Sentinel Agents for Secure and Trustworthy Agentic AI in Multi-Agent Systems
Diego Gosmar 1,2, Deborah A. Dahl 3,2
Published on arXiv: 2509.14956
Prompt Injection (OWASP LLM Top 10: LLM01)
Excessive Agency (OWASP LLM Top 10: LLM08)
Key Finding
Sentinel Agents successfully detected all 162 synthetic attack attempts across three attack families in a simulated multi-agent travel planning scenario, confirming practical feasibility of the distributed monitoring approach.
Novel technique introduced: Sentinel Agents
This paper proposes a novel architectural framework aimed at enhancing security and reliability in multi-agent systems (MAS). A central component of this framework is a network of Sentinel Agents, functioning as a distributed security layer that integrates techniques such as semantic analysis via large language models (LLMs), behavioral analytics, retrieval-augmented verification, and cross-agent anomaly detection. Such agents can potentially oversee inter-agent communications, identify potential threats, enforce privacy and access controls, and maintain comprehensive audit records. Complementary to the idea of Sentinel Agents is the use of a Coordinator Agent. The Coordinator Agent supervises policy implementation and manages agent participation. The Coordinator also ingests alerts from Sentinel Agents. Based on these alerts, it can adapt policies, isolate or quarantine misbehaving agents, and contain threats to maintain the integrity of the MAS ecosystem. This dual-layered security approach, combining the continuous monitoring of Sentinel Agents with the governance functions of Coordinator Agents, supports dynamic and adaptive defense mechanisms against a range of threats, including prompt injection, collusive agent behavior, hallucinations generated by LLMs, privacy breaches, and coordinated multi-agent attacks. In addition to the architectural design, we present a simulation study where 162 synthetic attacks of different families (prompt injection, hallucination, and data exfiltration) were injected into a multi-agent conversational environment. The Sentinel Agents successfully detected the attack attempts, confirming the practical feasibility of the proposed monitoring approach. The framework also offers enhanced system observability, supports regulatory compliance, and enables policy evolution over time.
Key Contributions
- Dual-layered security architecture pairing distributed Sentinel Agents (semantic analysis, behavioral analytics, anomaly detection) with a Coordinator Agent for policy enforcement and threat containment in multi-agent LLM systems
- Layered monitoring deployment patterns (sidecar, proxy, continuous-listener, hybrid) for integrating security oversight into heterogeneous MAS without redesigning individual agents
- Simulation study with 162 synthetic attacks across prompt injection, hallucination, and data exfiltration families, demonstrating successful detection by Sentinel Agents in a conversational multi-agent environment