Subscribe to the Non-Human & AI Identity Journal

Cross-Agent Propagation

Cross-agent propagation is the spread of compromised context, instructions, or decisions from one agent to others through trusted internal exchanges. It turns a single manipulated actor into a coordination risk, because downstream systems may treat the original output as valid input without sufficient verification.

Expanded Definition

Cross-agent propagation describes a failure mode in multi-agent systems where one agent’s compromised context, instructions, or conclusions are trusted by other agents and reused without enough validation. In practice, this can happen through shared memory, message buses, delegated tool outputs, or orchestration layers that assume internal traffic is already safe. The result is not just a single bad action, but a chain of reinforced mistakes that can spread quickly across autonomous workflows. This matters most in NHI security because the agents behind those workflows often depend on service accounts, API keys, and other secrets that can be reused across systems.

Industry usage is still evolving, but the control concern is clear: each agent needs to treat inbound context as untrusted unless it has been authenticated, scoped, and policy-checked. That aligns with guidance in the OWASP Top 10 for Agentic Applications 2026 and with NIST’s broader risk-based approach in the NIST AI Risk Management Framework. The most common misapplication is treating internal agent-to-agent handoffs as inherently trustworthy, which occurs when orchestration teams assume a private network removes the need for content validation and provenance checks.

Examples and Use Cases

Implementing cross-agent controls rigorously often introduces extra latency and governance overhead, requiring organisations to weigh faster automation against stronger validation and traceability.

  • A scheduling agent receives a poisoned instruction set from a planning agent and forwards it to a billing agent that executes the altered action without checking provenance.
  • An analyst agent summarizes a malicious prompt injection, and a downstream remediation agent treats the summary as authoritative instead of re-reading the original evidence.
  • A code-generation agent shares tool output through a message bus, and another agent uses that output to update infrastructure with overbroad privileges tied to a reused secret.
  • A customer-support agent passes ticket context to an escalation agent, but the original context included hidden instructions that change the priority and routing of the case.
  • A compromised NHI used by one agent becomes a propagation path for others when shared credentials and shared memory allow the same trusted channel to be reused across workflows, a pattern frequently discussed in the OWASP NHI Top 10 and in the MITRE ATLAS adversarial AI threat matrix.

Why It Matters in NHI Security

Cross-agent propagation turns one compromised execution path into a broader identity and control-plane event. When agents share credentials, cached context, or delegated authority, a single trusted but poisoned message can expand into unauthorized access, incorrect decisions, and hard-to-trace incident scope. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes propagation risk especially dangerous in agentic environments where those identities are already acting on behalf of systems rather than people. The NHI Mgmt Group has also reported that 97% of NHIs carry excessive privileges, a condition that amplifies the blast radius when bad instructions spread from one agent to another.

Governance teams need to pair provenance checks with least privilege, context isolation, and explicit re-validation at every agent boundary. The operational lesson is simple: internal trust should never substitute for verification, especially when the trusted sender is itself software acting under delegated authority. Organisaties typically encounter cross-agent propagation only after a downstream agent repeats a compromised decision at scale, at which point the term becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Addresses agentic workflows where unsafe handoffs and trusted context can propagate across agents.
OWASP Non-Human Identity Top 10 NHI-02 Covers secret misuse and identity-driven compromise paths that enable cross-agent spread.
NIST AI RMF Uses risk governance to manage model and workflow failures that cascade through agent systems.

Validate every agent-to-agent handoff and reject inherited instructions without provenance checks.