Isolate agents and their memory and state so that compromise or failure of one agent cannot propagate to others, and enforce segmentation of agent-to-agent communication.
Multi-Agent Isolation and Segmentation
CCC.MARefArc.CN14 · PREV
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CP19 | MCP-interaction zero-trust guardrails | Enforces authentication and authorization for every MCP request and governs which agents may use which tools, applying rate limits and validating tool-call parameters. |
| CCC.MARefArc.CP07 | Unified sandboxed agent runtime | Secure, sandboxed environment where all agentic reasoning and execution occurs, providing task state management for pause/resume/handoff and intercepting and validating tool calls with credentials handled securely within the sandbox. |
| CCC.MARefArc.CP08 | Built-in trusted tools | A collection of bundled, trusted tools providing fundamental capabilities: the MCP client bridge to the external MCP layer, a sandboxed shell, workspace I/O, and web search. |
| CCC.MARefArc.CP09 | Agent memory | Short-term in-session context management (trimming and summarization to control length, cost, and latency) and durable long-term memory across sessions, including session summaries and user/task personalization. |
| CCC.MARefArc.CP11 | Adaptive learning | Generates learning signals based on execution outcomes to refine prompts, adjust agent configurations, or improve tool-selection strategies. |
| CCC.MARefArc.CP06 | Agent collaboration and orchestration patterns | Supports supervisor/worker decomposition, skills-based routing, and agent-as-a-tool handoff for decomposing and executing complex tasks across multiple agents. |
| CCC.MARefArc.CP03 | Agent registry and lifecycle management | Catalog of available agents with their capabilities, metadata, and configuration, supporting versioning, lifecycle management, and controlled onboarding of new agents. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.TH27 | Authorization bypass and tool-chain privilege escalation | Agents discover and invoke API endpoints outside their use case, chain individually authorized calls into unauthorized outcomes, circumvent segregation-of-duties workflows, or experience permission creep during operation, defeating intended authorization boundaries. |
| CCC.MARefArc.TH30 | Agent memory and state poisoning | Injected instructions or corrupted reasoning patterns are written into agent short- or long-term memory, learned behaviours are corrupted over repeated exposure, state storage is attacked directly, and malicious instructions persist across sessions and users. |
| CCC.MARefArc.TH31 | Multi-agent collaboration compromise | Malicious or compromised agents inject harmful data into agent-to-agent channels, contaminate shared resources, impersonate higher-privilege agents, inherit privileges through interaction, or propagate cascade failures across dependent agents. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.MARefArc.CN14.AR01 | Each agent's runtime, memory, and workspace MUST be isolated such that one agent cannot read or modify another's state without authorization. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.MARefArc.CN14.AR02 | Agent-to-agent communication MUST be authenticated and segmented to prevent privilege inheritance and cascade failures. | tlp-clear, tlp-green, tlp-amber, tlp-red |
Guideline Mappings
| Framework | ID | Remarks |
|---|---|---|
| finos-air | AIR-PREV-022 | |