Why multi-agent AI security is broken (and the identity patterns that actually work)

Last Tuesday, a “harmless” coding agent in staging opened a PR, fetched secrets from the wrong environment, and kicked off a deploy it was never supposed to touch. Nothing “hacked” us. The agent did exactly what the system allowed. That’s the part I think a lot of teams miss with multi-agent setups: the problem usually isn’t model quality. It’s identity. Once you have more than one agent — planner, coder, reviewer, deployer, support bot, whatever — you need answers to very boring questions: Who is this agent, exactly? What is it allowed to do? Can it act on behalf of someone else? How do we prove what happened later? If you don’t answer those, your “AI fleet” becomes a shared root account with vibes. The pattern that breaks first: shared credentials A lot of agent systems still look like this: Agent A ----\ Agent B -----+----> same API key / same GitHub token / same MCP access Agent C ----/ It works great until: one agent gets prompt-injected one workflow needs narrower permissions you