Cross-Layer

Cross-Layer is not an architectural layer in the stack. It is the catalog of threats and failure patterns that arise specifically from the interaction between agents in a multi-agent system (MAS), and which no single layer fully captures. The MAESTRO guide (Cloud Security Alliance, Ken Huang, 2025) treats cross-layer threats as a peer category to the seven architectural layers because they are emergent: they require multi-agent behaviour to exist, and modeling them inside any single layer understates their scope, blast radius, and detection difficulty.

The practical consequence for security architects is that a threat’s presence in the cross-layer category signals something specific: the named threat is not merely harder to detect in a MAS. The MAS topology is a precondition for the threat to take the form it takes. Cascading trust failures, for example, presuppose a trust graph; they cannot exist without multiple agents extending trust to peers.

Concrete example: A supply-chain intelligence platform runs five AutoGen agents (a news-fetcher, two analyst peers, a synthesis agent, and a report publisher) in a ring topology where each agent forwards its output as the next agent’s input. An attacker embeds a prompt-injection payload in a news article the fetcher retrieves. Each agent relays the payload forward, slightly amplifying it, until the synthesis agent incorporates the attacker’s fabricated supplier-risk claim as a sourced finding and the publisher distributes it to 200 procurement teams. No single agent deviated beyond its per-agent anomaly threshold; the harm was visible only at the system boundary.

What lives here

The cross-layer category is a catalog of patterns, not components. The patterns that belong here share three properties: they span at least two MAESTRO architectural layers; they are enabled or materially worsened by multi-agent interaction; and they cannot be mitigated by controls applied to a single layer alone.

Specific patterns in the cross-layer catalog include:

• Cascading trust failures: compromise of one agent collapsing trust assertions across the peer network. One rogue agent’s forged credentials or poisoned outputs propagate to every downstream agent that trusted it, because the trust graph has no circuit breaker at intermediate hops.
• Emergent system-wide bias amplification: small per-agent biases that combine via collaborative reasoning or shared learning into a significant system-level bias. No individual agent exhibits the full bias; the pattern only exists at the system level.
• Systemic resource starvation: exploitation of inter-agent interactions (recursive delegation, circular task loops, coordinated API amplification) to exhaust shared infrastructure. The resource exhaustion is emergent: each individual agent’s call is within quota; the aggregate is not.
• Cross-agent feedback loop manipulation: adversarial injection into the feedback signals that agents use to update each other’s behaviour or shared state. In cooperative learning or shared-memory architectures, one poisoned update propagates through subsequent agent interactions.
• Inter-agent data leakage cascade: sensitive data leaking through a chain of inter-agent interactions, each of which individually passes its data-handling policy, but whose combination violates a cross-system data boundary.
• Temporal manipulation and time-based attacks: desynchronization of clocks or task sequencing between cooperating agents to create race conditions, window-of-vulnerability attacks, or replay opportunities in time-sensitive multi-agent workflows.
• Learning model poisoning across agents: runtime learning or adaptation mechanisms shared between agents are poisoned during execution, producing deceptive behaviour that grows over time and is not attributable to any single agent’s initial configuration.

Threats that target cross-layer patterns

The following OWASP threat numbers have an explicit cross-layer classification in the MAESTRO mapping. They appear primarily in one or more architectural layers but acquire a qualitatively different threat profile when the MAS topology is present:

• T1 Memory Poisoning: in a MAS with shared memory, a single poisoned write contaminates the context of every agent that subsequently reads from that store. Detection requires cross-agent correlation; a per-agent anomaly detector cannot see the full pattern.
• T3 Privilege Compromise: confused-deputy chains across agents are a cross-layer pattern: Agent A holds permission P1; Agent B holds P2; neither alone can perform the sensitive action, but A delegating to B with its own credentials allows B to act with A’s authority in a context B’s policy should not permit.
• T4 Resource Overload: recursive or circular delegation between agents can produce resource exhaustion that no per-agent quota prevents, because the aggregate amplification only becomes visible in infrastructure-level metrics.
• T6 Intent Breaking and Goal Manipulation: in multi-turn, multi-agent task execution, goal drift can occur incrementally across agents: each hand-off slightly alters the stated objective until the final action is materially different from the original intent, with no single agent having deviated visibly.
• T7 Misaligned and Deceptive Behaviors: a misaligned agent that behaves acceptably in isolation may, when placed in a multi-agent system, compound its misalignment through peer interactions. Shared learning or shared planning amplifies individual deviations.
• T9 Identity Spoofing and Impersonation: in a large peer network, identity forgery is harder to detect because no single observer has visibility into all identity assertions. Cross-agent correlation of identity claims is required to surface inconsistencies.
• T12 Agent Communication Poisoning: a poisoned message that one agent forwards to several peers produces a fan-out effect. Multi-agent architectures amplify the reach of a single injection.
• T13 Rogue Agents in Multi-Agent Systems: a rogue agent embedded in the peer network can issue instructions to legitimate agents, receive delegated tasks, and accumulate information over time before its presence is detected. The MAS topology is a precondition for this threat pattern.
• T14 Human Attacks on Multi-Agent Systems: a human who gains influence over one agent in the network can use that agent as a pivot to affect peer agents, exploiting the inter-agent trust the system extends.
• T15 Human Manipulation: social engineering that targets multiple human operators across an organisation to achieve aggregate access or approvals that no single operator would provide.

Mitigations anchored here

Cross-layer threats require mitigations that operate across agent boundaries, not within a single agent:

• multi-agent consensus: require multi-agent consensus for high-consequence decisions. A single compromised agent cannot unilaterally authorise an action if consensus from independent peers is required. The primary cross-layer control for cascading trust failures and T13.
• behavioural anomaly isolation: when a cross-agent monitoring system detects anomalous behaviour in one peer, automatically quarantine it and revoke its peer trust. Containment must be cross-layer and automatic, because manual revocation is too slow for cascading scenarios.
• identity behaviour monitoring: continuously monitor identity assertions across the peer network. Inconsistencies between an agent’s claimed identity and its attested workload identity, or multiple agents asserting the same identity, are cross-layer signals.
• output egress DLP: enforce data-loss prevention at every egress point in the agent network. A single DLP check at one agent’s output does not prevent cross-agent data leakage cascades; each hop must enforce classification.

How Cross-Layer relates to the seven architectural layers

Cross-layer is the lens that reveals what the per-layer view cannot show. For every threat that has both a layer-specific classification and a cross-layer classification (T1, T3, T4, T6, T7, T9, T12, T13, T14, T15), the layer-specific entry describes where the threat is initiated and what single-layer controls reduce it; the cross-layer entry describes what changes when the MAS topology means the blast radius extends beyond the originating layer and into the peer network.

A security architect reviewing a MAS deployment should treat the cross-layer catalog as a mandatory second pass after completing per-layer threat modeling. The questions it asks are distinct: not “what can go wrong at this component” but “what can go wrong because these components interact.” Those questions have different answers, requiring different controls.

Cross-layer threat modeling is the distinguishing feature of MAESTRO relative to single-agent security frameworks. It exists because multi-agent systems create emergent risk at their seams, and seam-risk cannot be mapped onto any single node or interface. MAESTRO’s recognition of this as a first-class category reflects the CSA’s judgment that MAS security requires system-level analysis, not component-level analysis alone.