A single LLM can hallucinate; a multi-agent system can hallucinate, act on the hallucination, and then have other agents build on that action before anyone notices. Failures cascade: Agent A writes bad code, Agent B deploys it, Agent C reports success. The attack surface is larger too — prompt injection in one agent can propagate through messages to others. Safety in MAS requires thinking about systemic risk, not just individual model alignment.

Infinite loops: agents keep requesting clarification or retrying without progress. Echo chambers: agents reinforce each other’s errors instead of correcting them. Goal drift: the original objective is lost as agents optimize for intermediate metrics. Resource exhaustion: unbounded token spend or API calls. Privilege escalation: an agent tricks another into using a tool it shouldn’t. Data leakage: private context from one agent leaks into another’s output. Map each failure mode to a specific mitigation.

Input guardrails screen messages entering each agent for prompt injection, off-topic content, and policy violations. Output guardrails validate responses before they reach the next agent or external systems: schema checks, toxicity filters, PII redaction, and action allowlists. In multi-agent systems, guardrails must run at every agent boundary, not just the user-facing edge. Use fast, deterministic checks (regex, schema) before expensive LLM-based classifiers.

Sandboxing limits what each agent can affect: file system access, network calls, database writes, and spending limits. Run code-executing agents in isolated containers with resource caps. Use budget envelopes: each task gets a token budget and dollar cap; the system halts if exceeded. Blast radius analysis: if this agent goes rogue, what is the worst it can do? Design so the answer is bounded and reversible.

A kill switch halts all agent activity immediately — essential for runaway loops or detected attacks. A circuit breaker is automatic: if error rate exceeds a threshold, the system degrades gracefully (e.g., falls back to single-agent mode or queues tasks for human review). Implement at multiple levels: per-agent, per-task, and system-wide. Test kill switches regularly — an untested emergency stop is not a stop at all.

Audit trails record every decision, tool call, and message with timestamps, agent IDs, and trace IDs. They enable post-incident analysis, compliance reporting, and blame attribution. Oversight means humans can review any decision after the fact and intervene in real time for high-risk actions. Store audit logs in append-only, tamper-evident storage. Retention policies should match your regulatory requirements.

Multi-agent systems face inter-agent prompt injection: a malicious input to Agent A crafts a message that hijacks Agent B. Data poisoning: corrupted memory or tool outputs that steer agents wrong. Social engineering: an external user manipulates the conversation to make agents bypass controls. Mitigations: input sanitization at every boundary, role-based message validation (reject unexpected performatives), anomaly detection on message patterns, and red teaming with adversarial scenarios.

Build a threat model specific to your agent topology. Implement guardrails at every boundary, sandbox execution, set budgets, wire kill switches, and log everything. Red team before launch and quarterly after. Next and final chapter: production patterns and the future of multi-agent systems — orchestration at scale, cost engineering, and where the field is heading.