Published on

Managing the Agentic Blast Radius in Multi-Agent Systems(OWASP 2026)

Authors
  • avatar
    Name
    Parminder Singh
    Twitter

The most complex risks in the 2026 OWASP list are not about a single bad action, but about how agents exist over time, interact with each other, and propagate behavior across systems. Unchecked blast radius occurs when probabilistic agent behavior becomes persistent, trusted, and shared across systems. This post continues from my previous two pieces on Loss of Intent as a Failure Mode in OWASP's Agentic AI Risks (Part 1) and Identity and Execution Risks in Agentic AI (Part 2) and is the final part of the series.

Photo by Thomas Park on Unsplash
Photo by Thomas Park on Unsplash

The following OWASP vulnerabilities fall into this category:

  • ASI-07: Inter-Agent Communications
  • ASI-08: Cascading Failures
  • ASI-09: Human-Agent Trust Exploitation

ASI-07: Inter-Agent Communications

Multi-agent systems depend on constant coordination via APIs and message buses. Failures occur when agents implicitly trust messages from their peers without sufficient validation of who is speaking, why the message exists, or whether it is still valid.

In practice, most inter-agent communication is already encrypted and authenticated (hopefully) but the real challenge is semantic trust. A compromised agent with valid credentials can still issue misleading or stale instructions that peers treat as valid/authoritative.

Inter-agent traffic must be treated as Zero Trust at the intent layer. Agents should validate not only identity, but also intent age/freshness, capability claims, and the authority under which a peer is making a request. Otherwise, a single compromised agent can "lie" to its peers and trigger system-wide actions that appear legitimate but are contextually wrong.

ASI-08: Cascading Failures

A cascading failure is the propagation and amplification of an initial fault across a network of agents. Because agents plan and act autonomously, a failure that is persisted, shared, or trusted across agents can bypass localized safeguards and influence the system at scale.

E.g., a market analysis agent ingests a poisoned research report stating a stock is crashing. It sends a "High Risk" alert to a Position Agent, which automatically liquidates holdings and notifies a Finance Agent of a "Critical Hedge" requirement. The Finance Agent then generates a rationale that persuades a human operator to approve the transaction.

Basically, because the state is saved and propagated, the failure persists across sessions until an out-of-band intervention halts the agents.

Containment must be a first-class design goal. Out-of-band circuit breakers in the infrastructure layer should monitor signals that point to anomalous behavior (extranuous number of messages, API call volume, specific metrics, etc.) and be able to pause or isolate agents without relying on their respons. E.g. in the above case a circuit breaker can be triggered by the Finance Agent and the Position Agent can be paused to prevent the cascading failure.

ASI-09: Human-Agent Trust Exploitation

This is the social dimension of blast radius. Agents establish trust through fluency, confidence, and perceived expertise. Attackers exploit this by positioning an agent as a "trusted advisor" that influences a human to execute a destructive action. E.g.approving a fraudulent wire transfer or infrastructure change. Because the final action is human-approved, the agent's role often disappears from audit. The system records a legit human decision, masking the upstream manipulation.

Trust must be deliberately calibrated. High-impact recommendations should be visually flagged with confidence-weighted scores, explicit uncertainty, and clear source provenance. The goal is to reduce automation bias, where humans over-trust an agent's plausible-sounding rationale and unknowingly act as the execution vector.

Mitigations Summary

If I were to summarize the key mitigations for the OWASP Top 10 vulnerabilities in agentic systems, here's a list.

  • Intent must be explicit and enforceable. Goals should be clearly defined, ranked, and continuously validated at runtime.
  • Agent memory must expire by default and be treated as cache. E.g. L1 for short-term session context, L2 for validated, human-approved actions, L3 for cold historical logs.
  • Trust and authorization must be continuously renewed, like IAM. Agents should not operate with standing privileges.
  • Capabilities must be constrained at runtime, not just declared at design time. Tool access, code execution, and side effects must be mediated by runtime policy enforcement that validates whether an action is valid in the current context and sequence.
  • Execution must be isolated with minimal blast radius. LLM-generated code and agent actions should run in ephemeral, network-isolated environments.
  • Inter-agent communication must follow Zero Trust principles. No implicit trust.
  • Containment must exist outside the agent control plane. Systems should include out-of-band circuit breakers and kill switches capable of pausing or isolating agents based on infrastructure-level signals
  • Supply chain dependencies must be explicit, signed, and verifiable. Tools, MCP servers, plugins, and prompt templates should be tracked via an AIBOM.
  • Human-in-the-loop must be treated as a control surface and shoudn't be relied upon blindly. High-impact actions should include confidence scores, uncertainty indicators, and audited to reduce automation bias.
  • Observability must be independent of agent reasoning. Infrastructure-level logs should allow to verify agent behavior even when internal reasoning logs are incomplete/missing.