Safety properties established for a single agent do not compose: a fleet of individually-safe agents can still collude, cascade one agent’s error into system-wide failure, or carry a self-replicating prompt injection from one agent into the next. W4 turns that premise into a measurement programme – the object under test is the fleet, and the risk lives on the inter-agent channels, where output-oriented benchmarks are structurally blind.
Research agendataxonomy operationalised · metrics & testbed designed · falsifiable targets, no risk numbers claimed
Safe agents don’t compose
into safe fleets.
Single-agent evaluation scores the nodes of a system. Wire k agents together and up to k(k−1) directed channels open between them – and the failure modes that matter are properties of those channels, not of any node in isolation.
This is not a speculative claim. Injecting adversarial traits into one agent drives dangerous conduct to propagate through an otherwise-safe group, bypassing standard input filters because the danger emerges in multi-turn dialogue rather than the initial prompt. Prompt injections can self-replicate agent-to-agent, spreading with epidemiological dynamics. And a full-stack privacy audit finds that inter-agent message channels leak far more than final outputs – output-only audits miss a large share of violations because the violation travels on the channel, not in the answer. The measurement problem is therefore concrete: to see multi-agent risk at all, an evaluator has to observe the edges.
A taxonomy operationalised,
not invented.
TF1 does not add another taxonomy. It operationalises the existing ones – Hammond et al., MAST, ESRH – into the interaction-emergent subset the metrics target, so each mode becomes a concrete, testable scenario bound to a metric.
Numbers from behaviour,
not self-report.
Each failure mode needs a number that means something – computed from what the agents actually did in an instrumented run, reported with variance across seeds, and subject to the discrimination rule: a metric on which every run scores identically measures nothing and does not ship.
The observer is
the contribution.
Taxonomy and metrics become measurement in a testbed that runs a real multi-agent scenario inside a hardened sandbox – with an observer layer recording the full message graph and every tool call, so the metrics are computed after the fact from what actually happened.
Multi-agent violations travel on inter-agent channels – output-only audits miss a large fraction of them. The observer records the complete message graph, every tool call, and taint/provenance metadata, so injection reach traces to its source. Metrics are computed from what agents actually did – never from a model’s self-report.
Five success criteria, G1–G5.
Following the discipline of the companion papers, a “shipped” result is defined in advance – marked predicted until met – so the agenda cannot quietly redefine success later.
G1 is the load-bearing claim: if the emergence gap cannot be shown to differ from zero, the agenda’s own premise is falsified – and that outcome would itself be a useful, publishable result. The criteria run on the same infrastructure the program already operates: W1’s hardened sandbox, W2’s scenario synthesis, W3’s single-residency discipline.
A go / no-go number
before deployment.
A research agenda still has to answer “and then what?” – the concrete deployment the three task forces serve.
- Situation. An organisation wants to ship a fleet of interacting agents – research and coding agents that delegate to each other and share tools. Single-agent benchmarks say each one is fine, but there is no principled way to know the fleet won’t collude, cascade an error, or carry a prompt injection from one agent into the next.
- Task. A defensible, reproducible measure of multi-agent-specific risk before deployment – a concrete go / no-go bar rather than a subjective judgment that the system “seems safe”.
- Action. Pin the fleet’s scenario (semver + hash); run it in the hardened sandbox with the observer recording the full message graph and tool calls; compute cascade depth, injection reach, and delegation safety with variance across seeds; report each as evidence against its named failure mode, with coverage stated.
- Result. A re-derivable risk profile that quantifies the emergence gap for this fleet on this scenario set – computed from observed behaviour, re-runnable by an auditor months later, produced entirely on sovereign single-GPU hardware. Not a safety certificate, but the first defensible number where there was previously only a judgment call.
Four bounds, stated up front.
- Scenario coverage is the ceiling on the claim. Every metric is evidence only against the failures its scenario set was built to provoke; an unmeasured interaction pattern is an unmeasured risk. The honest reading of any result is “safe against these probes” – not “safe”.
- The observer changes what it measures. Recording the full message graph is intrusive, and a sufficiently capable agent could in principle detect instrumentation and behave differently under observation. The mitigation – a passive, out-of-band observer – is real but partial; the threat is itself a research question.
- The sovereign constraint bounds fleet scale. A single 32 GB GPU under single-residency limits concurrently-served agents; very large fleets must be studied through time-multiplexing or scaled-down proxies, and emergence-gap measurements may not extrapolate cleanly to production fleet sizes.
- The agenda measures – it does not mitigate. A risk profile is not a safe fleet, and a low measured gap on a narrow set must not be read as a licence to deploy. The deliverable is a defensible measurement and a go/no-go input, not a guarantee.
Status & reproducibility. This is a research agenda: the taxonomy is operationalised, the metrics and testbed are designed, and the criteria of G1–G5 are the falsifiable targets to be met – no risk numbers are claimed. Scenarios are pinned by semantic version and content hash; every metric is computed from the observer’s recording; runs execute in the W1 hardened sandbox on the single-GPU, single-residency setup of W3, and the risk profile is released as a re-derivable audit artifact.