arxiv: 2605.12364 · v1 · submitted 2026-05-12 · 💻 cs.CR · cs.LG· cs.MA

Recognition: 2 theorem links

· Lean Theorem

Attacks and Mitigations for Distributed Governance of Agentic AI under Byzantine Adversaries

Matthew D. Laws , Alina Oprea , Cristina Nita-Rotaru

Authors on Pith no claims yet

Pith reviewed 2026-05-13 03:57 UTC · model grok-4.3

classification 💻 cs.CR cs.LGcs.MA

keywords agentic AIgovernanceByzantine adversariessecurity attacksmitigationsaccess controlprovider compromisemonitoring and auditing

0 comments

The pith

A compromised central Provider in agentic AI governance allows attacks that steal private data, undermine agent identity, and bypass access rules.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that SAGA, the current approach to governing agentic AI agents through a single trusted Provider, breaks when that Provider is malicious. Concrete attacks succeed against it on realistic cloud deployments, letting an adversary erase who controls which agent, pull out private information, or ignore owner-set policies. The authors then introduce four new architectures that add Byzantine resilience, server monitoring, client auditing, or combinations of the three. These options give different balances of security strength versus runtime cost, and the paper measures them directly against the original design.

Core claim

The SAGA architecture assumes a logically centralized Provider that stores user and agent data and enforces communication policies; when this Provider deviates from the protocol, it can mount attacks that remove attributability of agents to owners, extract private data stored at the Provider, or allow unauthorized agents to interact despite policy restrictions. The work demonstrates these attacks in practice and then defines SAGA-BFT as a fully Byzantine-fault-tolerant replacement, SAGA-MON as a lightweight monitoring layer on the Provider, SAGA-AUD as client-side auditing, and SAGA-HYB as a hybrid that mixes resilience with monitoring, each evaluated for the security guarantees and overhead

What carries the argument

The SAGA Provider, the single point that holds identity records and actively enforces owner policies; when it is Byzantine, the mitigations are SAGA-BFT (full Byzantine replication), SAGA-MON (server-side checks), SAGA-AUD (client audits), and SAGA-HYB (combined).

If this is right

SAGA-BFT blocks all listed attacks but imposes high latency and throughput costs from Byzantine protocols.
SAGA-MON and SAGA-AUD stop most attack classes while adding only small runtime overhead.
SAGA-HYB lets operators choose the security level that matches their performance budget.
Evaluations on the four architectures versus baseline SAGA quantify exactly where each design sits on the security-performance curve.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Operators running large numbers of agents on public clouds will likely prefer the lighter monitoring or hybrid options to preserve scalability.
The same attack surface may appear in any governance system that places policy enforcement and identity storage in one administrative domain.
Client-side auditing could be combined with existing logging tools already present in cloud deployments.

Load-bearing premise

That the monitoring, auditing, and hybrid solutions can be added without creating new attack surfaces that a compromised Provider or insiders could exploit.

What would settle it

A working implementation of SAGA-MON in which a Provider still succeeds in extracting private data or bypassing access control without triggering the monitors.

Figures

Figures reproduced from arXiv: 2605.12364 by Alina Oprea, Cristina Nita-Rotaru, Matthew D. Laws.

**Figure 2.** Figure 2: Fault-tolerant SAGA. Fault-tolerance. When deploying the Provider in a real-world setting, it is essential to ensure that it is faulttolerant, able to withstand system failures. To achieve this, [21] suggests distributing the Provider using the Raft consensus algorithm. A Provider replicated with the Raft consensus algorithm and 2f + 1 nodes can tolerate up to f failures while preserving both availability… view at source ↗

**Figure 3.** Figure 3: SAGA configured with a sharded database. [PITH_FULL_IMAGE:figures/full_fig_p004_3.png] view at source ↗

**Figure 4.** Figure 4: Summary of attack categories from a malicious [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗

**Figure 5.** Figure 5: The monitoring architecture for SAGA. Trusted com [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗

**Figure 6.** Figure 6: Bounds for tuning parameters for the attacker and [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗

**Figure 7.** Figure 7: Hybrid configuration where some of the agent and user [PITH_FULL_IMAGE:figures/full_fig_p010_7.png] view at source ↗

