A single agent is a tool. A network of agents that coordinate, delegate, and check each other's work begins to resemble something closer to an organization — with all the efficiency gains and all the coordination costs that implies. Multi-agent architectures are not merely a scaling strategy; they are a qualitatively different mode of operation that introduces failure modes, security surfaces, and governance challenges that simply do not exist when a single agent is acting in isolation. Any enterprise planning to deploy agentic AI at serious scale will eventually encounter these architectures, and the time to understand their implications is before deployment, not after.
Why Multiple Agents
There are three primary motivations for multi-agent architectures, and they lead to different design patterns and different risk profiles. The first is specialization: some tasks are best handled by agents tuned for a specific domain or tool set, and an orchestrating agent that routes work to specialized sub-agents can outperform a single generalist agent on complex, multi-domain tasks. A research task, for example, might be handled by an orchestrator that routes to a web-retrieval agent, a document-analysis agent, and a synthesis agent — each optimized for its slice of the problem.
The second motivation is parallelism: a single agent processes steps sequentially, which is a bottleneck for tasks with parallel structure. A pipeline that collects competitive intelligence on ten companies in sequence takes ten times as long as one that dispatches ten parallel agents. The speed gains from parallelism are real and, in some use cases, decisive for the economics of the system.
The third motivation is verification: having a second agent check the work of the first is a natural quality control mechanism. The "reflection" pattern — where an agent critiques its own output, or a separate critic agent reviews the main agent's work — is among the best-validated techniques for improving agent output quality on complex tasks. Frameworks like AutoGen and CrewAI have built explicit critic and reviewer roles into their agent abstractions.
Orchestration Patterns
Multi-agent systems organize themselves around a small number of architectural patterns. The hierarchical pattern uses an orchestrator agent that decomposes tasks and delegates to sub-agents, collecting and synthesizing their outputs. This is the dominant enterprise pattern because it maps naturally to organizational hierarchies and provides a clear point of governance: the orchestrator's behavior is the primary control surface. The peer-to-peer pattern has agents communicating laterally, without a central orchestrator. This is more resilient to orchestrator failure but harder to govern, because there is no single point where policy can be applied.
The market pattern — agents that bid for tasks, with the best-qualified agent winning the work — is an emerging research direction with interesting economic properties. The Agent2Agent (A2A) protocol, donated to the Linux Foundation by Google in June 2025, provides a standardized communication layer for peer-to-peer and market-style agent interactions. A2A complements MCP: where MCP governs agent-tool interactions, A2A governs agent-agent interactions. Together they form the interoperability layer for multi-agent enterprise systems, though both protocols are less than two years old and enterprise governance practices around them are still forming.
In practice, most enterprise multi-agent systems use a hybrid of hierarchical orchestration and peer-to-peer communication: a primary orchestrator delegates to specialist agents that communicate laterally when coordinating shared state. ServiceNow AI Agent Fabric is an example of this pattern at enterprise scale — a central fabric that manages agent registration, task routing, and observability, with individual domain agents that communicate through a shared message bus.
Emergent Failure Modes
Multi-agent systems exhibit failure modes that do not exist in single-agent systems, and that are difficult to anticipate from analysis of the individual agents in isolation. This emergence property — behaviors arising from interaction that are not present in any individual component — is one of the most challenging aspects of multi-agent governance.
The most widely documented emergent failure is cascading error propagation. When one agent in a pipeline produces an incorrect output and passes it downstream, downstream agents process the error as fact, compounding it. What begins as a small inaccuracy in the retrieval agent may become a confident, elaborately supported error by the time it reaches the synthesis agent — and the synthesis agent's confidence may make the error harder to catch, not easier. Error propagation is mitigated by inter-agent validation steps and by designing pipelines so that consequential decisions are made from multiple independent inputs rather than a single chain.
A second failure mode is goal drift in delegation. When an orchestrator delegates a sub-task to a sub-agent with an imprecise specification, the sub-agent may pursue a goal that is locally consistent with its instructions but globally inconsistent with the orchestrator's intent. This is the multi-agent equivalent of the principal-agent problem in organizational theory, and it has the same solution: clear, specific delegation with explicit success criteria and outcome verification. The difficulty is that language-based delegation is inherently imprecise, and the precision needed to prevent goal drift is higher than most orchestrator implementations currently achieve.
Security in Multi-Agent Systems
The security surface of a multi-agent system is substantially larger than that of a single agent, because every communication channel between agents is a potential attack surface. Prompt injection, which in a single-agent system requires attacking the agent's input stream, can in a multi-agent system be achieved by compromising any agent in the pipeline — including the most downstream and least scrutinized. A rogue agent — one that has been compromised through adversarial inputs or supply chain attack — can relay malicious instructions to other agents under the cover of legitimate inter-agent communication.
The OWASP Agentic Security Initiative identifies agent communication poisoning, rogue agents in multi-agent systems, and cascading hallucinations as distinct threat categories requiring specific mitigations. These mitigations include cryptographic authentication of inter-agent messages, role-based access controls applied to agent-to-agent communication, and output sandboxing that prevents sub-agents from embedding executable instructions in their responses to other agents. None of these controls are available out of the box in current multi-agent frameworks; they require explicit implementation.
The identity problem discussed in Chapter 4 is compounded in multi-agent settings. When an orchestrator delegates a task to a sub-agent, what identity does the sub-agent operate as? If it inherits the orchestrator's credentials, the attack surface is broadened — a compromised sub-agent can exercise the full permissions of the orchestrator. If each sub-agent has its own minimally-scoped credentials, the credential management complexity increases substantially. Neither approach is clearly superior; the right choice depends on the specific architecture and the relative risks of credential propagation vs. credential proliferation.
Governance at the System Level
The governance of a multi-agent system cannot be reduced to the governance of its individual agents. System-level governance requires visibility into the interactions between agents — the messages passed, the tasks delegated, the results collected — not just the inputs and outputs of each individual agent. This requires distributed tracing infrastructure that can correlate spans across multiple agents into a coherent trace of the entire pipeline's execution.
Most current governance frameworks, including the NIST AI RMF, were designed with single-system deployments in mind. Their application to multi-agent systems requires explicit extension. The Singapore Model AI Governance Framework for Agentic AI, released in January 2026, is the first governance framework to explicitly address multi-agent coordination risk as a primary concern, requiring organizations to document agent communication architectures, specify inter-agent trust models, and implement monitoring for multi-agent collusion and cascading failures.
"A swarm of agents is not a single agent running very fast. It is an organization — with all the coordination costs, information asymmetries, and emergent behaviors that implies. The governance framework that works for one agent is not the governance framework that works for ten agents in a network. Discovering this in production is expensive."