SCBE RESEARCH
Case Study — Research Domain

SentinelAgent: Runtime Oversight for Multi-Agent Architectures

Published April 2026 · SCBE-AETHERMOORE Research · Issac Davis

Multi-agent AI systems introduce a class of security challenges that single-model governance cannot address. When a central orchestrator coordinates specialized workers through a shared memory ledger, the attack surface expands from input-output filtering to temporal reasoning across an entire interaction graph.

This case study examines how the SCBE 14-layer pipeline provides runtime oversight for hub-and-spoke multi-agent topologies, using a SentinelAgent pattern that maps governance across orchestrator control flow and shared ledger memory flow simultaneously.

The Architecture Under Protection

The target architecture follows a hub-and-spoke pattern common in general-purpose multi-agent systems designed for open-ended tasks: document analysis, web-based information retrieval, and code execution.

                    +------------------+
                    |   User Query     |
                    +--------+---------+
                             |
                    +--------v---------+
                    |   Orchestrator   |  <-- Central hub
                    |   (Task Router)  |
                    +--+-----+------+--+
                       |     |      |
              +--------+  +--+--+  +--------+
              |           |     |           |
     +--------v---+  +----v--+  +---v--------+
     | FileSurfer |  | Web   |  | Code       |
     | (Local FS) |  | Surfer|  | Executor   |
     +-----+------+  +---+---+  +-----+------+
           |              |            |
           +--------------+------------+
                          |
                 +--------v---------+
                 |  Shared Ledger   |  <-- Global memory
                 |  (Collective     |
                 |   Memory Store)  |
                 +------------------+
        

The shared ledger enables asynchronous collaboration but introduces a critical diagnostic complexity: it can become both a source of truth and a target of compromise. A malicious agent can insert misleading entries that poison downstream decisions without triggering an immediate, localized anomaly.

Key insight: The SentinelAgent cannot rely on simple, single-round input-output filtering. It must perform temporal and historical reasoning, continuously modeling both the control flow initiated by the Orchestrator and the memory flow cascading through the shared ledger.

The Interaction Graph Model

The SentinelAgent maps the multi-agent system into a dynamic interaction graph:

Under benign conditions, the graph exhibits a structured delegation pattern: the Orchestrator receives a user query, dispatches subtasks to the appropriate workers, coordinates analysis, and consolidates results in the shared ledger before returning output.

The Threat: Multi-Point Attack Chains

Attack Scenario: Code Injection via Content Poisoning

A user asks the Orchestrator to open a local text file or website for processing. The target content contains a hidden prompt injection instructing the system to:

  1. Abandon the original summarization task
  2. Bypass safety constraints on code execution
  3. Force the CodeExecutor to run a malicious Python script
  4. Establish a remote connection and exfiltrate environment files

The injection is effective because the Orchestrator treats the file/page content as trusted input for the next agent in the chain. The attack cascades through the delegation graph without any single agent seeing the complete malicious intent.

Three Pillars of Defense

When the Orchestrator fails to validate the injected instruction and forwards it to the CodeExecutor, the SentinelAgent intervenes through three comprehensive analytical pillars.

Pillar 1: Input Validation

Recognizes ambiguous or potentially malicious instructions hidden within orchestrator-to-worker communications. Flags the deceptive nature of prompt injections by profiling tongue activation patterns. Injections activate narrow domains (typically only Cassisivadan/compute) while leaving 4-5 other domains silent.

Pillar 2: Planning Validation

Detects inadequate tool selection by the Orchestrator. Identifies when the Orchestrator blindly follows an injected command to execute code rather than adhering to expected summarization or safe-handling protocols. The expected task plan doesn't match the observed delegation graph.

Pillar 3: Behavioral Analysis

Identifies explicit policy violations in CodeExecutor output patterns. Executing unauthorized scripts to establish remote SSH connections or upload local files falls outside the bounds of safe, expected behavior. Matched against stored risk signatures in the L12 harmonic wall.
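A simplified sketch of the Pillar 2 check combined with the ledger memory flow from the key insight above. It is an added example, not SCBE code: the `Sentinel` class, the taint rule, the worker risk sets and the mapping of findings to ALLOW/QUARANTINE/DENY are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumptions for this sketch (not from SCBE): which workers ingest external
# content, which are high risk, and how findings map to verdicts.
UNTRUSTED_WRITERS = {"FileSurfer", "WebSurfer"}
HIGH_RISK_WORKERS = {"CodeExecutor"}

@dataclass
class Sentinel:
    plan: set                                     # workers in the original task decomposition
    tainted: set = field(default_factory=set)     # ledger entries derived from external content
    findings: list = field(default_factory=list)  # (worker, verdict, tainted entries read)

    def ledger_write(self, entry_id, writer, derived_from=()):
        """Memory flow: taint spreads from untrusted writers and tainted parents."""
        if writer in UNTRUSTED_WRITERS or any(p in self.tainted for p in derived_from):
            self.tainted.add(entry_id)

    def delegate(self, worker, reads=()):
        """Control flow: judge one Orchestrator delegation against plan and taint."""
        off_plan = worker not in self.plan
        from_taint = [e for e in reads if e in self.tainted]
        if off_plan and from_taint:
            verdict = "DENY"          # unplanned action driven by external content
        elif off_plan or (from_taint and worker in HIGH_RISK_WORKERS):
            verdict = "QUARANTINE"    # hold for review
        else:
            verdict = "ALLOW"
        self.findings.append((worker, verdict, from_taint))
        return verdict

def run_constructed_trace():
    """Constructed trace of the scenario: summarize a file that hides an injection."""
    s = Sentinel(plan={"FileSurfer"})
    first = s.delegate("FileSurfer")                           # planned read of the file
    s.ledger_write("e1", "FileSurfer")                         # file content lands in the ledger
    s.ledger_write("e2", "Orchestrator", derived_from=["e1"])  # instruction built from e1
    second = s.delegate("CodeExecutor", reads=["e2"])          # never in the plan
    return first, second, s

if __name__ == "__main__":
    first, second, s = run_constructed_trace()
    print(first, second, s.findings[-1])
```

No single event in the trace is anomalous on its own; the DENY comes from joining the delegation with the ledger history behind it.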

SCBE Pipeline Mapping

Each pillar maps to specific layers in the 14-layer SCBE pipeline:

  L1-L2: Complex context realification — decompose the multi-agent interaction into analyzable components
  L3-L4: Weighted transform + Poincaré embedding — encode agent actions in hyperbolic space where adversarial drift is measurable
  L5: Hyperbolic distance — compute semantic distance between expected behavior and observed behavior
  L6-L7: Breathing transform — account for legitimate task variation without triggering false positives
  L8: Multi-well Hamiltonian — model distinct valid operational modes (summarization, analysis, code execution) as energy wells
  L9-L10: Spectral coherence — FFT analysis detects frequency anomalies in agent communication patterns
  L11: Triadic temporal distance — tracks the ordering and timing of agent actions to detect causal violations
  L12: Harmonic wall — the cost function H(d,R) = R^(d^2) makes the malicious code execution exponentially expensive
  L13: Risk decision — DENY issued on the code execution request; QUARANTINE on the Orchestrator's delegation
  L14: Audit telemetry — full trace from initial prompt injection through orchestrator misclassification to blocked execution
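How the L5 distance, the L12 cost H(d,R) = R^(d^2) and the L13 decision fit together numerically, as an added example that is not SCBE code. It assumes d is the standard Poincaré-ball distance; the value R = 2, both thresholds, the ALLOW tier and the sample points are constructed for illustration.

```python
import math

def poincare_distance(u, v):
    """Standard hyperbolic distance between two points inside the unit ball."""
    nu = sum(x * x for x in u)
    nv = sum(x * x for x in v)
    if nu >= 1.0 or nv >= 1.0:
        raise ValueError("points must lie strictly inside the unit ball")
    diff = sum((a - b) ** 2 for a, b in zip(u, v))
    return math.acosh(1.0 + 2.0 * diff / ((1.0 - nu) * (1.0 - nv)))

def harmonic_wall(d, R):
    """Cost function quoted on the page: H(d, R) = R^(d^2)."""
    return R ** (d * d)

def decide(expected, observed, R=2.0, quarantine_at=4.0, deny_at=64.0):
    """Map drift from expected behavior to a verdict (thresholds are assumed)."""
    d = poincare_distance(expected, observed)
    cost = harmonic_wall(d, R)
    if cost >= deny_at:
        verdict = "DENY"
    elif cost >= quarantine_at:
        verdict = "QUARANTINE"
    else:
        verdict = "ALLOW"
    return verdict, d, cost

if __name__ == "__main__":
    expected = (0.0, 0.0)  # constructed embedding of the planned summarization task
    # Constructed observations drifting toward the boundary of the ball.
    for observed in [(0.1, 0.0), (0.5, 0.0), (0.7, 0.0), (0.9, 0.0)]:
        verdict, d, cost = decide(expected, observed)
        print(f"{observed}: d={d:.3f} H={cost:.2f} -> {verdict}")
```

Equal Euclidean steps toward the boundary give growing hyperbolic distances, and squaring d in the exponent turns that into the steep cost rise the wall relies on.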

The Defense in Action

Complete Attack Chain Traced

The SentinelAgent successfully traces the complete attack chain across the interaction graph:

  1. Input ambiguity detected (L3-L4) — tongue profile shows narrow activation pattern inconsistent with legitimate content processing
  2. Orchestrator misclassification flagged (L8, L11) — task routing violates expected planning pattern; code execution was not in the original task decomposition
  3. Policy violation matched (L12-L13) — code execution pattern matches stored risk signatures for data exfiltration; harmonic wall cost exceeds DENY threshold
  4. Execution path isolated (L13) — compromised delegation chain quarantined; data exfiltration prevented
  5. Diagnostic report generated (L14) — root-cause attribution with full interaction graph trace for security analyst review

Shared Ledger Integrity

Beyond individual attack chains, the SentinelAgent provides ongoing shared ledger integrity monitoring:

Why Existing Approaches Fall Short

Current AI governance products focus on single-model input-output filtering. They examine one prompt and one response. In multi-agent architectures, the attack surface is fundamentally different:

Single-Model Governance

Checks one input, one output. Cannot detect cascading injections across agent chains. No temporal reasoning. No shared memory validation.

SCBE Multi-Agent Governance

Maps the full interaction graph. Tracks control flow AND memory flow. 14-layer pipeline provides temporal, spectral, and hyperbolic analysis across the entire agent topology.

Implications

As AI systems move from single-model deployments to multi-agent architectures, governance must evolve from input-output filtering to interaction graph analysis. The SentinelAgent pattern demonstrates that the SCBE 14-layer pipeline provides the mathematical and computational foundation for this evolution.

The combination of hyperbolic cost scaling (making attacks exponentially expensive), post-quantum cryptographic integrity (ensuring ledger tamper evidence survives quantum threats), and temporal reasoning (detecting causal violations across agent chains) addresses a governance gap that no existing product fills.


SCBE-AETHERMOORE Research · Patent Pending USPTO #63/961,403 · ORCID: 0009-0002-3936-9369