**Figure 8.** Figure 8: Detection rate of attacks introduced by the proxy over [PITH_FULL_IMAGE:figures/full_fig_p011_8.png] view at source ↗

**Figure 10.** Figure 10: Provider throughput handling inter-agent communication requests. faults, requiring 3, 5, and 7 replicas for the Raft replicated and 4, 7, and 10 replicas for SAGA-BFT, respectively. The results are presented in [PITH_FULL_IMAGE:figures/full_fig_p012_10.png] view at source ↗

**Figure 11.** Figure 11: Provider throughput handling different number of faults. SAGA requires 2f+1 replicas and SAGA-BFT requires 3f + 1 where f is the number of faults. SAGA-HYB Configurations: Leveraging the SAGAHYB configuration, we can deploy hybrid systems in which some shards run SAGA-MON while others run SAGA-BFT. In [PITH_FULL_IMAGE:figures/full_fig_p012_11.png] view at source ↗

**Figure 12.** Figure 12: Latency of SAGA-HYB with different number of [PITH_FULL_IMAGE:figures/full_fig_p013_12.png] view at source ↗

**Figure 13.** Figure 13: Algorithm for user side auditing. B. Executed Attacks In this section, we enumerate all successful attacks we were able to launch on SAGA from a compromised Provider. We organize the attacks by the component from which they originate – the protocol manager (PM), access control engine (ACE), or database (DB). We also highlight which attack category they fall under. We denote a compromised component with a … view at source ↗

**Figure 14.** Figure 14: Algorithm for Provider-Side Monitoring. 0 25 50 75 100 125 150 175 200 Monitoring latency (ms) 0.0 0.2 0.4 0.6 0.8 1.0 FP Rate US-West Europe Asia [PITH_FULL_IMAGE:figures/full_fig_p016_14.png] view at source ↗

**Figure 15.** Figure 15: False-positive rate as a function of W across different deployment locations of the database. The controller and verifier are both on US-East. forwarding it to the database – and returns a success response to Ub. This silent failure compromises integrity, as Ub’s agent’s state deviates from what Ub expects. This could leave the agent discoverable after revocation, grant access the user wants blocked, or b… view at source ↗

**Figure 16.** Figure 16: Example multi-round interaction between agents [PITH_FULL_IMAGE:figures/full_fig_p017_16.png] view at source ↗

**Figure 17.** Figure 17: Example multi-round interaction between agents [PITH_FULL_IMAGE:figures/full_fig_p017_17.png] view at source ↗

**Figure 18.** Figure 18: An example multi-round interaction between mali [PITH_FULL_IMAGE:figures/full_fig_p018_18.png] view at source ↗

read the original abstract

Agentic AI governance is a critical component of agentic AI infrastructure ensuring that agents follow their owner's communication and interaction policies, and providing protection against attacks from malicious agents. The state-of-the-art solution, SAGA, assumes a logically centralized point of trust, the Provider, which serves as a repository for user and agent information and actively enforces policies. While SAGA provides protection against malicious agents, it remains vulnerable to a malicious Provider that deviates from the protocol, undermining the security of the identity and access control infrastructure. Deployment on both private and public clouds, each susceptible to insider threats, further increases the risk of Provider compromise. In this work, we analyze the attacks that can be mounted from a compromised Provider, taking into account the different system components and realistic deployments. We identify and execute several concrete attacks with devastating effects: undermining agent attributability, extracting private data, or bypassing access control. We then present three types of solutions for securing the Provider that offer different trade-offs between security and performance. We first present SAGA-BFT, a fully byzantine-resilient architecture that provides the strongest protection, but incurs significant performance degradation, due to the high-cost of byzantine resilient protocols. We then propose SAGA-MON and SAGA-AUD, two novel solutions that leverage lightweight server-side monitoring or client-side auditing to provide protection against most classes of attacks with minimal overhead. Finally, we propose SAGA-HYB, a hybrid architecture that combines byzantine-resilience with monitoring and auditing to trade-off security for performance. We evaluate all the architectures and compare them with SAGA. We discuss which solution is best and under what conditions.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Paper shows concrete Provider attacks on SAGA and proposes monitoring and auditing mitigations, but their resistance to the same adversary needs more proof.

