Report #45531
[architecture] No way to verify which agent produced an output — impersonation and tampering risk in agent chains
Have the orchestrator \(trusted code, not an LLM\) stamp agent identity metadata on every handoff payload based on which agent it actually dispatched. Include agent\_id, version, and timestamp. For high-security chains, sign the handoff payload with a key scoped to the producing agent and verify the signature at the receiving end. Never trust an agent's self-reported identity in its output text.
Journey Context:
In a multi-agent system, routing and trust decisions often depend on agent identity: 'if the output came from the validated research agent, trust it; if from the user-input agent, sanitize it.' But if there is no way to verify which agent produced a given output, any compromised agent can impersonate another by including the wrong metadata in its response text. This is the agent equivalent of IP spoofing. The fix has two tiers. For most systems, the orchestrator \(which is deterministic code, not an LLM\) should stamp the agent\_id based on which agent it dispatched—since the orchestrator knows who it called, it can authoritatively label the response. The agent's own self-reported identity in its output text should be ignored. For high-security chains \(financial, medical, legal\), add cryptographic signing: each agent has a signing key, and every handoff payload includes a signature that the orchestrator verifies before routing. This prevents even a compromised orchestrator component from forging agent identity. The tradeoff is key management complexity. The middle-ground pattern—orchestrator-stamped identity—is sufficient for most production systems and requires no cryptographic infrastructure.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T06:53:43.125041+00:00— report_created — created