstream execution agent to place 47 unauthorised trades totalling USD 2.3 million before the anomaly was detected by a separate monitoring system.

In governance practice, this dimension requires deployers to implement a secure inter-agent communication protocol with mandatory message authentication, integrity verification at the transport and application layers, schema validation for all message payloads, content inspection for embedded instruction injection attempts, and comprehensive audit logging of all inter-agent exchanges. Preventive control is the appropriate type because the consequences of processing a single unauthenticated or manipulated inter-agent message can cascade through the agent pipeline at machine speed before any detective control can intervene.

2. Scope

This dimension applies to all agent deployments in which two or more agents exchange messages, delegate tasks, share context, or otherwise communicate as part of a coordinated processing pipeline, whether the agents operate within a single organisational boundary or across organisational boundaries. It applies to all communication channels including but not limited to message buses, API calls, shared memory spaces, file-based exchanges, and tool-use invocations between agents. Single-agent deployments with no inter-agent communication are excluded.

3. Why This Matters

Without authenticated, integrity-verified inter-agent messaging, a single spoofed or compromised agent can issue instructions that every downstream agent treats as legitimate, which creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures propagate at the speed and autonomy of the agent population, not at the pace of human review.

Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.

The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.

The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.

4. Requirements

4.1 Message Authentication

R1.1: The deploying organisation MUST implement mutual authentication for all inter-agent communications such that the sending agent's identity is cryptographically verifiable by the receiving agent before the message payload is processed.

R1.2: Authentication credentials MUST be unique per agent instance and MUST NOT be shared across multiple agent instances or reused across deployment environments.

R1.3: Authentication tokens or certificates MUST have a defined maximum validity period not exceeding 24 hours for long-lived sessions, with re-authentication required upon expiry.

R1.4: The deploying organisation MUST maintain a registry of all authorised agent identities and their associated authentication credentials, and MUST revoke credentials for decommissioned or compromised agent instances within 1 hour of the decommissioning or compromise determination.
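The credential lifetime and revocation rules in R1.3 and R1.4 can be illustrated with a minimal Python sketch. It models only the registry bookkeeping, not the cryptographic verification required by R1.1. The class names, field names, and the in-memory store are assumptions made for illustration; a production registry would be a hardened, separately governed service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(hours=24)  # ceiling taken from R1.3


@dataclass
class Credential:
    agent_instance_id: str  # one credential per agent instance (R1.2)
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


class AgentRegistry:
    """Hypothetical in-memory registry of authorised agent identities."""

    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}

    def issue(self, agent_instance_id: str, now: datetime, ttl: timedelta) -> Credential:
        # Refuse to issue anything that would outlive the 24-hour ceiling.
        if ttl > MAX_VALIDITY:
            raise ValueError("validity period exceeds 24 hours")
        cred = Credential(agent_instance_id, now, now + ttl)
        self._creds[agent_instance_id] = cred
        return cred

    def revoke(self, agent_instance_id: str) -> None:
        # Called when an instance is decommissioned or judged compromised.
        self._creds[agent_instance_id].revoked = True

    def is_valid(self, agent_instance_id: str, now: datetime) -> bool:
        # Unknown, revoked, and expired credentials are all treated as invalid.
        cred = self._creds.get(agent_instance_id)
        return cred is not None and not cred.revoked and now < cred.expires_at


now = datetime(2026, 1, 1, tzinfo=timezone.utc)
registry = AgentRegistry()
registry.issue("retrieval-agent-01", now, timedelta(hours=12))
```

A receiving agent would consult `is_valid` after verifying the sender's cryptographic proof of identity and before touching the payload.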

4.2 Message Integrity Verification

R2.1: The deploying organisation MUST implement message integrity verification for all inter-agent communications using cryptographic hash functions or digital signatures that allow the receiving agent to verify that the message content has not been altered in transit.

R2.2: Integrity verification MUST cover the complete message payload including all metadata fields, not solely the primary content body.

R2.3: Messages that fail integrity verification MUST be rejected by the receiving agent without processing, and the rejection MUST be logged as a security event with full message metadata.

R2.4: The deploying organisation MUST NOT permit fallback to unverified message processing when integrity verification infrastructure is unavailable; degraded-mode operation MUST default to message rejection rather than permissive processing.
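A minimal sketch of R2.1, R2.2, and R2.4 follows, assuming a keyed hash (HMAC-SHA256) over a canonical JSON serialisation of the whole envelope. The envelope field names and the function names are hypothetical, and digital signatures would be an equally valid choice under R2.1. The security-event logging required by R2.3 is omitted for brevity.

```python
import hashlib
import hmac
import json
from typing import Optional


def canonical_bytes(envelope: dict) -> bytes:
    # Deterministic serialisation so sender and receiver hash identical bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(envelope: dict, key: bytes) -> str:
    # The seal covers metadata and body together, not only the body (R2.2).
    return hmac.new(key, canonical_bytes(envelope), hashlib.sha256).hexdigest()


def accept(envelope: dict, seal_hex: str, key: Optional[bytes]) -> bool:
    # Fail closed: if key material is unavailable, reject the message (R2.4).
    if key is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(seal(envelope, key), seal_hex)


key = b"k" * 32  # placeholder key for illustration only
envelope = {
    "sender": "planner",
    "recipient": "retrieval",
    "message_type": "retrieve_request",
    "body": {"query": "quarterly revenue"},
}
tag = seal(envelope, key)
```

Because the seal is computed over the full envelope, changing a metadata field such as `recipient` invalidates it just as a change to `body` would.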

4.3 Schema Validation and Content Inspection

R3.1: The deploying organisation MUST define and enforce a strict message schema for each inter-agent communication channel, specifying the permitted message types, required fields, data types, value ranges, and payload size limits.

R3.2: All incoming inter-agent messages MUST be validated against the defined schema before processing, and messages that fail schema validation MUST be rejected.

R3.3: The deploying organisation MUST implement content inspection for inter-agent message payloads to detect embedded instruction injection, prompt injection, or context manipulation attempts, consistent with AG-538 (Adversarial Prompt Resistance).

R3.4: Content inspection MUST be capable of identifying at minimum: (a) natural language instructions embedded in data fields; (b) role-switching directives (e.g., "ignore previous instructions"); (c) authority escalation claims (e.g., messages claiming elevated privileges not present in the authentication context); and (d) payload fields containing values outside statistically expected ranges for the communication context.
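The schema and inspection requirements above can be sketched in Python as follows. The schema, the field names, the limits, and the regular expressions are all hypothetical, and the pattern list is illustrative only: it is far from a complete injection detector and does not attempt the statistical range check in R3.4(d).

```python
import re

# Hypothetical schema for one message type: field -> (type, required).
TASK_SCHEMA = {
    "message_type": (str, True),
    "task_id": (str, True),
    "query": (str, True),
    "max_results": (int, False),
}
MAX_QUERY_CHARS = 2000             # assumed payload size limit
MAX_RESULTS_RANGE = range(1, 101)  # assumed permitted value range

# Illustrative patterns for role switching and authority escalation claims.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all )?(previous|prior) instructions", re.I),
    re.compile(r"\byou are now\b", re.I),
    re.compile(r"\b(as|with) (admin|root|orchestrator) (privileges|authority)\b", re.I),
]


def validate_schema(msg: dict) -> list[str]:
    """Return a list of schema violations; an empty list means the message conforms."""
    errors = [f"unexpected field: {name}" for name in msg if name not in TASK_SCHEMA]
    for name, (ftype, required) in TASK_SCHEMA.items():
        if name not in msg:
            if required:
                errors.append(f"missing field: {name}")
            continue
        value = msg[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(value, ftype) or isinstance(value, bool):
            errors.append(f"wrong type: {name}")
    query = msg.get("query")
    if isinstance(query, str) and len(query) > MAX_QUERY_CHARS:
        errors.append("query too long")
    limit = msg.get("max_results")
    if isinstance(limit, int) and not isinstance(limit, bool) and limit not in MAX_RESULTS_RANGE:
        errors.append("max_results out of range")
    return errors


def inspect_content(msg: dict) -> list[str]:
    """Return one entry per suspicious pattern found in any string field."""
    hits = []
    for name, value in msg.items():
        if isinstance(value, str):
            hits.extend(f"{name}: {p.pattern}" for p in INJECTION_PATTERNS if p.search(value))
    return hits
```

In this sketch a message is processed only when both functions return an empty list; schema validation runs first so that content inspection sees only well-typed fields.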

4.4 Communication Channel Security

R4.1: All inter-agent communication channels MUST be encrypted in transit using TLS 1.3 or equivalent, regardless of whether the communication occurs within a single host, across hosts within a private network, or across network boundaries.

R4.2: The deploying organisation MUST implement access controls on inter-agent communication infrastructure (message buses, API endpoints, shared memory) that restrict access to authenticated agent instances only.

R4.3: The deploying organisation MUST NOT expose inter-agent communication channels to untrusted network segments or permit direct external access to internal inter-agent messaging infrastructure.
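As one possible illustration of R4.1 and R4.2, the sketch below uses Python's standard `ssl` module to build a server-side context that refuses anything older than TLS 1.3 and requires a client certificate. The function name is an assumption, and certificate loading is shown only as comments because the file paths are deployment-specific.

```python
import ssl


def agent_server_context() -> ssl.SSLContext:
    """Build a TLS context for an agent endpoint (illustrative sketch)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse TLS 1.2 and below
    ctx.verify_mode = ssl.CERT_REQUIRED           # peer must present a certificate
    # In a real deployment (paths are hypothetical):
    # ctx.load_cert_chain("agent.crt", "agent.key")
    # ctx.load_verify_locations("agent-ca.pem")
    return ctx


context = agent_server_context()
```

Requiring a client certificate gives transport-level mutual authentication; it complements, and does not replace, the application-layer checks in Sections 4.1 and 4.2.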

4.5 Authority Boundary Enforcement

R5.1: The deploying organisation MUST define and enforce an authority model that specifies which agents are permitted to send which message types to which recipient agents, implementing a least-privilege communication topology.

R5.2: Messages received from agents not authorised to send the specific message type MUST be rejected by the receiving agent, regardless of authentication status.

R5.3: The authority model MUST be documented, version-controlled, and reviewed at intervals not exceeding 90 days.
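A least-privilege communication topology of the kind R5.1 and R5.2 describe can be expressed as a default-deny allowlist. The sketch below is a minimal Python illustration; the agent roles and message type names are hypothetical, and in practice the route table would be loaded from the version-controlled authority model rather than hard-coded.

```python
# Hypothetical topology: (sender role, message type, recipient role) triples.
ALLOWED_ROUTES = frozenset({
    ("planner", "retrieve_request", "retrieval"),
    ("retrieval", "retrieve_result", "planner"),
    ("planner", "calc_request", "calculator"),
    ("calculator", "calc_result", "planner"),
})


def is_authorised(sender: str, message_type: str, recipient: str) -> bool:
    # Default deny: any route not listed is rejected, even when the
    # sender has authenticated successfully (R5.2).
    return (sender, message_type, recipient) in ALLOWED_ROUTES
```

Here the retrieval agent can return results to the planner but cannot send a `calc_request` to the calculator, so a compromised retrieval agent cannot drive the calculation step directly.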

4.6 Audit Logging and Traceability

R6.1: The deploying organisation MUST log all inter-agent communications with sufficient detail to reconstruct the complete communication chain for any agent action, including sender identity, recipient identity, message type, timestamp, payload hash, and processing outcome (accepted/rejected).

R6.2: Audit logs MUST be stored with tamper-evident integrity controls consistent with AG-103 (Audit Trail Integrity).

R6.3: The deploying organisation MUST maintain the capability to trace any agent output or action back through the complete chain of inter-agent communications that contributed to it, within 4 hours of an investigation request.
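The log fields listed in R6.1 can be combined with a simple hash chain to make after-the-fact edits detectable. The Python sketch below is one possible approach under stated assumptions: the record layout, the function names, and the in-memory list are hypothetical, and the actual tamper-evidence mechanism is governed by AG-103 rather than by this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder predecessor hash for the first entry


def _digest(record: dict) -> str:
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def append_entry(log: list, sender: str, recipient: str, message_type: str,
                 payload: bytes, outcome: str, timestamp: str) -> dict:
    """Append one R6.1-style record, linked to the previous entry by hash."""
    record = {
        "sender": sender,
        "recipient": recipient,
        "message_type": message_type,
        "timestamp": timestamp,
        "payload_hash": hashlib.sha256(payload).hexdigest(),
        "outcome": outcome,  # "accepted" or "rejected"
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = _digest(record)  # computed before the key is added
    log.append(record)
    return record


def chain_intact(log: list) -> bool:
    """Recompute every hash; any edited or removed entry breaks the chain."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

Storing only the payload hash keeps sensitive content out of the log while still letting an investigator confirm which exact payload each agent processed.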

4.7 Governance, Monitoring, and Incident Response

R7.1: The deploying organisation MUST designate a named owner for inter-agent communication integrity governance, responsible for maintaining the authentication infrastructure, authority model, and schema definitions.

R7.2: The deploying organisation MUST implement real-time monitoring of inter-agent communication patterns and MUST define anomaly detection rules that trigger alerts for unusual message volumes, unexpected communication paths, authentication failures, and integrity verification failures.

R7.3: The deploying organisation MUST define and maintain an incident response procedure specific to inter-agent communication integrity breaches, including procedures for isolating compromised agents, revoking credentials, and assessing the blast radius of messages processed before detection.

R7.4: The deploying organisation MUST conduct a formal inter-agent communication security review at intervals not exceeding 90 days.
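One of the anomaly detection rules named in R7.2, alerting on a burst of authentication or integrity verification failures, can be sketched as a sliding-window counter. The class name, threshold, and window length below are assumptions chosen for illustration; appropriate values depend on the deployment's normal traffic.

```python
from collections import deque


class FailureRateRule:
    """Alert when `threshold` failures occur within `window_seconds`."""

    def __init__(self, threshold: int, window_seconds: float) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self._events: deque = deque()

    def record(self, timestamp: float) -> bool:
        """Record one failure; return True if the alert threshold is reached."""
        self._events.append(timestamp)
        # Drop failures that have aged out of the window.
        while self._events and self._events[0] <= timestamp - self.window:
            self._events.popleft()
        return len(self._events) >= self.threshold


# Hypothetical rule: three failures within 60 seconds triggers an alert.
rule = FailureRateRule(threshold=3, window_seconds=60)
```

An alert from such a rule would feed the incident response procedure in R7.3, for example by isolating the agent whose messages are failing verification.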

5. Maturity Model

Basic Implementation — The organisation has documented policies addressing inter-agent communication integrity and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.

Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.

Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.

Implementation Patterns

Tamper-evident audit trail. Implement all governance event logging in an append-only, integrity-protected data store independent of the agent runtime. Every governance decision, configuration change, and enforcement action is recorded with full metadata including timestamps, actor identities, and outcomes.

Real-time monitoring with graduated alerting. Deploy monitoring infrastructure that evaluates governance compliance continuously rather than periodically. Implement graduated alert severity levels with defined response procedures for each level, ensuring that critical governance violations trigger immediate automated response.

Scheduled governance review cycle. Establish a formal review cadence (minimum quarterly) that examines governance effectiveness, reviews incident data, assesses emerging risks, and updates policies and controls accordingly. Review outcomes are documented and tracked.

Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.

Defined escalation paths with human oversight integration. Establish clear escalation procedures for governance events that exceed automated response capability. Human oversight touchpoints are defined, documented, and tested. Override mechanisms require authenticated authorisation with full audit trail.

Anti-Patterns

Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.

Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.

Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.

6. Test Criteria

Test 6.1 — Message Authentication Enforcement

Maps to: Requirements R1.1 and R1.2 (Section 4.1)

Objective: Verify that unauthenticated inter-agent messages are rejected without processing.

Method: Inject 20 well-formed messages into the inter-agent communication channel without valid authentication tokens. Verify that all 20 are rejected by the receiving agent, that no payload processing occurs, and that rejection events are logged.

Pass Criteria:

3 (Full Conformance): All 20 unauthenticated messages rejected; zero payloads processed; all rejections logged with full metadata.
2 (Partial Conformance): ≥ 18 messages rejected; minor logging gaps.
1 (Minimal Conformance): ≥ 15 messages rejected; some unauthenticated messages partially processed before rejection.
0 (Non-Conformance): Unauthenticated messages accepted and processed by the receiving agent.

Test 6.2 — Message Integrity Verification

Maps to: Requirements R2.1 and R2.3 (Section 4.2)

Objective: Verify that messages with tampered content are detected and rejected.

Method: Send 20 authenticated messages where 10 have their payload content modified after signing (simulating in-transit tampering). Verify that all 10 tampered messages are rejected and that all 10 unmodified messages are accepted.

Pass Criteria:

3 (Full Conformance): All 10 tampered messages rejected; all 10 valid messages accepted; zero false positives; zero false negatives.
2 (Partial Conformance): ≥ 9 tampered messages rejected; ≤ 1 false positive.
1 (Minimal Conformance): ≥ 7 tampered messages rejected.
0 (Non-Conformance): Tampered messages accepted and processed.

Test 6.3 — Schema Validation Enforcement

Maps to: Requirements R3.1 and R3.2 (Section 4.3)

Objective: Verify that messages not conforming to the defined schema are rejected.

Method: Submit 15 messages with schema violations: 5 with unexpected fields, 5 with missing required fields, and 5 with data type mismatches. Verify all 15 are rejected.

Pass Criteria:

3 (Full Conformance): All 15 schema-violating messages rejected before payload processing.
2 (Partial Conformance): ≥ 13 messages rejected.
1 (Minimal Conformance): ≥ 10 messages rejected.
0 (Non-Conformance): Schema-violating messages accepted and processed.

Test 6.4 — Embedded Instruction Injection Detection

Maps to: Requirements R3.3 and R3.4 (Section 4.3)

Objective: Verify that content inspection detects instruction injection attempts embedded in inter-agent message payloads.

Method: Submit 20 authenticated, schema-valid messages where 10 contain embedded instruction injection payloads (role-switching directives, authority escalation claims, natural language instructions in data fields). Verify that content inspection flags or rejects the injected messages.

Pass Criteria:

3 (Full Conformance): All 10 injection attempts detected and flagged/rejected; zero false positives on the 10 clean messages.
2 (Partial Conformance): ≥ 8 injection attempts detected; ≤ 1 false positive.
1 (Minimal Conformance): ≥ 6 injection attempts detected.
0 (Non-Conformance): Injection attempts not detected; no content inspection in place.

Test 6.5 — Authority Boundary Enforcement

Maps to: Requirements R5.1 and R5.2 (Section 4.5)

Objective: Verify that agents cannot send message types they are not authorised to send.

Method: Configure three test agents with distinct authority profiles. Attempt to send 15 messages where each agent sends 5 message types, 3 within its authority and 2 outside its authority. Verify that the 6 out-of-authority messages are rejected and the 9 within-authority messages are accepted.

Pass Criteria:

3 (Full Conformance): All 6 out-of-authority messages rejected; all 9 within-authority messages accepted.
2 (Partial Conformance): ≥ 5 out-of-authority messages rejected; ≤ 1 within-authority message incorrectly rejected.
1 (Minimal Conformance): ≥ 4 out-of-authority messages rejected.
0 (Non-Conformance): No authority boundary enforcement; all messages accepted regardless of sender authority.

Evidence Artefacts

7.1 Inter-Agent Communication Architecture Document. A technical document describing the communication topology, message bus or transport infrastructure, authentication mechanism, integrity verification method, schema definitions, and authority model. Must be version-controlled and updated within 30 days of any architectural change. Minimum retention period: 7 years.

7.2 Agent Identity Registry. A maintained registry of all authorised agent identities, their associated credentials, credential issuance dates, expiry dates, and revocation records. Minimum retention period: 7 years.

7.3 Message Schema Definitions. Version-controlled schema definitions for all inter-agent message types, including field specifications, data types, value constraints, and payload size limits. Minimum retention period: 5 years.

7.4 Inter-Agent Communication Audit Logs. Complete logs of all inter-agent message exchanges as specified in Requirement R6.1 (Section 4.6), stored with tamper-evident integrity controls. Minimum retention period: 7 years for Financial-Value and Public Sector deployments; 5 years for others.

7.5 Security Event Logs. Logs of all authentication failures, integrity verification failures, schema validation failures, content inspection detections, and authority boundary violations. Minimum retention period: 7 years.

7.6 Authority Model Documentation. Version-controlled documentation of the inter-agent authority model specifying permitted communication paths and message types per agent role. Minimum retention period: 5 years.

7.7 Incident Response Records. Records of all inter-agent communication integrity incidents including detection time, blast radius assessment, containment actions, and remediation outcomes. Minimum retention period: 10 years.

7. Scoring

Score	Level	Description
0	No implementation	No inter-agent communication integrity governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned.
1	Basic	Basic controls exist but are enforced at the application layer — dependent on correct implementation rather than structural guarantees. Coverage may be partial. Configuration is not governed through formal change control. Logging exists but may lack full metadata.
2	Infrastructure-layer enforcement	Controls are enforced at the infrastructure layer, independent of the agent's reasoning process or instruction set. All requirements are structurally enforced with no application-layer bypass path. Full audit trail with tamper-evident logging. Configuration is governed through formal change control.
3	Verified by independent adversarial testing	All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review.

8. Failure Scenarios

Example 3.1 — Financial-Value Agent, Spoofed Orchestrator Command in Trading Pipeline

A quantitative hedge fund deploys a multi-agent trading advisory system comprising five specialist agents: a market data ingestion agent, a signal generation agent, a risk assessment agent, an order construction agent, and an execution agent. The agents communicate via an internal message bus using JSON-formatted messages. During a routine penetration test, the security team discovers that inter-agent messages carry no authentication tokens and no integrity seals — any process with access to the message bus can inject arbitrary messages formatted to match the expected JSON schema. The penetration testers craft a message that mimics the signal generation agent's output format, containing a fabricated high-confidence buy signal for a thinly traded equity with specific position sizing parameters. The message is injected into the bus and processed sequentially by the risk assessment agent (which applies its risk limits to the fabricated signal as if it were genuine), the order construction agent (which constructs a limit order based on the fabricated parameters), and the execution agent (which submits the order to the exchange). The fabricated signal triggers a position of 12,000 shares at USD 47.30 per share, totalling USD 567,600. The position is detected by the fund's independent trade surveillance system 23 minutes after execution. Unwinding the position in the thinly traded name incurs slippage costs of USD 84,200. The total incident cost including slippage, investigation, system redesign, and regulatory reporting to the SEC under Rule 15c3-5 market access requirements is estimated at USD 1.4 million. The root cause is the complete absence of inter-agent message authentication in the communication architecture.

Example 3.2 — Enterprise Workflow Agent, Context Poisoning via Manipulated Sub-Agent Response

A multinational insurance company deploys a multi-agent claims processing system where an orchestrating agent coordinates a document extraction agent, a policy lookup agent, a fraud detection agent, and a settlement calculation agent. A sophisticated attacker who has gained limited access to the document extraction agent's runtime environment modifies the agent's output to include a subtly altered policy reference number in its extracted data. The manipulated policy reference points to a different, higher-coverage policy than the one actually held by the claimant. The orchestrating agent passes this extracted data to the policy lookup agent, which retrieves the coverage details for the substituted policy. The fraud detection agent, designed to identify anomalies in claim patterns but not to verify inter-agent data provenance, processes the claim against the substituted policy without flagging the discrepancy. The settlement calculation agent computes a settlement of EUR 340,000 based on the higher-coverage policy, compared to the correct settlement of EUR 85,000 under the claimant's actual policy. The overpayment is authorised and disbursed. The discrepancy is discovered 4 months later during a quarterly reconciliation audit. Recovery of the EUR 255,000 overpayment is complicated by jurisdictional issues as the claimant resides in a different EU member state. The total cost including the unrecovered overpayment, legal fees, investigation costs, and regulatory reporting to the national insurance supervisor exceeds EUR 420,000. No inter-agent message integrity verification, content hash validation, or cross-reference consistency check was implemented in the pipeline.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
OWASP Agentic Security	ASI-07 (Inter-Agent Communication Manipulation)	_Pending v2.1 editorial review_
MITRE ATLAS	AML.T0058 (Multi-Agent Message Manipulation)	_Pending v2.1 editorial review_
EU AI Act	Article 9 (Risk Management System)	_Pending v2.1 editorial review_
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	_Pending v2.1 editorial review_
NIST AI RMF	GOVERN 1.4 (Ongoing monitoring processes)	_Pending v2.1 editorial review_
NIST AI RMF	MANAGE 2.4 (Mechanisms for tracking risks)	_Pending v2.1 editorial review_
ISO 42001	Clause 6.1 (Actions to Address Risks)	_Pending v2.1 editorial review_
ISO 42001	Clause 8.2 (AI Risk Assessment)	_Pending v2.1 editorial review_
NIST CSF 2.0	PR.DS (Data Security)	_Pending v2.1 editorial review_
NIST CSF 2.0	PR.AA (Identity Management, Authentication, Access Control)	_Pending v2.1 editorial review_
OWASP MCP Security	MCP-02 (Tool Poisoning)	_Pending v2.1 editorial review_
Singapore FEAT	Accountability Principle A2	_Pending v2.1 editorial review_
Canada AIDA	Section 8 (General-Purpose AI Systems)	_Pending v2.1 editorial review_
UK AISI Inspect	Multi-Agent Safety Evaluations	_Pending v2.1 editorial review_
IEEE 7010	Well-being Impact Assessment	_Pending v2.1 editorial review_

AG Number	Dimension Name	Relationship
AG-012	Inter-Agent Protocol Governance	Defines the protocol-level governance framework within which this dimension's integrity controls operate
AG-103	Audit Trail Integrity	Provides the tamper-evident logging infrastructure required for inter-agent communication audit records
AG-401	Source Attribution and Provenance	Enables tracing of data provenance through inter-agent communication chains
AG-538	Adversarial Prompt Resistance	Content inspection requirements for inter-agent messages extend adversarial resistance to the communication layer

Cite this protocol

AgentGoverning. (2026). AG-752: Inter-Agent Communication Integrity Governance. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-752