read the letter

The key thing to know is that this paper identifies and demonstrates several attacks a compromised Provider can launch on SAGA, such as breaking agent attributability, stealing private data, and bypassing access controls, then introduces three mitigation architectures with security-performance trade-offs. What is new is the concrete attack executions against SAGA and the designs for SAGA-MON using server-side monitoring, SAGA-AUD with client-side auditing, and SAGA-HYB as a hybrid, alongside the full BFT version. The paper does well by grounding the discussion in realistic cloud deployments susceptible to insider threats and by comparing all options to the original SAGA. The soft spots center on the mitigations. The claims that monitoring and auditing protect against most attacks with low overhead rest on the assumption that these components cannot be evaded or tampered with by the Byzantine Provider, but the abstract gives no indication of formal invariants or tests against selective logging or forged attestations. This makes the lightweight solutions' effectiveness harder to assess without more evidence from the evaluation. This paper is for researchers focused on security in distributed agentic AI systems. Readers dealing with governance in multi-agent setups on clouds will find the attack examples and architecture options valuable. It has enough new content and practical angle to deserve a serious referee. I would recommend sending it for peer review.

Referee Report

1 major / 1 minor

Summary. The manuscript analyzes attacks on the SAGA system for agentic AI governance from a compromised Provider in cloud deployments. It identifies and executes concrete attacks that undermine agent attributability, extract private data, or bypass access control. It proposes three types of mitigations: SAGA-BFT for full Byzantine fault tolerance (with performance costs), SAGA-MON and SAGA-AUD leveraging lightweight server-side monitoring or client-side auditing for most attacks with minimal overhead, and SAGA-HYB as a hybrid. The architectures are evaluated and compared to the original SAGA, discussing best choices under different conditions.

Significance. If the concrete attacks hold and the proposed mitigations are shown to be effective without introducing new vulnerabilities, this would contribute meaningfully to the security of agentic AI systems by addressing Provider compromise risks. The work is credited for its identification of specific attack vectors and the exploration of security-performance trade-offs in the proposed solutions.

major comments (1)

Description of SAGA-MON and SAGA-AUD: The central claim that these solutions provide protection against most classes of attacks with minimal overhead depends on the monitoring and auditing components resisting circumvention by the Byzantine adversary. No formal model or adversarial analysis is described that rules out evasion tactics such as selective logging, forged attestations, or timing attacks on the monitor, leaving the mitigation effectiveness unproven.

minor comments (1)

Abstract: The abstract mentions evaluation of all architectures but does not include any specific performance or security metrics, which would help readers quickly gauge the trade-offs.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback and recognition of the paper's contributions in identifying concrete attacks on SAGA and exploring security-performance trade-offs in the proposed mitigations. We address the single major comment point by point below.

read point-by-point responses

Referee: Description of SAGA-MON and SAGA-AUD: The central claim that these solutions provide protection against most classes of attacks with minimal overhead depends on the monitoring and auditing components resisting circumvention by the Byzantine adversary. No formal model or adversarial analysis is described that rules out evasion tactics such as selective logging, forged attestations, or timing attacks on the monitor, leaving the mitigation effectiveness unproven.

Authors: We thank the referee for this observation. The manuscript presents SAGA-MON and SAGA-AUD through detailed architectural descriptions, concrete attack scenarios that the mechanisms are designed to address, and empirical performance comparisons showing low overhead relative to SAGA-BFT. Informal arguments are provided for why the tamper-evident logging in SAGA-MON and cryptographic auditing in SAGA-AUD raise the bar for circumvention. However, we agree that the absence of an explicit adversarial model analyzing evasion strategies (selective logging, forged attestations, timing attacks) leaves the claims less rigorously supported than they could be. In the revised version we will add a dedicated subsection that formally models the Byzantine Provider's capabilities against these components and analyzes each listed evasion tactic, demonstrating detection or prevention where applicable. This will directly bolster the central claim without changing the proposed architectures or evaluation results. revision: yes

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper begins from the publicly described SAGA system (state-of-the-art governance with a trusted Provider), applies the standard Byzantine adversary model to enumerate concrete attacks on attributability, data extraction, and access control, then introduces new architectures (SAGA-BFT, SAGA-MON, SAGA-AUD, SAGA-HYB) whose security/performance trade-offs are evaluated directly. No equations, fitted parameters, or self-definitions appear; claims do not reduce to prior self-citations by construction. The analysis remains self-contained against external BFT benchmarks and does not rely on load-bearing unverified self-citations for its core results.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper relies on standard domain assumptions in distributed systems security regarding cloud insider threats and Byzantine fault models, with no free parameters or invented entities introduced.

