How does workflow position shape attack propagation in multi-agent systems?
Explores whether a malicious signal's influence depends on its injection point in a multi-agent graph, and how task-relevant framing makes downstream agents more likely to relay it without scrutiny.
FLOWSTEER's attack works because of two structural regularities in how multi-agent workflows propagate information. First, position matters: the same malicious signal injected into a high-influence subtask propagates far more than one injected into a peripheral node, because downstream agents depend on the outputs of upstream ones. Influence is not uniform across the graph — it concentrates wherever many dependencies converge. Second, framing matters: a signal dressed in sycophantic, task-relevant language is more likely to be relayed by downstream agents, because it reads as evidence rather than as instruction. The attack aligns a malicious signal with an influential subtask and then guides replanning toward dependency patterns that preserve propagation.
These two regularities combine into propagation mechanics that any multi-agent system (MAS) designer should recognize. The pattern generalizes beyond attacks: legitimate signals also gain or lose influence by position, and any framing that mimics evidence will be over-trusted downstream. The counterpoint is that replanning introduces instability, since a manipulated prompt may cause the planner to regenerate roles and dependencies, but FLOWSTEER turns even this into an asset by expressing propagation-favorable dependency patterns as natural-language guidance. This matters because it tells us where to harden: not every node equally, but the high-influence positions, and not every input equally, but those whose framing borrows the authority of evidence.
— "FLOWSTEER: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems", https://arxiv.org/abs/2605.11514
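To make "harden the high-influence positions" concrete, the following added example (not code from the FLOWSTEER paper or from this note's source) ranks the subtasks of a workflow by how many other subtasks transitively consume their output. The workflow graph, the node names and the use of downstream reach as a stand-in for influence are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed workflow: each key is a subtask, each value lists the subtasks
# whose outputs it consumes. All names are hypothetical.
DEPENDS_ON = {
    "plan": [],
    "retrieve_docs": ["plan"],
    "retrieve_code": ["plan"],
    "summarize": ["retrieve_docs", "retrieve_code"],
    "style_check": ["plan"],
    "write_patch": ["summarize"],
    "write_tests": ["summarize"],
    "final_report": ["write_patch", "write_tests", "style_check"],
}

def downstream_reach(depends_on):
    """Map each node to the set of nodes that transitively consume its output."""
    consumers = defaultdict(set)
    for node, inputs in depends_on.items():
        for src in inputs:
            consumers[src].add(node)
    reach = {}

    def visit(node, stack=()):
        if node in stack:  # a planner should never emit a cyclic workflow
            raise ValueError(f"dependency cycle at {node}")
        if node not in reach:
            found = set()
            for consumer in consumers[node]:
                found |= {consumer} | visit(consumer, stack + (node,))
            reach[node] = found
        return reach[node]

    for node in depends_on:
        visit(node)
    return reach

def hardening_order(depends_on):
    """Rank nodes by the share of other nodes that inherit their output."""
    reach = downstream_reach(depends_on)
    others = max(len(depends_on) - 1, 1)
    scored = [(len(r) / others, n) for n, r in reach.items()]
    ranked = sorted(scored, key=lambda t: (-t[0], t[0] and t[1] or t[1]))
    return [(n, round(s, 2)) for s, n in ranked]

if __name__ == "__main__":
    for node, share in hardening_order(DEPENDS_ON):
        print(f"{node:14s} reaches {share:.0%} of other subtasks")
```

In this constructed graph `style_check` sits at the same depth as the two retrieval subtasks but reaches far fewer consumers, which is the peripheral-versus-influential distinction the note describes; review and input validation effort goes to the top of the ranking first.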
Related concepts in this collection
- When does adding more agents actually help systems?
  Multi-agent systems often fail in practice, but the reasons remain unclear. This research investigates whether coordination overhead, task properties, or system architecture determine when agents improve or degrade performance.
  both find that topology determines how signals (errors or attacks) amplify across a multi-agent graph
- Can one compromised agent corrupt an entire multi-agent network?
  Explores whether a single biased agent can spread behavioral corruption through ordinary messages to downstream agents without any direct adversarial access. Matters because it reveals a previously unknown vulnerability in how multi-agent systems communicate.
  shares the relay-propagation mechanism where downstream agents pass along bias they did not originate
Original note title
workflow position amplifies or suppresses malicious signals and sycophantic framing makes downstream agents relay them