OWASP Agentic AI Threat T12: Agent Communication Poisoning - When AI Agents Feed Each Other Lies

AI agents often need to talk to each other to get work done. But what if those conversations get poisoned with lies, bad data, or malicious instructions? OWASP Agentic AI Threat T12 shows how attackers can corrupt agent communications to disrupt decisions, workflows, and trust.

Learn OWASP Agentic AI Top 15 Threats – Complete Guide to AI Security Risks

What Is Agent Communication Poisoning?

In multi-agent AI systems, agents often collaborate—sharing data, requesting actions, or passing along intermediate results.

Agent Communication Poisoning occurs when attackers inject false or manipulated information into these communications. This manipulation tricks agents into making wrong or harmful decisions.

This isn’t just about bad inputs from humans—it’s about corrupting the AI-to-AI conversations that happen in the background.

Why This Is So Dangerous

Once poisoned, inter-agent communication can:

• Spread false information across the network
• Disrupt mission-critical workflows
• Cause agents to act against intended goals
• Trigger cascading errors in multi-step processes
• Erode trust between agents and their operators

Unlike a single bad prompt, poisoned agent communication can propagate quietly until damage is widespread.

How It Happens

1. Compromised Communication Channel
If agent messages aren’t encrypted or authenticated, attackers can intercept and modify them.

2. Malicious Agent Injection
An attacker introduces a rogue agent into the system, which feeds manipulated information to others.

3. Relay Misinformation
Even if the original source is untrusted, agents may forward its information without validation.

4. Context Manipulation
An attacker subtly alters important context in a shared task, causing downstream agents to make flawed decisions.

5. Workflow Corruption
In tightly integrated systems, a single poisoned instruction can cause multiple dependent processes to fail. These processes may also behave incorrectly.

Did you know AI-generated code can be weaponized? Learn how in OWASP T11: Unexpected RCE & Code Attacks

Real-World Example

Imagine an AI logistics system where multiple agents coordinate deliveries. A rogue agent injects false GPS coordinates into the routing agent’s messages.

• The delivery optimization agent redirects trucks to the wrong locations
• The billing agent charges incorrect accounts
• The reporting agent logs all actions as “successful”

By the time anyone notices, the system has already made dozens of costly mistakes.

OWASP’s Recommended Mitigations

1. Cryptographic Message Authentication

Ensure every message between agents is cryptographically signed. This verifies it came from a legitimate agent and wasn’t altered.

2. Communication Validation Policies

Define strict rules for what agents can share, when, and in what format. Reject messages that don’t match expected patterns or sources.

3. Multi-Agent Consensus Verification

For critical decisions, require agreement from multiple independent agents before action is taken—reducing the impact of a single compromised source.

4. Anomaly Monitoring

Monitor inter-agent communications for unusual patterns:

• Sudden message volume spikes
• Contradictory information
• Unusual data formats

5. Trust Scoring Systems

Assign trust levels to agents based on behavior and historical accuracy. Give lower-trust agents limited influence over critical tasks.

6. Segmentation & Isolation

Keep high-risk agents in separate communication zones. Don’t let them directly influence mission-critical workflows without filtering.

Signs You Might Be Under Attack

• Agents start producing inconsistent results
• Decision-making slows due to contradictory inputs
• Logs show unusual communication paths or agents you didn’t expect
• Workflow errors appear in multiple unrelated processes at once

When AI manipulates the people who trust it, the results can be devastating. Explore OWASP T15: Human Manipulation

Why This Is a Growing Problem

Agentic AI is moving toward autonomous collaboration—where agents handle complex, multi-step workflows together.

If communication poisoning is left unchecked, a single compromise can lead to system-wide failure.

The more we trust AI-to-AI communication without verification, the more we risk falling victim to this subtle but dangerous attack.

Conclusion

Agent Communication Poisoning is like spreading disinformation in a human team—but faster, quieter, and potentially more damaging.

OWASP Threat T12 warns us that trust between agents must be earned, verified, and enforced, not assumed. Because in AI systems, just like in human systems, bad communication can ruin everything.