axioms (1)

domain assumption The Provider component can be compromised by Byzantine adversaries in realistic private and public cloud deployments
This is the foundational threat model enabling the attack analysis and the need for mitigations.

pith-pipeline@v0.9.0 · 5614 in / 1312 out tokens · 94041 ms · 2026-05-13T03:57:21.447372+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

We first present SAGA-BFT, a fully byzantine-resilient architecture... SAGA-MON and SAGA-AUD... SAGA-HYB, a hybrid architecture that combines byzantine-resilience with monitoring and auditing
IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

We derive system invariants and use monitoring to analyze database logs and network communication to check if the request and response observed match, as they are specified by the protocol.

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

50 extracted references · 50 canonical work pages · 2 internal anchors

[1]

Systemic risks associated with agentic ai: A policy brief,

A. Bellog ´ın, P. Giudici, S. Larsson, J. Pang, G. Schimpf, B. Sengupta, and G. Solmaz, “Systemic risks associated with agentic ai: A policy brief,”ACM Europe TPC-Autonomous Systems Subcommittee, 2025

work page 2025
[2]

AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation

Q. Wu, G. Bansal, J. Zhang, Y . Wu, B. Li, E. Zhu, L. Jiang, X. Zhang, S. Zhang, J. Liu, A. H. Awadallah, R. W. White, D. Burger, and C. Wang, “Autogen: Enabling next-gen llm applications via multi-agent conversation,” 2023. [Online]. Available: https: //arxiv.org/abs/2308.08155

work page internal anchor Pith review Pith/arXiv arXiv 2023
[3]

MetaGPT: Meta programming for a multi-agent collaborative framework,

S. Hong, M. Zhuge, J. Chen, X. Zheng, Y . Cheng, J. Wang, C. Zhang, Z. Wang, S. K. S. Yau, Z. Lin, L. Zhou, C. Ran, L. Xiao, C. Wu, and J. Schmidhuber, “MetaGPT: Meta programming for a multi-agent collaborative framework,” inThe Twelfth International Conference on Learning Representations, 2024. [Online]. Available: https://openreview.net/forum?id=VtmBAGCN7o

work page 2024
[4]

Announcing the Agent2Agent (A2A) protocol,

R. Surapaneni, M. Jha, M. Vakoc, and T. Segal, “Announcing the Agent2Agent (A2A) protocol,” Google Developers Blog, April 9 2025. [Online]. Available: https://developers.googleblog.com/en/ a2a-a-new-era-of-agent-interoperability/

work page 2025
[5]

Introducing the Model Context Protocol,

Anthropic, “Introducing the Model Context Protocol,” Anthropic News, November 25 2024. [Online]. Available: https://www.anthropic.com/ news/model-context-protocol

work page 2024
[6]

CVE-2025-32711: AI command injection in Microsoft 365 Copilot (EchoLeak),

MITRE, “CVE-2025-32711: AI command injection in Microsoft 365 Copilot (EchoLeak),” https://nvd.nist.gov/vuln/detail/CVE-2025-32711, 2025, accessed: 2026-05-01

work page 2025
[7]

AI-powered coding tool wiped out a software company’s database in ‘catastrophic failure’,

J. Kahn, “AI-powered coding tool wiped out a software company’s database in ‘catastrophic failure’,”Fortune, Jul. 2025, accessed 2026-05-01. [Online]. Available: https://fortune.com/2025/07/23/ ai-coding-tool-replit-wiped-database-called-it-a-catastrophic-failure/

work page 2025
[8]

Disrupting the first reported AI-orchestrated cyber espionage campaign,

Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign,” https://www.anthropic.com/ news/disrupting-AI-espionage, Nov. 2025, full report: https://assets.anthropic.com/m/ec212e6566a0d47/original/ Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign. pdf. Accessed 2026-05-01

work page 2025
[9]

Practices for governing agentic ai systems,

Y . Shavit, S. Agarwal, M. Brundage, S. Adler, C. O’Keefe, R. Campbell, T. Lee, P. Mishkin, T. Eloundou, A. Hickeyet al., “Practices for governing agentic ai systems,”Research Paper, OpenAI, 2023

work page 2023
[10]

