The Multi-Agent Security Blind Spot: Why Per-Message Monitoring Cannot Stop Distributed Attacks
OpenAI's Codex quietly started encrypting sub-agent prompts (GitHub issue, 215 HN points, 134 comments). The same day, two arXiv papers landed that explain why: (1) 'When Local Monitors Miss Compositional Harm' proves that splitting a harmful payload across agents in a multi-agent system defeats any monitor that checks messages one at a time — every local check passes while the assembled attack succeeds. (2) 'Agent Hacks Agent' introduces automated red-teaming specifically for production agents like Claude Code and Codex, acknowledging that current safety testing can't keep pace with deployed agents operating over untrusted content. Meanwhile, Nous Research (maker of Hermes agents) is in talks for $1.5B valuation — agents are being commercialized faster than they can be secured. Nobody has connected these threads into a single thesis: the multi-agent security model is fundamentally broken, and the industry knows it.
The Multi-Agent Security Blind Spot: Why Per-Message Monitoring Cannot Stop Distributed Attacks
Here is what the market sees: Nous Research, maker of the open-source Hermes agent, is in talks for funding at a $1.5 billion valuation 1. Robot Ventures and USV are leading the round. Agents are being commercialized at a pace that rewards capability and ignores fragility.
Here is what the market missed: on the same day that funding story broke, two research papers landed on arXiv that formally prove the dominant approach to AI safety monitoring has a structural hole 2.
Think of it this way. Airport security screens each bag individually. Split a bomb across five suitcases and each piece looks like a phone battery, a coil of wire, a clock. No bag fails inspection. The assembled device is the threat. This is the exact problem Yibo Hu and Ren Wang formalized for multi-agent AI systems, and they proved it is not a solvable detection problem at the local level 2.
They call it an "observability boundary" 2. A runtime monitor that checks each agent message, tool call, or step in isolation can only catch what it can distinguish from benign traffic in that single view. If a harmful payload is split across agents so that each fragment looks ordinary, the monitor is blind by construction. Their proof is absolute: once fragments look benign in the monitored view, "no detector on that view can catch them, however strong it is"
2.
The experiments confirm the theory collapses cleanly. Local monitors lost the attack signal exactly as local evidence disappeared 2. But a monitor trained only on benign traffic could still recover the attack's code structure at 0.874 mean AUROC when given the assembled view
2. A "decoded-view gate" that sees the reassembled payload, given the encoding family, blocked every tested attack
2. The signal exists. It just lives at a level the current architecture cannot see.
Their conclusion, stated without hedging: "Local safety is not global safety when harm is compositional" 2.
Xutao Mao, Xiang Zheng, and Cong Wang arrive at the same frontier from the offensive side. They built AHA, an automated red-teaming system that discovers reusable vulnerabilities in production agents including Claude Code and Codex 3. Their framing is itself an admission: production agents "operate over untrusted content, files, commands, and workspace state, making safety failures directly actionable," and existing testing cannot keep pace
3. Their Vulnerability Concept Graph outperforms the strongest frozen baseline by 14.2 percentage points and transfers across scenarios and attack channels
3. The vulnerabilities are structural. They repeat across models.
Both papers describe the same shape of failure from different directions. The safety apparatus is built for a world of single messages, and the attacks operate across messages.
OpenAI's engineering choices make the picture sharper. On June 5, 2026, the company merged a pull request into Codex that encrypts all sub-agent communication payloads 4. When one Codex agent delegates a task to another, the message between them is now stored as ciphertext
4. A GitHub issue filed June 13 reported the change as a regression: the audit trail for sub-agent communication had gone dark, and an engineer reviewing a system after the fact could not see what task a child agent was given or why a sub-agent thread existed without decrypting the payload
4. The reporter acknowledged the encryption as "privacy hardening" but flagged the cost
4. OpenAI has not publicly responded
4.
This is where the threads converge. If per-message monitoring is the dominant safety approach, and Hu and Wang proved it has a blind spot for compositional attacks, and OpenAI just encrypted the messages so that even the local view is now opaque, the monitoring window narrows in two directions at once. The architecture loses visibility at the assembled level by mathematical proof and at the message level by engineering choice.
The fix, as Hu and Wang's experiments suggest, requires cross-agent visibility into reassembled payloads 2. That is a fundamentally different architecture from what most teams have built. It may require decrypting the very payloads OpenAI just encrypted.
Meanwhile, Nous Research is raising at $1.5 billion 1. Hermes agents run autonomously on desktops and cloud servers, with hosted tiers from $20 to $200 a month
1. The investors writing checks are pricing in agent capability. The research is pricing in agent fragility.
The multi-agent security model is not underfunded or under-researched. It is structurally incomplete. The proof is on arXiv. The market has not noticed.