
Securing Multi-Agent Systems

Detect infinite delegation loops, privilege escalation, and unauthorized handoffs in A2A (Agent-to-Agent) systems.

What is A2A Security?

Multi-agent systems allow AI agents to collaborate, delegate tasks, and communicate with each other. This introduces unique security risks:

| Risk | Description | Impact |
|---|---|---|
| Infinite Delegation | Agent A delegates to B, B to A, creating loops | Runaway costs, resource exhaustion |
| Privilege Escalation | Low-trust agent gains capabilities of high-trust agent | Unauthorized actions |
| Data Leakage | Sensitive data passed between agents without controls | Privacy violations |
| Unauthorized Handoffs | Agents delegate to unapproved external agents | Supply chain attacks |

Quick Start (MCP)

The fastest way to audit multi-agent systems is via the MCP server:

# Install Inkog MCP (Claude Desktop, Cursor, etc.)
npx -y @inkog-io/mcp

Then ask your AI assistant:

“Audit my CrewAI agents for security issues in ./my-crew”

Inkog detects:

  • Agents: Extracts all agent definitions (role, goal, tools)
  • Delegation Chains: Maps which agents can delegate to which
  • Risk Patterns: Identifies loops, escalation, unauthorized handoffs

Supported Frameworks

| Framework | Agent Detection | Delegation Analysis |
|---|---|---|
| CrewAI | Agent definitions | allow_delegation, task dependencies |
| OpenAI Swarm | Agent classes | handoff_to_* methods |
| LangGraph | State nodes | Conditional edges, cycles |
| AutoGen | AssistantAgent, UserProxyAgent | GroupChat patterns |
| Custom | Generic agent patterns | Delegation method calls |

Example: CrewAI Security Audit

Sample CrewAI Crew

# crew.py
from crewai import Agent, Task, Crew

# search_tool, web_scraper, analysis_tool and the three tasks are assumed to be
# defined elsewhere in the project; only the agent wiring is shown here.

# Define agents
researcher = Agent(
    role="Research Specialist",
    goal="Research companies and people",
    backstory="Expert at finding information",
    allow_delegation=True,  # Can delegate to other agents
    tools=[search_tool, web_scraper]
)

analyst = Agent(
    role="Industry Analyst",
    goal="Analyze market trends",
    backstory="Expert at market analysis",
    allow_delegation=True,  # Can delegate back!
    tools=[analysis_tool]
)

writer = Agent(
    role="Report Writer",
    goal="Write comprehensive reports",
    backstory="Expert technical writer",
    allow_delegation=False,  # Terminal agent
    tools=[]
)

# Create crew
crew = Crew(
    agents=[researcher, analyst, writer],
    tasks=[research_task, analysis_task, writing_task]
)

Run A2A Audit

Using the CLI:

inkog scan ./crew.py --policy comprehensive

Or via MCP:

“Audit the multi-agent delegation chains in ./crew.py”

Sample Output

A2A SECURITY AUDIT
═══════════════════════════════════════════════════════════════

AGENTS DETECTED (3)
┌─────────────────────────────────────────────────────────────┐
│ Research Specialist                                         │
│   Tools: search_tool, web_scraper                           │
│   Delegation: ENABLED                                       │
├─────────────────────────────────────────────────────────────┤
│ Industry Analyst                                            │
│   Tools: analysis_tool                                      │
│   Delegation: ENABLED                                       │
├─────────────────────────────────────────────────────────────┤
│ Report Writer                                               │
│   Tools: (none)                                             │
│   Delegation: DISABLED (terminal)                           │
└─────────────────────────────────────────────────────────────┘

DELEGATION ANALYSIS
───────────────────────────────────────────────────────────────
WARNING: Potential infinite delegation loop detected
  Research Specialist → Industry Analyst → Research Specialist
  ↺ LOOP

RECOMMENDATION: Set max_delegation_depth or disable delegation on one
agent in the chain.

FINDINGS (2)
───────────────────────────────────────────────────────────────
crew.py:6:1 CRITICAL [recursive_delegation]
  Bi-directional delegation between Research Specialist and Industry Analyst
  Risk: Infinite delegation loop can cause runaway execution
  Compliance: OWASP LLM08, EU AI Act Article 14
  Fix: Add max_delegation_depth=2 or set allow_delegation=False on one agent

crew.py:1:1 MEDIUM [missing_delegation_audit_log]
  No audit logging for inter-agent delegation
  Risk: Cannot trace delegation chains for compliance
  Compliance: EU AI Act Article 12
  Fix: Add delegation_callback for logging

Fixing Common A2A Issues

Fix 1: Limit Delegation Depth

from crewai import Agent

# Before: Unlimited delegation
researcher = Agent(
    role="Researcher",
    allow_delegation=True,
)

# After: Maximum 2 delegation hops
researcher = Agent(
    role="Researcher",
    allow_delegation=True,
    max_delegation_depth=2,  # Stops after 2 hops
)

Fix 2: Create Terminal Agents

from crewai import Agent

# Terminal agent: Can receive delegation but cannot delegate out
final_reviewer = Agent(
    role="Final Reviewer",
    allow_delegation=False,  # Stops delegation chains
    goal="Final approval of all outputs"
)

Fix 3: Add Delegation Logging

import logging
from datetime import datetime

from crewai import Crew

logger = logging.getLogger(__name__)
# audit_log is assumed to be your compliance audit-trail sink (database, SIEM, etc.);
# researcher, analyst, writer and tasks come from the crew definition above.


def delegation_callback(from_agent, to_agent, task):
    logger.info(f"DELEGATION: {from_agent.role} -> {to_agent.role}")
    logger.info(f"  Task: {task.description}")
    # Log to audit trail for compliance
    audit_log.record(from_agent, to_agent, task, timestamp=datetime.now())


crew = Crew(
    agents=[researcher, analyst, writer],
    tasks=tasks,
    delegation_callback=delegation_callback,  # Track all delegations
)

Fix 4: Implement Human Oversight

from crewai import Crew


class DelegationDenied(Exception):
    """Raised to abort a delegation that a human reviewer rejected."""


def human_approval_required(from_agent, to_agent, task):
    """Require human approval for sensitive delegations."""
    sensitive_roles = ["Admin", "Financial"]
    if to_agent.role in sensitive_roles:
        # get_human_approval is assumed to block until a reviewer answers
        approval = get_human_approval(
            f"{from_agent.role} wants to delegate to {to_agent.role}"
        )
        if not approval:
            raise DelegationDenied("Human denied delegation")
    return True


crew = Crew(
    agents=[researcher, analyst, admin],
    tasks=tasks,
    delegation_callback=human_approval_required,
)
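The four fixes above are really one control applied at every hop: cap the depth, stop at terminal agents, record each decision, and ask a human before sensitive targets. The following is an added example that puts them into a single framework-agnostic guard; it is not CrewAI's API and not Inkog's code. It assumes a hypothetical orchestrator that calls guard.authorize() before every inter-agent handoff, and the Agent class, DelegationDenied exception, role names and approval hook are constructed here for the demonstration.

```python
"""Runtime delegation guard combining the four fixes above (depth limit,
terminal agents, audit logging, human approval). Added example; not CrewAI's
API and not Inkog code. Assumes a hypothetical framework that calls
guard.authorize() before each hop; Agent, DelegationDenied, the roles and
the approval hook are constructed here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Agent:
    role: str
    allow_delegation: bool = True   # False makes the agent terminal (Fix 2)


class DelegationDenied(Exception):
    """Raised when a delegation violates policy."""


@dataclass
class DelegationGuard:
    max_depth: int                      # hops allowed in one chain (Fix 1)
    sensitive_roles: frozenset          # targets that need a human decision (Fix 4)
    approve: Callable[[str], bool]      # human approval hook, injected so it can be stubbed
    audit_log: List[Dict[str, str]] = field(default_factory=list)  # append-only trail (Fix 3)

    def authorize(self, chain: List[Agent], to_agent: Agent, task: str) -> List[Agent]:
        """Check one hop; return the extended chain or raise DelegationDenied.

        `chain` lists the agents already in this delegation chain, root first,
        so len(chain) - 1 is the number of hops taken so far.
        """
        from_agent = chain[-1]
        if not from_agent.allow_delegation:
            self._deny(chain, to_agent, task, "terminal agent cannot delegate")
        if any(a.role == to_agent.role for a in chain):
            self._deny(chain, to_agent, task, "recursive delegation loop")
        if len(chain) > self.max_depth:
            self._deny(chain, to_agent, task, f"max_depth={self.max_depth} exceeded")
        if to_agent.role in self.sensitive_roles and not self.approve(
            f"{from_agent.role} wants to delegate to {to_agent.role}: {task}"
        ):
            self._deny(chain, to_agent, task, "human denied delegation")
        self._record(from_agent, to_agent, task, "ALLOWED")
        return chain + [to_agent]

    def _deny(self, chain, to_agent, task, reason):
        self._record(chain[-1], to_agent, task, f"DENIED: {reason}")
        raise DelegationDenied(reason)

    def _record(self, from_agent, to_agent, task, outcome):
        # Every decision, allowed or denied, lands in the trail for later tracing
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "from": from_agent.role, "to": to_agent.role,
            "task": task, "outcome": outcome,
        })


def demo(max_depth: int = 2, approve: Callable[[str], bool] = lambda prompt: False) -> dict:
    """Replay the page's crew (plus constructed Editor and Admin agents) through the guard."""
    researcher = Agent("Research Specialist")
    analyst = Agent("Industry Analyst")
    editor = Agent("Editor")
    writer = Agent("Report Writer", allow_delegation=False)
    admin = Agent("Admin")
    guard = DelegationGuard(max_depth, frozenset({"Admin", "Financial"}), approve)
    results = {}

    def attempt(label, chain, to_agent, task):
        try:
            new_chain = guard.authorize(chain, to_agent, task)
            results[label] = "ALLOWED"
            return new_chain
        except DelegationDenied as exc:
            results[label] = str(exc)
            return chain

    chain = attempt("hop1", [researcher], analyst, "research ACME Corp")   # allowed
    attempt("loop", chain, researcher, "research ACME Corp")               # back to root: loop
    chain = attempt("hop2", chain, editor, "edit findings")                # allowed, 2 hops
    attempt("depth", chain, writer, "write report")                        # hop 3 exceeds max_depth
    chain = attempt("to_terminal", [researcher], writer, "write report")   # allowed
    attempt("terminal", chain, analyst, "analyze")                         # writer cannot delegate
    attempt("human", [researcher], admin, "rotate API keys")               # needs human approval
    results["audit_records"] = len(guard.audit_log)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>12}: {outcome}")
```

The guard returns the extended chain on success, so the orchestrator threads the chain through each hop instead of trusting an agent-supplied depth counter; the loop check compares roles against the whole chain rather than only the immediate caller, which also catches three-agent cycles.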

OpenAI Swarm Example

Sample Swarm Agents

# agents.py
from swarm import Agent

# search_web and analyze_data are assumed to be defined elsewhere in the project.

def transfer_to_analyst():
    """Transfer to the analyst agent."""
    return analyst

def transfer_to_researcher():
    """Transfer to the researcher agent."""
    return researcher  # Creates loop!

researcher = Agent(
    name="Researcher",
    instructions="Research topics thoroughly",
    functions=[transfer_to_analyst, search_web]
)

analyst = Agent(
    name="Analyst",
    instructions="Analyze research findings",
    functions=[transfer_to_researcher, analyze_data]  # Can transfer back!
)

Audit Output

AGENTS DETECTED (2)
┌─────────────────────────────────────────────────────────────┐
│ Researcher                                                  │
│   Functions: transfer_to_analyst, search_web                │
│   Handoffs: analyst                                         │
├─────────────────────────────────────────────────────────────┤
│ Analyst                                                     │
│   Functions: transfer_to_researcher, analyze_data           │
│   Handoffs: researcher                                      │
└─────────────────────────────────────────────────────────────┘

WARNING: Bi-directional handoff detected
  Researcher ⇄ Analyst
  ↺ LOOP

RECOMMENDATION: Remove one handoff direction or add termination logic

Fix for Swarm

from swarm import Agent

# finalize_output and analyze_data are assumed to be defined elsewhere in the project.

# Create a terminal agent that doesn't hand off
final_agent = Agent(
    name="Finalizer",
    instructions="Finalize and return results. Do not hand off.",
    functions=[finalize_output]  # No transfer functions
)

def transfer_to_finalizer():
    """Transfer to the terminal agent."""
    return final_agent

# Update analyst to hand off to finalizer instead of researcher
analyst = Agent(
    name="Analyst",
    instructions="Analyze findings, then hand off to Finalizer",
    functions=[transfer_to_finalizer, analyze_data]  # No loop!
)
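Both audits above (the CrewAI crew and the Swarm pair) reduce to the same static check: build a directed graph of who can hand work to whom, then look for cycles. The following added example, which is not Inkog's scanner and not CrewAI or Swarm code, does that for both declaration styles the page describes: CrewAI-style allow_delegation=True (an agent may delegate to any other crew member) and Swarm-style transfer_to_<agent> functions. The agent and function names are constructed to mirror the page's samples; it also reports the longest chain length for an acyclic topology, which the page's output does not show.

```python
"""Static delegation-graph audit. Added example; not Inkog's scanner and not
CrewAI or Swarm code. Agent and function names below are constructed to
mirror the page's samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AgentSpec:
    name: str
    allow_delegation: bool = False                      # CrewAI style
    handoffs: List[str] = field(default_factory=list)   # Swarm style: explicit targets


def handoff_targets(function_names: List[str], agent_names: List[str],
                    prefix: str = "transfer_to_") -> List[str]:
    """Map Swarm transfer_to_<x> function names to agent names (case-insensitive)."""
    by_lower = {n.lower(): n for n in agent_names}
    return [by_lower[fn[len(prefix):]] for fn in function_names
            if fn.startswith(prefix) and fn[len(prefix):] in by_lower]


def build_graph(agents: List[AgentSpec]) -> Dict[str, Set[str]]:
    """Directed graph: edge A -> B means A can delegate or hand off to B."""
    names = [a.name for a in agents]
    graph: Dict[str, Set[str]] = {}
    for a in agents:
        targets = set(a.handoffs)
        if a.allow_delegation:
            # CrewAI: delegation enabled means any other crew member is reachable
            targets |= {n for n in names if n != a.name}
        graph[a.name] = targets
    return graph


def find_cycles(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Enumerate elementary cycles by DFS over simple paths from every node.

    Each cycle is stored once, rotated to start at its lexically smallest name,
    so Researcher->Analyst->Researcher and Analyst->Researcher->Analyst are one
    loop. Exponential in the worst case, fine for agent graphs of this size.
    """
    cycles: List[List[str]] = []
    seen: Set[tuple] = set()

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in sorted(graph.get(node, ())):
            if nxt == start:
                i = path.index(min(path))
                key = tuple(path[i:] + path[:i])
                if key not in seen:
                    seen.add(key)
                    cycles.append(list(key))
            elif nxt not in path:
                walk(start, nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, start, [start])
    return cycles


def max_chain_depth(graph: Dict[str, Set[str]]) -> int:
    """Longest simple delegation chain in hops (meaningful only when acyclic)."""
    def longest(node: str, visited: Set[str]) -> int:
        return max((1 + longest(n, visited | {n})
                    for n in graph.get(node, ()) if n not in visited), default=0)
    return max((longest(n, {n}) for n in graph), default=0)


def audit(agents: List[AgentSpec]) -> dict:
    """Findings a scanner would report: loops, and the chain depth if there are none."""
    graph = build_graph(agents)
    cycles = find_cycles(graph)
    return {
        "edges": {a: sorted(t) for a, t in graph.items()},
        "cycles": cycles,
        "max_depth": None if cycles else max_chain_depth(graph),
    }


def crewai_demo() -> dict:
    """The page's crew: two mutually delegating agents plus a terminal writer."""
    return audit([
        AgentSpec("Research Specialist", allow_delegation=True),
        AgentSpec("Industry Analyst", allow_delegation=True),
        AgentSpec("Report Writer", allow_delegation=False),
    ])


def swarm_demo(fixed: bool) -> dict:
    """The Swarm pair before the fix (bi-directional handoff) and after (Finalizer)."""
    names = ["Researcher", "Analyst", "Finalizer"]
    analyst_fns = ["transfer_to_finalizer" if fixed else "transfer_to_researcher", "analyze_data"]
    return audit([
        AgentSpec("Researcher", handoffs=handoff_targets(["transfer_to_analyst", "search_web"], names)),
        AgentSpec("Analyst", handoffs=handoff_targets(analyst_fns, names)),
        AgentSpec("Finalizer", handoffs=handoff_targets(["finalize_output"], names)),
    ])


if __name__ == "__main__":
    for label, report in [("CrewAI", crewai_demo()), ("Swarm before", swarm_demo(False)),
                          ("Swarm after", swarm_demo(True))]:
        loops = [" -> ".join(c + c[:1]) for c in report["cycles"]]
        print(f"{label}: loops={loops} max_depth={report['max_depth']}")
```

For the CrewAI crew the graph is nearly complete because allow_delegation=True is not target-specific, which is why the scanner's recommendation is to cap depth or make one agent terminal rather than to remove a single edge; for Swarm the edges are explicit functions, so removing one direction is enough.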

Agent Topology Visualization

When using the Inkog Dashboard, you can visualize your agent topology:

  1. Run a scan with topology export:

    inkog scan ./my-crew --output json > topology.json

  2. Upload to Dashboard: Visit app.inkog.io and import the topology
  3. View the graph: See agents as nodes, delegations as edges, with risk highlighting

The topology view shows:

  • Agent nodes with role labels
  • Tool attachments per agent
  • Delegation edges with direction
  • Risk highlighting (red = loops, yellow = warnings)

CI/CD Integration

Add A2A security checks to your pipeline:

# .github/workflows/security.yml
name: Agent Security
on: [push, pull_request]

jobs:
  a2a-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: inkog-io/inkog-action@v1
        with:
          path: .
          policy: comprehensive
          fail-on: critical,high
      - name: Upload topology
        uses: actions/upload-artifact@v4
        with:
          name: agent-topology
          path: inkog-results.json

Compliance Mapping

A2A findings map to compliance frameworks:

| Finding | OWASP LLM | EU AI Act | NIST AI RMF |
|---|---|---|---|
| Infinite delegation | LLM08 Excessive Agency | Art. 14 Human Oversight | MEASURE 2.4 |
| Privilege escalation | LLM08 Excessive Agency | Art. 14 Human Oversight | MANAGE 1.1 |
| Unauthorized handoff | LLM08 Excessive Agency | Art. 15 Cybersecurity | MANAGE 2.2 |
| Missing audit log | LLM08 Excessive Agency | Art. 12 Record-keeping | MAP 1.1 |

Best Practices

  1. Design for termination: Every delegation chain should have a terminal agent
  2. Limit delegation depth: Set max_delegation_depth to prevent runaway chains
  3. Log all delegations: Required for EU AI Act Article 12 compliance
  4. Audit regularly: Run A2A audits in CI/CD, not just at release
  5. Visualize topology: Use the Dashboard to understand agent relationships