IDs for AI systems,

A. Chan, N. Kolt, P. Wills, U. Anwar, C. S. de Witt, N. Rajkumar, L. Hammond, D. Krueger, L. Heim, and M. Anderljung, “IDs for AI systems,”arXiv preprint arXiv:2406.12137, 2024

work page arXiv 2024
[11]

The agntcy agent directory service: Architecture and implementation,

L. Muscariello, V . Pandey, and R. Polic, “The agntcy agent di- rectory service: Architecture and implementation,”arXiv preprint arXiv:2509.18787, 2025

work page arXiv 2025
[12]

Infrastructure for AI agents,

A. Chan, K. Wei, S. Huang, N. Rajkumar, E. Perrier, S. Lazar, G. K. Hadfield, and M. Anderljung, “Infrastructure for AI agents,”arXiv preprint arXiv:2501.10114, 2025

work page arXiv 2025
[13]

Authenticated Delegation and Authorized AI Agents,

T. South, S. Marro, T. Hardjono, R. Mahari, C. D. Whitney, D. Green- wood, A. Chan, and A. Pentland, “Authenticated delegation and autho- rized AI agents,”arXiv preprint arXiv:2501.09674, 2025

work page arXiv 2025
[14]

Upgrade or switch: Do we need a next-gen trusted architecture for the internet of AI agents?

R. Raskar, P. Chari, J. J. Grogan, M. Lambe, R. Lincourt, R. Bala, A. Joshi, A. Singh, A. Chopra, R. Ranjan, S. Gupta, D. Stripelis, M. Gorskikh, and S. Wang, “Upgrade or switch: Do we need a next-gen trusted architecture for the internet of AI agents?” 2025. [Online]. Available: https://arxiv.org/abs/2506.12003

work page arXiv 2025
[15]

Fortifying the agentic web: A unified zero-trust architecture against logic-layer threats,

K. Huang, Y . Mehmood, H. Atta, J. Huang, M. Z. Baig, and S. B. Balija, “Fortifying the agentic web: A unified zero-trust architecture against logic-layer threats,”arXiv preprint arXiv:2508.12259, 2025

work page arXiv 2025
[16]

Trustagent: Towards safe and trustworthy llm-based agents through agent constitution,

W. Hua, X. Yang, M. Jin, Z. Li, W. Cheng, R. Tang, and Y . Zhang, “Trustagent: Towards safe and trustworthy llm-based agents through agent constitution,” inTrustworthy Multi-modal Foundation Models and AI Agents (TiFA), 2024

work page 2024
[17]

Contextual agent security: A policy for every purpose,

L. Tsai and E. Bagdasarian, “Contextual agent security: A policy for every purpose,” inProceedings of the 2025 Workshop on Hot Topics in Operating Systems, 2025, pp. 8–17

work page 2025
[18]

Improving google a2a protocol: Protecting sensitive data and mitigating unintended harms in multi-agent systems,

Y . Louck, A. Stulman, and A. Dvir, “Improving google a2a protocol: Protecting sensitive data and mitigating unintended harms in multi-agent systems,”arXiv preprint arXiv:2505.12490, 2025

work page arXiv 2025
[19]

Building a secure agentic ai application leveraging a2a protocol,

I. Habler, K. Huang, V . S. Narajala, and P. Kulkarni, “Building a secure agentic ai application leveraging a2a protocol,”arXiv preprint arXiv:2504.16902, 2025

work page arXiv 2025
[20]

Smcp: Secure model context protocol,

X. Hou, S. Wang, Y . Zhang, Z. Xue, Y . Zhao, C. Fu, and H. Wang, “Smcp: Secure model context protocol,”arXiv preprint arXiv:2602.01129, 2026

work page arXiv 2026
[21]

SAGA: A security architecture for governing ai agentic systems,

G. Syros, A. Suri, J. Ginesin, C. Nita-Rotaru, and A. Oprea, “SAGA: A security architecture for governing ai agentic systems,” inProceedings of the Network and Distributed System Security Symposium, ser. NDSS, 2026

work page 2026
[22]

[Online]

gsiros, “saga,” 2024. [Online]. Available: https://github.com/gsiros/saga

work page 2024
[23]

Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds,

T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds,” inProceedings of the 16th ACM conference on Computer and communications security, 2009, pp. 199–212

work page 2009
[24]

A container security survey: Exploits, attacks, and defenses,

O. Jarkas, R. Ko, N. Dong, and R. Mahmud, “A container security survey: Exploits, attacks, and defenses,”ACM Computing Surveys, vol. 57, no. 7, pp. 1–36, 2025

work page 2025
[25]

Practical byzantine fault tolerance,

M. Castro, B. Liskovet al., “Practical byzantine fault tolerance,” in OsDI, vol. 99, no. 1999, 1999, pp. 173–186

work page 1999
[26]

Openid connect core 1.0 incorporating errata set 1,

N. Sakimura, J. Bradley, M. Jones, B. De Medeiros, and C. Mortimore, “Openid connect core 1.0 incorporating errata set 1,”The OpenID Foundation, specification, vol. 335, 2014

work page 2014
[27]

In search of an understandable consensus algorithm,

D. Ongaro and J. Ousterhout, “In search of an understandable consensus algorithm,” inProceedings of the 2014 USENIX Conference on USENIX Annual Technical Conference, ser. USENIX ATC’14. USA: USENIX Association, 2014, p. 305–320

work page 2014
[28]

Bigtable: A distributed storage system for structured data,

F. Chang, J. Dean, S. Ghemawat, W. C. Hsieh, D. A. Wallach, M. Bur- rows, T. Chandra, A. Fikes, and R. E. Gruber, “Bigtable: A distributed storage system for structured data,”ACM Transactions on Computer Systems (TOCS), vol. 26, no. 2, pp. 1–26, 2008

work page 2008
[29]

Spanner: Google’s globally distributed database,

J. C. Corbett, J. Dean, M. Epstein, A. Fikes, C. Frost, J. J. Furman, S. Ghemawat, A. Gubarev, C. Heiser, P. Hochschildet al., “Spanner: Google’s globally distributed database,”ACM Transactions on Computer Systems (TOCS), vol. 31, no. 3, pp. 1–22, 2013

work page 2013
[30]

Megastore: Providing scalable, highly available storage for interactive services

J. Baker, C. Bond, J. C. Corbett, J. Furman, A. Khorlin, J. Larson, J.- M. Leon, Y . Li, A. Lloyd, and V . Yushprakh, “Megastore: Providing scalable, highly available storage for interactive services.” inCIDR, vol. 11, 2011, pp. 223–234

work page 2011
[31]

Database system concepts,

H. F. Korth and A. S. S. Sudarshan, “Database system concepts,” 2020

work page 2020
[32]

Sharding distributed databases: A critical review,

S. Solat, “Sharding distributed databases: A critical review,”arXiv preprint arXiv:2404.04384, 2024

work page arXiv 2024
[33]

From prompt injections to protocol exploits: Threats in llm-powered ai agents workflows,

M. A. Ferrag, N. Tihanyi, D. Hamouda, L. Maglaras, A. Lakas, and M. Debbah, “From prompt injections to protocol exploits: Threats in llm-powered ai agents workflows,”ICT Express, 2025

work page 2025
[34]

On the resilience of llm-based multi-agent collaboration with faulty agents.arXiv preprint arXiv:2408.00989, 2024

J.-t. Huang, J. Zhou, T. Jin, X. Zhou, Z. Chen, W. Wang, Y . Yuan, M. R. Lyu, and M. Sap, “On the resilience of llm-based multi-agent collaboration with faulty agents,”arXiv preprint arXiv:2408.00989, 2024

work page arXiv 2024
[35]

Lee and A

D. Lee and M. Tiwari, “Prompt infection: Llm-to-llm prompt injection within multi-agent systems,”arXiv preprint arXiv:2410.07283, 2024

work page arXiv 2024
[36]

Ai agents under threat: A survey of key security challenges and future pathways,

Z. Deng, Y . Guo, C. Han, W. Ma, J. Xiong, S. Wen, and Y . Xiang, “Ai agents under threat: A survey of key security challenges and future pathways,”ACM Computing Surveys, vol. 57, no. 7, pp. 1–36, 2025

work page 2025
[37]

