Capability intent Maturity levels Common issues to watch for

Secure multi-agent orchestration

Multi-agent systems introduce coordination challenges that don't exist in single-agent architectures. Agents need to discover peers, share capabilities, delegate tasks, and exchange context across trust boundaries. Without proper identity verification and communication security, agent impersonation and message tampering can affect entire multi-agent workflows. Standardized protocols like Agent-to-Agent (A2A) and Model Context Protocol (MCP) provide interoperability across frameworks, but organizations must layer security controls on top of these protocols to maintain trust boundaries.

AGENTSEC06: How do you secure multi-agent orchestration and coordination?

Capability intent

Agents are segmented into trust zones based on role, capability, and risk profile, and inter-zone communication flows only along documented paths enforced at both the network and the application layer.
Inter-agent messages that cross trust boundaries or traverse intermediary services are signed and encrypted at the message level, so payload integrity persists beyond the transport.
Orchestration layers enforce schema validation, scoped IAM permissions, and circuit breakers, so a failure in one agent can't cascade through the workflow or divert it onto unexpected execution paths.
Coordination patterns are monitored continually against established baselines, so deviations are detected proactively rather than discovered after the fact.
Every coordination step is attributable to a verified agent identity and recorded for investigation. This includes agent card discovery (the A2A protocol mechanism by which one agent locates a peer and reads a JSON agent card describing its name, capabilities, supported skills, and authentication requirements), task delegation, and result collection.

Maturity levels

These levels summarize what each stage of maturity looks like for secure multi-agent orchestration as a whole.

Level	Name	What it looks like
1	Initial	Agents run in a flat network with no segmentation. Inter-agent messages rely on transport-level encryption alone, with no message signing or identity verification on the receiving side. Orchestration is unstructured, with broad IAM permissions on workflow APIs and no circuit breakers, and coordination patterns are not monitored.
2	Emerging	Basic network segmentation groups agents by trust tier, typically through separate security groups or Amazon VPCs. Amazon SQS server-side encryption helps protect queued messages with AWS KMS keys. AWS Step Functions orchestrates workflows with execution logging turned on, although IAM permissions remain broad and circuit breakers are not currently in place.
3	Defined	Message-level signing through AWS KMS asymmetric keys covers messages that cross trust boundaries or traverse queues and event buses, with separate keys per trust zone. Step Functions state machines are managed as code through AWS CloudFormation or the AWS Cloud Development Kit (AWS CDK), input validation and circuit breakers are in place, and AWS PrivateLink keeps cross-zone traffic on private paths.
4	Proactive	Amazon Bedrock AgentCore Runtime with A2A protocol support structures inter-agent discovery and task delegation, and Cedar policies in AgentCore Policy enforce trust boundaries at the tool layer. Coordination metrics are captured as Amazon CloudWatch custom metrics with baselines, and CloudWatch anomaly detection flags deviations. Amazon GuardDuty findings are correlated with coordination logs in AWS Security Hub CSPM.
5	Optimized	Trust boundary configurations are continuously validated through AWS Config managed and custom rules, with alerts on any configuration that creates unauthorized cross-zone connectivity. AgentCore Evaluations feed tool selection accuracy and correctness scores into coordination monitoring as an early-warning layer. Incident response runbooks for coordination anomalies are exercised regularly, and validated patterns are folded back into the organization's reference architecture.

Common issues to watch for

Multi-agent systems are deployed as a single trust zone, so an issue with any one agent can spread laterally across the entire network before the scope is understood.
Teams rely on transport-level encryption for inter-agent traffic and treat message-level signing as unnecessary, which means messages sitting in queues or event buses can't be verified at consumption time.
Orchestrator IAM permissions authorize any principal to start, stop, or modify any workflow in the account, rather than scoping access to the specific state machines each principal needs.
Monitoring covers infrastructure metrics and individual agent health but ignores coordination metrics, so inter-agent message rate spikes, unexpected communication paths, and topology changes go undetected.
Amazon GuardDuty findings and coordination logs are treated as separate data streams, leaving investigators without the context to tie an API anomaly to the specific multi-agent workflow it affected.

Best practices

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AGENTSEC05-BP02 Implement distributed tracing for agent interactions

AGENTSEC06-BP01 Encrypt and sign inter-agent messages