Can fixed pipelines eliminate planning-time attacks by sacrificing adaptive coordination?

This explores whether freezing a multi-agent system into a fixed pipeline removes the window where attacks happen during planning — and what coordination you sacrifice in exchange. The corpus suggests the trade is more favorable than it first sounds, but only against one class of attack.

The attack the question targets is real and specific. FLOWSTEER shows that a single crafted prompt can bias task assignment, roles, and routing while the workflow is still forming — before any of the artifacts that existing defenses inspect even exist, raising malicious success by up to 55% and transferring across black-box setups Can prompt injection reshape multi-agent workflow without touching infrastructure?. Worse, the damage depends on where in the graph the injection lands: signals injected into high-influence subtasks, and framed as evidence rather than instruction, propagate much farther How does workflow position shape attack propagation in multi-agent systems?. A fixed pipeline attacks exactly this — if roles and routing are predetermined, there is no planning phase for an injected prompt to reshape, and no dynamic influence-concentration for a position-aware attack to exploit.

The surprising part is how little adaptive coordination you actually lose. One study finds that roughly 80% of multi-agent performance variance comes from token budget, not coordination intelligence — the flexible self-organization we assume is doing the work mostly isn't How does test-time scaling work at the agent level?. And the production evidence runs the same direction: teams that replaced protocol-mediated, agent-chooses-the-tool designs with explicit direct function calls and one tool per agent restored determinism and killed a class of non-deterministic failures, with 85% of surveyed production teams building custom agents rather than leaning on flexible frameworks Why do protocol-based tool integrations fail in production workflows?. MAKER pushes this to its limit — extreme decomposition into minimal subtasks with voting at each step achieves million-step error-free execution, and small non-reasoning models suffice once the structure is rigid enough Can extreme task decomposition enable reliable execution at million-step scale?. So "sacrificing adaptive coordination" may cost far less capability than the framing implies.

But here is what the question almost lets you forget: a fixed pipeline closes the planning-time door without closing the message-passing door. Subliminal prompt injection propagates behavioral bias through six downstream agents using nothing but normal inter-agent messages — it carries no explicit semantic content, so it survives paraphrasing and detection defenses regardless of whether the topology was fixed or dynamic Can one compromised agent corrupt an entire multi-agent network?. The same is true for manipulation that exploits long reasoning chains: more steps mean more corruption points, independent of how the agents were wired together Are reasoning models actually more vulnerable to manipulation?. Freezing the pipeline removes the attacker's ability to redesign the workflow; it does nothing about an attacker who simply rides the channels the workflow already provides.

So the honest answer is: yes, fixed pipelines can eliminate *planning-time* attacks, and the coordination you give up is cheaper than expected — but they don't buy general safety. The corpus points toward a complementary move rather than a substitute: embedding governance directly into the runtime memory the agent consults during operation, which proved more effective than after-the-fact external policy precisely because the agent actually accessed it mid-decision Can governance rules embedded in runtime memory actually protect autonomous agents?. Structure removes one surface; runtime-resident guardrails are what cover the ones structure leaves open.