When Local Monitors Miss Compositional Harm: Diagnosing Distributed Backdoors in Multi-Agent Systems
Jul 14, 2026
A new preprint demonstrates that runtime monitors which check each step or message individually can fail to detect distributed backdoors in multi-agent LLM systems, where a harmful payload is split across agents so that each local check passes. The authors formalize an 'observability boundary,' proving that if fragments appear benign in the monitored view, no detector operating on that view can identify the attack. They show that while monitors trained only on benign traffic can recover attack structure (0.874 mean AUROC) and a decoded-view gate can block all tested attacks, even full-trace monitors fail unless they access the representation where the payload is exposed.
Why it matters: This work exposes a fundamental limitation in current safety monitoring for multi-agent AI systems, highlighting that local checks cannot guarantee global safety when harm is distributed across agents.
Full story at: arXiv Cryptography and Security ↗