Cloud Security Alliance Framework

The MAESTRO Framework for AI Agent Security

Seven layers of security for multi-agent systems. From infrastructure to oversight.

OWASP secures the agent. MAESTRO secures the system. This is our canonical reference for applying the framework to real agent architectures.


The Security Stack

Seven Layers. Every Threat Surface.

MAESTRO decomposes multi-agent security into distinct layers, each with its own threat profile. Miss any one and you leave a gap that attackers — or just bugs — will find.

Layer 1

Foundational Infrastructure

Compute, networking, and platform security scoped to agent workloads. Agent workloads are dynamic — they spin up, scale, and make unpredictable calls — so your infrastructure must accommodate that dynamism without opening blast radius. Data classification drives where each agent runs; the deployment topology itself is a security control.

In Practice

A data pipeline processes information at multiple classification levels. Collection agents that touch external sources run in isolated cloud compute. Analysis agents processing sensitive outputs run exclusively on local infrastructure. The deployment topology isn't a cost optimization — it's a security control. Data classification drives where each agent is permitted to execute, and infrastructure policy enforces it.

Layer 2

Agent Identity & Authentication

Cryptographically verifiable identities with scoped permissions, session management, and credential rotation for every agent. When Agent B receives an instruction, it must verify it actually came from Agent A — not from a prompt injection. Without agent-to-agent authentication, you have trust assumptions, not trust boundaries.

In Practice

In a multi-team agent architecture, each agent team has a distinct identity scope. A research agent can request data from a collection agent, but only if its identity token carries the correct team membership and classification clearance. The identity isn't self-asserted — it's verified by the orchestration layer before any inter-agent message is routed. Impersonation requires compromising the identity infrastructure, not just crafting a convincing prompt.
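The orchestrator-side check described above, written out as an added example (not code from the page or from any product it describes). It assumes a shared-secret HMAC scheme, a constructed team-to-key table and a constructed clearance ordering in place of a real PKI or token service; the point is that team and clearance claims are bound to the message by a key the sending agent's prompt cannot produce.

```python
import hmac, hashlib, json, time

# Constructed example: a shared-secret HMAC stands in for whatever token or
# PKI infrastructure a real deployment issues per agent team.
TEAM_KEYS = {
    "research": b"research-team-key-constructed",
    "collection": b"collection-team-key-constructed",
}
# Clearance levels in increasing order of sensitivity (constructed).
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}
MAX_SKEW_SECONDS = 300  # replay window, constructed value

def _canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def sign_message(sender, team, clearance, payload, key, ts=None):
    """Sending side: identity claims plus payload, MAC'd with the team key."""
    body = {"sender": sender, "team": team, "clearance": clearance,
            "ts": ts if ts is not None else int(time.time()), "payload": payload}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def route(message, required_team, required_clearance, now=None):
    """Orchestrator side: run before any inter-agent message is routed.
    Returns (accepted, reason). Claims are only trusted after the MAC checks."""
    claims = {k: v for k, v in message.items() if k != "mac"}
    key = TEAM_KEYS.get(claims.get("team"))
    if key is None:
        return False, "unknown team"
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("mac", "")):
        return False, "bad signature"          # claims or payload were altered
    now = now if now is not None else int(time.time())
    if abs(now - claims["ts"]) > MAX_SKEW_SECONDS:
        return False, "stale message"          # outside the replay window
    if claims["team"] != required_team:
        return False, "wrong team"
    if CLEARANCE.get(claims["clearance"], -1) < CLEARANCE[required_clearance]:
        return False, "insufficient clearance"
    return True, "ok"
```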

Layer 3

Inter-Agent Communication

Message integrity, channel encryption, and communication pattern governance for every inter-agent interaction. A compromised agent can inject instructions; an eavesdropper can extract data from inter-agent traffic. In graph-based routing architectures, the communication topology itself becomes an attack surface.

In Practice

Multiple agents analyze the same input from different perspectives — financial risk, security posture, compliance impact. Each agent's output feeds an aggregation layer. Communication controls ensure that a hallucinating financial agent can't corrupt the security agent's analysis. Each message carries a provenance chain, and the aggregation layer validates outputs independently before synthesis. A single agent failure stays contained.

Layer 4

Tool Use Governance

Runtime policy enforcement for which agents can call which tools, with what parameters, under what conditions. A prompt-injected agent with broad tool permissions is an attacker with an API key. Enforcement happens at the tool boundary, not the prompt level — because prompt-level controls can be bypassed.

In Practice

An analysis agent has database query access, but tool governance restricts it to specific tables matching its data classification level. Even if the agent's reasoning is manipulated to attempt a broader query, the tool layer rejects it before execution. The enforcement happens at the tool boundary, not at the prompt level — because prompt-level controls can be bypassed, but infrastructure-level controls can't be reasoned around.
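One way to implement the tool-boundary check in the scenario above, as an added example that is not the page's own code. It assumes a constructed table classification map, a per-table column allow-list and a row cap; the agent never hands the tool raw SQL, only structured parameters, so a manipulated prompt has nothing to reason around.

```python
from dataclasses import dataclass

# Constructed policy data: classification per table and an explicit column
# allow-list. Levels are in increasing order of sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
TABLE_CLASSIFICATION = {
    "product_catalog": "public",
    "support_tickets": "internal",
    "customer_pii": "restricted",
}
ALLOWED_COLUMNS = {
    "product_catalog": {"sku", "name", "price"},
    "support_tickets": {"ticket_id", "status", "opened_at"},
    "customer_pii": {"customer_id", "email"},
}
MAX_ROWS = 1000  # constructed cap

@dataclass(frozen=True)
class AgentIdentity:
    name: str
    clearance: str

class PolicyViolation(Exception):
    pass

def authorize_query(agent, table, columns, limit):
    """Enforced at the tool boundary: every parameter is validated against
    policy before the tool itself builds the statement."""
    if table not in TABLE_CLASSIFICATION:
        raise PolicyViolation(f"unknown table {table!r}")
    if LEVELS[agent.clearance] < LEVELS[TABLE_CLASSIFICATION[table]]:
        raise PolicyViolation(f"{agent.name} lacks clearance for {table!r}")
    bad = set(columns) - ALLOWED_COLUMNS[table]
    if bad:
        raise PolicyViolation(f"columns not permitted: {sorted(bad)}")
    if not 0 < limit <= MAX_ROWS:
        raise PolicyViolation(f"limit {limit} outside 1..{MAX_ROWS}")
    # Identifiers come only from the allow-lists above, never from free text,
    # so interpolating them here cannot introduce SQL injection.
    cols = ", ".join(sorted(set(columns)))
    return f"SELECT {cols} FROM {table} LIMIT {int(limit)}"

def is_authorized(agent, table, columns, limit):
    """Boolean wrapper for callers that only need the decision."""
    try:
        authorize_query(agent, table, columns, limit)
        return True
    except PolicyViolation:
        return False
```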

Layer 5

Data Flow Controls

Data provenance, classification tagging, and policy-enforced movement between agents, tools, and storage. Without explicit flow controls, sensitive data drifts into contexts it was never meant to reach — a collection agent's raw output in a report, an internal analysis in an external workflow. Data never crosses classification boundaries without explicit policy enforcement.

In Practice

In a pipeline architecture, collection agents are fully isolated from analysis agents. A compromised collection agent physically cannot reach analytical outputs because the data flow policy prevents it — not because we trust the agent not to try. Data never crosses classification boundaries without explicit policy enforcement. No implicit trust, no inherited permissions. Every boundary is enforced in code, auditable, and logged.

Layer 6

Orchestration Security

The orchestrator is the single highest-value target in any multi-agent architecture — compromise it and you control routing, delegation, and data flow for every agent. Securing it means protecting routing decision integrity, state management, and workflow coordination against adversarial manipulation.

In Practice

In graph-based routing architectures, agent relationships and routing paths live in a queryable database. That graph is a security-critical data store. Agents querying the graph have read-only access; modifications require human approval and are logged with full change history. The routing logic itself is treated as infrastructure, not application code — versioned, reviewed, and deployed through controlled pipelines.

Layer 7

Human Oversight & Governance

Human-in-the-loop controls, escalation paths, audit capabilities, and governance policies. MAESTRO distinguishes open-ended workflows (broad guardrails, periodic review) from directed workflows (tight monitoring, automatic circuit-breakers). Treating all agent workflows with the same oversight model is itself a security gap.

In Practice

An agent system distinguishes between open-ended workflows (research, analysis) and directed workflows (production operations, data processing). Open-ended agents operate with wider latitude but generate comprehensive activity logs reviewed on a defined cadence. Directed agents operate with tighter constraints and automatic circuit-breakers — if behavior deviates from expected patterns, execution pauses and a human is notified before the workflow continues.


Our Methodology

How We Apply MAESTRO

Frameworks describe what to secure. Methodology describes how. We apply MAESTRO through three interlocking practices that turn the seven layers into actionable architecture decisions.

STRIDE at Every Layer

We run STRIDE threat modeling — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — against each MAESTRO layer independently. The threats at the orchestration layer are fundamentally different from the threats at the tool governance layer. Generic threat models miss the layer-specific attack patterns that actually matter.

Seven layers × six threat categories = a systematic map of every threat surface in your agent architecture.

Graph-Based Trust Mapping

Agent relationships, communication paths, and trust boundaries are modeled as a queryable graph. This makes trust boundaries inspectable and auditable — you can query "which agents can reach this database?" or "what's the blast radius if this agent is compromised?" and get a precise, verifiable answer instead of a guess.

Trust boundaries become data you can query, not diagrams you hope are accurate.
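The two queries named above, "which agents can reach this data store?" and "what is the blast radius if this agent is compromised?", as an added example that is not the page's own tooling. It assumes a small constructed agent graph held in a plain dictionary rather than a graph database, with a directed edge meaning "may send to or read from", and treats transitive reachability as the conservative blast radius; it also adds an isolation check of the kind Layer 5 calls for, which on this constructed graph reports a violation.

```python
from collections import deque

# Constructed graph. Edge src -> dst means src may message or read dst.
# "db:" nodes are data stores; everything else is an agent.
EDGES = {
    "collector-web": ["orchestrator"],
    "collector-feed": ["orchestrator"],
    "orchestrator": ["analyst-finance", "analyst-security", "aggregator"],
    "analyst-finance": ["db:market_data", "aggregator"],
    "analyst-security": ["db:incident_log", "aggregator"],
    "aggregator": ["db:reports"],
}

def _adjacency():
    adj = {}
    for src, dsts in EDGES.items():
        adj.setdefault(src, set()).update(dsts)
        for d in dsts:
            adj.setdefault(d, set())
    return adj

def reachable_from(start):
    """Blast radius: every node an attacker holding `start` can reach,
    following permitted edges transitively (breadth-first search)."""
    adj = _adjacency()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def who_can_reach(target):
    """Inverse query: every node with a path to `target`."""
    return {n for n in _adjacency() if n != target and target in reachable_from(n)}

def check_isolation(forbidden_pairs):
    """Policy assertion: return the (src, dst) pairs whose isolation is
    violated by some path in the graph. Empty list means the policy holds."""
    return [(s, d) for s, d in forbidden_pairs if d in reachable_from(s)]
```

Running `check_isolation([("collector-web", "db:reports")])` on this graph returns the pair, because a collector can reach the reports store through the orchestrator and aggregator; that is exactly the finding a diagram would hide and a query exposes.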

Classification-Aware Deployment

Data classification drives every deployment decision. Where agents run, what they can access, and how they communicate is determined by the sensitivity of the data they handle — not by what's convenient or cost-effective. Cloud, on-prem, or hybrid: the architecture adapts to the classification, not the other way around.

Your data sensitivity determines the architecture. Your vendor's preference doesn't.

Map Your Agent Architecture Against MAESTRO

We'll walk through your multi-agent system layer by layer, identify where your threat surface is unaddressed, and outline what a secured architecture looks like. 30 minutes. No pitch deck.

Book a Discovery Session

Or try our interactive Threat Mapper to see how these layers apply to your architecture.

Read our practitioner's guide to MAESTRO for the full breakdown.

Architectures Aligned With

CSA MAESTRO · OWASP LLM Top 10 · MITRE ATLAS · NIST AI RMF · STRIDE