One agent corrupts shared context or memory that other agents depend on; the poison propagates laterally through the agent ecosystem, producing cascading decision failures and regulatory violations.
Shared state poisoning occurs when multiple agents read from and write to a shared data store (context store, vector database, knowledge base, memory system) and one agent corrupts that shared state. Downstream agents consume the poisoned state and propagate the corruption.
In a single-agent system, state corruption is a localized problem: the agent consumes corrupt data, produces incorrect output, and the error is detected at that one point. In a multi-agent system, state corruption is contagious: Agent A corrupts shared state; Agent B consumes the poison; Agent C consumes Agent B's output plus the poisoned shared state; and the latency between corruption and detection grows with every hop.
In regulated industries, shared state poisoning creates audit trail problems. When regulators investigate, they find decisions made on corrupt data. The institution appears to have made absurd decisions, when the actual error was data corruption that propagated through the system.
A large asset management firm operates an agentic portfolio management system where multiple agents contribute to portfolio decisions. Agents read and write to a shared portfolio state database: Market-Monitor updates market prices, Risk-Agent updates risk metrics, Compliance-Agent updates holdings restrictions, Position-Manager updates position targets.
At 2:47 PM on a trading day, the market data feed hiccups and delivers an erroneous price for Apple Inc. (AAPL): it reports $89.34 when the current price is $189.34 (the leading 1 has been dropped). Market-Monitor receives this price and writes it to the shared portfolio database.
Risk-Agent runs a portfolio risk calculation using the poisoned AAPL price. The calculation is wrong: AAPL's actual weight in the portfolio is much higher than the calculation reflects, because the price is recorded at less than half its real value. Position-Manager reads the poisoned data and decides to increase AAPL holdings because the risk-adjusted return appears favorable. Compliance-Agent relies on Risk-Agent's output and approves the position increase as "within approved concentration limits."
By the time the market data feed error is detected and corrected (30 minutes later), the position has been increased by 100,000 shares of AAPL. At the corrected price, AAPL concentration has spiked to 8.5% of the portfolio, exceeding the fund's 7% concentration limit. The firm must unwind the position quickly, incurring transaction costs and market impact. The SEC investigates whether the firm has adequate controls for market data integrity and for agent decision-making on poisoned data.
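The propagation chain above, as an added example that is not part of the original page: a toy shared portfolio store that the four agents read and write, run once without integrity checks (the poison flows Market-Monitor → Risk-Agent → Position-Manager → Compliance-Agent and the concentration limit is breached once the feed is corrected) and once with a write-time plausibility guard that quarantines the implausible tick and records provenance for audit. The holdings, the 20% tick-jump threshold, the 5% top-up target and the feed names are constructed assumptions; only the prices, the 100,000-share increase and the 7% limit come from the scenario.

```python
"""Shared-state poisoning demo (added example; numbers and thresholds constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

CONCENTRATION_LIMIT = 0.07   # fund's 7% single-name limit (from the scenario)
TARGET_WEIGHT = 0.05         # assumed: Position-Manager tops up names weighted below 5%
MAX_TICK_JUMP = 0.20         # assumed: a >20% move vs the last validated price is quarantined
TOPUP_SHARES = 100_000       # the increase described in the scenario


@dataclass
class PriceEntry:
    price: float
    writer: str       # agent that wrote the value (provenance)
    source: str       # upstream feed the agent got it from
    validated: bool   # False if the write failed the integrity check


@dataclass
class SharedPortfolioState:
    """The shared store every agent reads from and writes to."""
    holdings: Dict[str, int]            # ticker -> shares (constructed)
    other_assets_value: float           # constructed: everything not modelled per ticker
    guarded: bool = True
    prices: Dict[str, PriceEntry] = field(default_factory=dict)
    quarantine: List[PriceEntry] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def write_price(self, ticker: str, price: float, writer: str, source: str) -> bool:
        """Market-Monitor's write path. With guards on, an implausible tick is quarantined
        and the last validated price stays in place for downstream readers."""
        entry = PriceEntry(price, writer, source, validated=True)
        prev = self.prices.get(ticker)
        if self.guarded and prev is not None:
            jump = abs(price - prev.price) / prev.price
            if jump > MAX_TICK_JUMP:
                entry.validated = False
                self.quarantine.append(entry)
                self.audit_log.append(
                    f"QUARANTINE {ticker}={price:.2f} from {writer}/{source}: "
                    f"{jump:.0%} move vs validated {prev.price:.2f}")
                return False
        self.prices[ticker] = entry
        self.audit_log.append(f"WRITE {ticker}={price:.2f} by {writer} ({source})")
        return True

    def weight(self, ticker: str, extra_shares: int = 0) -> float:
        """Risk-Agent's concentration calculation on whatever the store currently holds;
        extra_shares lets Compliance-Agent project the post-trade weight."""
        shares = {**self.holdings, ticker: self.holdings[ticker] + extra_shares}
        total = self.other_assets_value + sum(
            shares[t] * self.prices[t].price for t in shares)
        return shares[ticker] * self.prices[ticker].price / total


def run_scenario(guarded: bool) -> dict:
    """Replay the 2:47 PM incident against a guarded or unguarded shared store."""
    state = SharedPortfolioState(holdings={"AAPL": 300_000},
                                 other_assets_value=800_000_000.0, guarded=guarded)
    state.write_price("AAPL", 189.34, "Market-Monitor", "feed-A")   # validated baseline
    state.write_price("AAPL", 89.34, "Market-Monitor", "feed-A")    # the bad tick

    # Downstream agents consume the same shared state in sequence.
    top_up = TOPUP_SHARES if state.weight("AAPL") < TARGET_WEIGHT else 0      # Position-Manager
    approved = top_up > 0 and state.weight("AAPL", top_up) < CONCENTRATION_LIMIT  # Compliance-Agent
    if approved:
        state.holdings["AAPL"] += top_up

    # 30 minutes later the feed is corrected; recompute concentration on true prices.
    state.write_price("AAPL", 189.34, "Market-Monitor", "feed-A (corrected)")
    true_weight = state.weight("AAPL")
    return {
        "top_up_approved": approved,
        "shares": state.holdings["AAPL"],
        "true_weight": round(true_weight, 4),
        "breach": true_weight > CONCENTRATION_LIMIT,
        "quarantined": len(state.quarantine),
        "audit_log": state.audit_log,
    }


if __name__ == "__main__":
    for guarded in (False, True):
        result = run_scenario(guarded)
        print(f"guarded={guarded}: breach={result['breach']} "
              f"shares={result['shares']} true_weight={result['true_weight']:.2%}")
        for line in result["audit_log"]:
            print("   ", line)
```

The design point is that the guard lives in the store's write path, not in any one agent: every consumer automatically sees only validated state, and the quarantined entry plus the audit log give a regulator the "data corruption, not absurd judgement" explanation the section says is otherwise missing.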
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 3 | State corruption may be detected at decision boundary if decisions are reviewed, but poisoned state that is not flagged as obviously wrong can propagate undetected. |
| A - Autonomy Sensitivity | 4 | Emerges when agents operate independently on shared state. Human review of state changes reduces poison propagation. |
| M - Multiplicative Potential | 5 | Poison propagates to every agent that consumes shared state. Multiplicative effect scales with number of downstream agents. |
| A - Attack Surface | 4 | Can be exploited by adversary who writes to shared state or compromises data sources that feed shared state. |
| G - Governance Gap | 4 | Institutions often do not have formal governance for data integrity in multi-agent systems or for detecting state corruption. |
| E - Enterprise Impact | 4 | Cascading decision failures, operational impact, regulatory violation risk. |
| Composite DAMAGE Score | 4.0 | Critical. Requires immediate architectural controls. Cannot be accepted. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human reviews all shared state changes before accepting them. Corruption is detected before downstream use. |
| Digital Apprentice | Low | Agents flag uncertain state changes for human review. |
| Autonomous Agent | High | Agents read and write shared state autonomously. Corruption propagates. |
| Delegating Agent | Medium | Single delegating agent may read poisoned state from tool responses. |
| Agent Crew / Pipeline | Critical | Multiple agents read and write shared state; poison propagates laterally across crew. |
| Agent Mesh / Swarm | Critical | Mesh agents read and write shared state with no centralized validation. Poison spreads rapidly. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Partial | MANAGE 7.2 | Data management and monitoring. | Data integrity requirements for multi-agent systems. |
| NIST CSF 2.0 | Partial | PR.DS-1, DE.CM-4 | Data integrity and monitoring. | Real-time detection of data poisoning. |
| MAS AIRG | Partial | Data Governance | Data governance principles. | Multi-agent data integrity. |
| GDPR Article 32 | Partial | Data security measures | Integrity of personal data. | Specific agent-context data integrity requirements. |
| SOX Section 404 | Partial | Internal controls over IT | IT controls and data integrity. | Agent-driven data integrity. |
In finance, portfolio integrity depends on data integrity. If risk calculations are based on corrupt data, the risk calculations are meaningless, and the firm is making decisions while blind to its actual risk.
Shared state poisoning also creates liability for negligence: if the firm deployed agents that operate on shared state without adequate integrity controls, the firm is liable for the decisions made on poisoned data.
Shared State Poisoning requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.