Securing LangGraph Multi-Agent Workflows: How to Enforce Tool-Level Permissions

via Dev.to / CogniWall

If you are building multi-agent systems with LangGraph, you have almost certainly hit a glaring architectural wall: once one agent hands work to another, there isn't a great default story for scoped delegation and tool-level enforcement. In a standard setup, you give your Large Language Model (LLM) access to a tool, and suddenly it has unrestricted "God Mode" over that function.

It is an unsettling realization. Let's say you have a SupervisorAgent that delegates a customer service task to a BillingAgent. How do you ensure the BillingAgent doesn't hallucinate an extra zero on a refund, or get manipulated by a prompt injection attack passed implicitly through the user's initial message?

Right now, developers usually fall into three distinct camps:

Application-level checks only: Relying entirely on basic system prompts ("You are a helpful assistant. Do not refund more than $50.") and praying the probabilisti
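The refund scenario above, as an added example that is not code from the article or from LangGraph: the SupervisorAgent hands the BillingAgent a delegation scope, and the tool layer, not the system prompt, rejects any call outside that scope. DelegationScope, guarded_call, the tool registry and the order ledger are hypothetical stand-ins constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, Tuple

class PermissionDenied(Exception):
    """Raised by the tool layer, not the model, when a call falls outside the delegated scope."""

@dataclass(frozen=True)
class DelegationScope:
    """What a SupervisorAgent hands to a delegate: the tools it may call and a per-call
    refund ceiling. Hypothetical type for illustration, not a LangGraph primitive."""
    principal: str
    allowed_tools: frozenset
    max_refund: "Decimal | int | str" = 0

# Constructed order ledger standing in for a real billing backend.
LEDGER = {"order-1001": Decimal("120.00")}

def issue_refund(order_id: str, amount: Decimal) -> Decimal:
    """Raw tool: it trusts its arguments completely, which is the 'God Mode' problem."""
    LEDGER[order_id] -= amount
    return LEDGER[order_id]

def check_refund(scope: DelegationScope, kwargs: dict) -> dict:
    """Validate refund arguments against the scope; returns normalised kwargs or raises."""
    amount, limit = Decimal(str(kwargs["amount"])), Decimal(str(scope.max_refund))
    if amount <= 0 or amount > limit:  # catches the hallucinated extra zero
        raise PermissionDenied(f"refund {amount} outside limit {limit}")
    if kwargs["order_id"] not in LEDGER:
        raise PermissionDenied(f"unknown order {kwargs['order_id']}")
    return {"order_id": kwargs["order_id"], "amount": amount}

# Tool registry: each entry pairs the tool with the policy check that gates it.
TOOLS: Dict[str, Tuple[Callable, Callable]] = {"issue_refund": (issue_refund, check_refund)}

def guarded_call(scope: DelegationScope, tool_name: str, **kwargs):
    """Enforcement point every delegate tool call passes through; the prompt plays no part."""
    if tool_name not in scope.allowed_tools or tool_name not in TOOLS:
        raise PermissionDenied(f"{scope.principal} may not call {tool_name}")
    tool, check = TOOLS[tool_name]
    return tool(**check(scope, kwargs))

def attempt(scope: DelegationScope, tool_name: str, **kwargs) -> Tuple[str, object]:
    """Wrapper returning ('ok', result) or ('denied', reason), suitable for audit logging."""
    try:
        return "ok", guarded_call(scope, tool_name, **kwargs)
    except PermissionDenied as exc:
        return "denied", str(exc)
```

Calling `attempt(DelegationScope("BillingAgent", frozenset({"issue_refund"}), 50), "issue_refund", order_id="order-1001", amount="450.00")` is denied before the ledger is touched, whereas a 45.00 refund goes through.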

Continue reading on Dev.to