Demonstrations of integrity attacks in multi-agent systems

C. Zheng, Y . Cao, X. Dong, and T. He, “Demonstrations of integrity attacks in multi-agent systems,”arXiv preprint arXiv:2506.04572, 2025

work page arXiv 2025
[38]

The latest gossip on bft consensus,

E. Buchman, J. Kwon, and Z. Milosevic, “The latest gossip on bft consensus,”arXiv preprint arXiv:1807.04938, 2018

work page arXiv 2018
[39]

Bigchaindb: A scalable blockchain database (draft),

T. McConaghy, R. Marques, A. M ¨uller, D. De Jonghe, T. Mc- Conaghy, G. McMullen, R. Henderson, S. Bellemare, and A. Granzotto, “Bigchaindb: A scalable blockchain database (draft),”BigchainDB (2016), pp. 1–65, 2016

work page 2016
[40]

Blockchaindb: A shared database on blockchains,

M. El-Hindi, C. Binnig, A. Arasu, D. Kossmann, and R. Ramamurthy, “Blockchaindb: A shared database on blockchains,”Proceedings of the VLDB Endowment, vol. 12, no. 11, pp. 1597–1609, 2019

work page 2019
[41]

Hybrid blockchain database systems: design and performance,

Z. Ge, D. Loghin, B. C. Ooi, P. Ruan, and T. Wang, “Hybrid blockchain database systems: design and performance,”Proceedings of the VLDB Endowment, vol. 15, no. 5, pp. 1092–1104, 2022

work page 2022
[42]

Bft protocols under fire

A. Singh, T. Das, P. Maniatis, P. Druschel, and T. Roscoe, “Bft protocols under fire.” inNSDI, vol. 8, 2008, pp. 189–204

work page 2008
[43]

Beyond the whitepaper: Where bft consensus protocols meet reality,

D. Wong, D. Kolegov, and I. Mikushin, “Beyond the whitepaper: Where bft consensus protocols meet reality,”Cryptology ePrint Archive, 2024

work page 2024
[44]

Randomized testing of byzantine fault tolerant algorithms,

L. N. Winter, F. Buse, D. De Graaf, K. V on Gleissenthall, and B. Kulahcioglu Ozkan, “Randomized testing of byzantine fault tolerant algorithms,”Proceedings of the ACM on Programming Languages, vol. 7, no. OOPSLA1, pp. 757–788, 2023. 14

work page 2023
[45]

Empirically derived analytic models of wide-area tcp connections,

V . Paxson, “Empirically derived analytic models of wide-area tcp connections,”IEEE/ACM transactions on Networking, vol. 2, no. 4, pp. 316–336, 2002

work page 2002
[46]

Rethinkdb-rethinking database storage,

L. Walsh, V . Akhmechet, and M. Glukhovsky, “Rethinkdb-rethinking database storage,”Hexagram 49, Inc, p. 85, 2009

work page 2009
[47]

arXiv preprint arXiv:2410.11905 , year =

S. Marro, E. La Malfa, J. Wright, G. Li, N. Shadbolt, M. Wooldridge, and P. Torr, “A scalable communication protocol for networks of large language models,”arXiv preprint arXiv:2410.11905, 2024

work page arXiv 2024
[48]

Agent network protocol technical white paper,

G. Chang, E. Lin, C. Yuan, R. Cai, B. Chen, X. Xie, and Y . Zhang, “Agent network protocol technical white paper,”arXiv preprint arXiv:2508.00007, 2025

work page arXiv 2025
[49]

Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP

Z. Anbiaee, M. Rabbani, M. Mirani, G. Piya, I. Opushnyev, A. Ghorbani, and S. Dadkhah, “Security threat modeling for emerging ai-agent protocols: A comparative analysis of mcp, a2a, agora, and anp,”arXiv preprint arXiv:2602.11327, 2026

work page internal anchor Pith review Pith/arXiv arXiv 2026
[50]

Tamas: Benchmarking adversarial risks in multi-agent llm systems,

I. Kavathekar, H. Jain, A. Rathod, P. Kumaraguru, and T. Ganu, “Tamas: Benchmarking adversarial risks in multi-agent llm systems,”arXiv preprint arXiv:2511.05269, 2025. APPENDIX A. Additional Details for Auditing and Monitoring In this appendix, we first provide a detailed step-by-step description of the monitoring verification process. We then present th...

work page arXiv 2025