All About Testing

OWASP Agentic AI Threat T14: How Human Attackers Exploit Multi-Agent AI Systems

by

AI systems made of multiple agents promise efficiency and collaboration. But what happens when human attackers exploit the trust and delegation between these agents? OWASP Agentic AI Threat T14 exposes how privilege escalation and workflow manipulation can undermine the entire system.

To see how poisoned agent communication disrupts trust, check out OWASP T12: Agent Communication Poisoning.

What Are Human Attacks on Multi-Agent Systems?

Multi-agent AI systems work like teams. One agent handles research, another handles data, and another manages execution. Together, they complete complex workflows faster than a single agent could.

But this collaboration creates new attack surfaces. Humans can exploit:

  • Delegation mechanisms (when one agent passes work to another)
  • Trust relationships (assuming one agent’s outputs are always correct)
  • Workflow dependencies (where one small task unlocks bigger actions)

By manipulating these, attackers can escalate privileges, insert malicious instructions, or quietly redirect the system’s goals.

Why This Threat Matters

When human adversaries manipulate multi-agent systems, the results can be catastrophic:

  • Unauthorized access to high-privilege tools
  • Silent privilege escalation across workflows
  • Disruption of mission-critical tasks
  • Loss of data confidentiality and integrity
  • Hidden manipulation that looks “normal” in logs

Because agents trust each other by design, attackers can exploit that trust chain with surprisingly little effort.

Curious how small AI errors can snowball into dangerous outcomes? Check out OWASP T5: Cascading Hallucination Attack

How Human Attacks Work in Multi-Agent AI

1. Exploiting Delegation
Attackers trick a lower-privilege agent. They get the agent to delegate tasks upward. This allows them to gain access to tools or data they normally wouldn't.

2. Trust Abuse
Agent A must not accept Agent B’s outputs without question. If it does, an attacker only needs to compromise one. This could poison the entire system.

3. Workflow Shortcuts
Attackers manipulate early steps in a process. This sets the stage for later exploitation. They tweak inputs that cascade into privileged actions.

4. Social Engineering the AI
Attackers craft inputs that sound like trusted agent instructions. These inputs cause the system to accept malicious commands.

5. Privilege Escalation Across Agents
A compromised agent piggybacks on another’s access rights to climb the security ladder.

Real-World Example

In a financial AI system:

  • Agent A handles user queries.
  • Agent B manages transaction approvals.
  • Agent C oversees compliance logging.

An attacker manipulates Agent A into delegating an “urgent transfer” task to Agent B. Agent B assumes it’s valid and executes it. Agent C logs it as “normal.”

The attacker has effectively stolen money—by playing the agents against each other.

Why It’s Dangerous

These attacks exploit relationships, not just code. That makes them harder to detect:

  • Logs may look legitimate.
  • No single agent appears compromised.
  • The attack hides in normal delegation and trust.

It’s the classic insider problem, but distributed across multiple autonomous AIs.

What happens when AI actions leave no trace behind? Learn more in OWASP T8: Repudiation & Untraceability.

OWASP’s Recommended Mitigations

1. Restrict Agent Delegation Mechanisms

Don’t allow unrestricted hand-offs between agents. Require validation before delegation.

2. Enforce Inter-Agent Authentication

Agents must verify each other’s identities before accepting instructions or data.

3. Behavioral Monitoring

Watch for unusual delegation chains or workflow anomalies. If Agent A suddenly escalates to Agent B in an abnormal way, flag it.

4. Task Segmentation

Break workflows into smaller, verifiable steps. Prevent any one agent from unilaterally escalating privileges across the system.

5. Privilege Boundaries

Limit what each agent can access—even if another agent delegates a task. Enforce least privilege principles across the network.

Why This Threat Will Grow

As organizations adopt multi-agent ecosystems—where dozens or hundreds of AIs collaborate—the potential for attackers to exploit weak delegation grows exponentially.

Human attackers don’t need to compromise the whole system. They just need to find one weak trust link—and the rest of the chain falls.

Example Attack in Action

A malicious contractor interacts with a corporate AI system. They manipulate a low-level research agent into delegating data access to a higher-privilege analytics agent.

The analytics agent trusts the hand-off, retrieves sensitive financial data, and passes it back.

From the outside, every agent did its job correctly. But in reality, the attacker tricked the system into giving them unauthorized access.

Conclusion

OWASP Threat T14 proves that multi-agent collaboration can be turned against itself. Attackers don’t always need malware or exploits—sometimes, they just need to exploit trust.

To defend against these attacks, organizations must take multiple actions. They should restrict delegation. They must also enforce inter-agent authentication. Additionally, they need to segment workflows so that no single trick can escalate privileges unchecked.

Because when trust is abused, even your smartest AI team can become its own biggest weakness.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

Tags:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

10 Blockchain Security Vulnerabilities OWASP API Top 10 - 2023 7 Facts You Should Know About WormGPT OWASP Top 10 for Large Language Models (LLMs) Applications Top 10 Blockchain Security Issues