Multi-agent consensus on high-impact actions

Supports: Foundational proof that consensus over N participants tolerates at most f < N/3 Byzantine (actively malicious) peers. Establishes the N ≥ 3f+1 quorum bound that agentic-AI deployments inherit when they require ≥2f+1 independent peers to agree.

Does not prove: Does not address LLMs, agentic AI, or hallucination. The paper treats a synchronous message-passing model; real agentic deployments are partially synchronous, so the bound is a lower bound on required diversity, not a deployment recipe.

Supports: T13 "Rogue Agents" names "Consensus Mechanism Exploitation" as one of four rogue-agent scenarios. The explicit threat description covers an attacker who fabricates artificial consensus among compromised agents to approve harmful actions, or who manufactures artificial disagreement to paralyse a quorum. Multi-agent N-of-M consensus over independent peers is the named countermeasure — raising the attack cost from "compromise one agent" to "compromise the quorum majority". T12 "Agent Communication Poisoning" and T5 "Cascading Hallucination Attacks" are also named in OWASP v1.1 and are additional coverage targets of this control.

Does not prove: The OWASP T&M document is not openly machine-readable; verbatim extract not pulled. T13 is an OWASP v1.1 ID (T1–T17 range); the "Model Inconsistency" scenario sometimes labelled T48 in Helmwart is a Helmwart-internal renumber from OWASP MAS T16 and is not from OWASP T&M v1.1.

Supports: Empirical demonstration that sampling multiple independent reasoning paths and selecting by majority vote (marginalizing out paths) reduces hallucination and improves accuracy. The self-consistency mechanism is the intra-agent analogue of inter-agent consensus: both use agreement across diverse reasoning traces as a reliability signal. Benchmarked improvements on GSM8K (+17.9%), SVAMP (+11.0%), AQuA (+12.2%) establish that diversity of paths materially improves correctness.

Does not prove: Self-consistency operates within a single language model (sampling from its own decoder); it does not directly address multi-agent coordination, Byzantine peers, or adversarial agents. Generalisation from intra-agent to inter-agent consensus is the Helmwart interpretation — the paper does not make this claim itself.

Supports: Establishes the model-as-verifier (critic-refinement) pattern: a second model critiques and revises the output of a first model. This is the lightweight, verifier-agent variant of the control — cheaper than full N-of-M peer quorum, applicable where a dedicated "critic" agent independently evaluates primary-agent output before execution. The pattern uses AI feedback to enforce policy compliance without full human labelling.

Does not prove: The paper focuses on harmlessness training and RLHF, not on multi-agent consensus or Byzantine-fault tolerance. The critic pattern is one-against-one (one critic reviews one output), not N-of-M quorum. It does not address adversarial peer agents.

Supports: Defines the human-review escalation path that a failed quorum should open onto. Explicitly calls for risk-proportionate oversight and "approval from multiple stakeholders diversified across multiple organizations" for high-consequence systems — the structural analogue of N-of-M consensus with organisational diversity.

Does not prove: Addresses human-in-the-loop, not automated peer-agent consensus. Does not specify how a consensus quorum fires or how peer diversity is achieved technically.

Supports: Segmentation is the structural prerequisite for meaningful consensus diversity: peers that share the same execution environment, memory, or retrieval corpus are not genuinely independent. Isolation between peer agents ensures that a compromise of one does not automatically corrupt the others, which is the condition under which N-of-M quorum retains its safety guarantees.

Does not prove: Does not address quorum logic or consensus algorithms. Segmentation is a necessary but not sufficient condition for consensus-based controls.

Supports: Names fail-safe behaviour when a system operates beyond its knowledge limits as a deployment-evaluation requirement. Multi-agent consensus is one mechanism that implements this: when peer agents disagree, the system has evidence of operating at the boundary of its reliable knowledge and should fail safely (reject the action or escalate) rather than proceed on one agent's uncertain output.

Does not prove: MEASURE 2.6 does not name multi-agent consensus, N-of-M quorum, or ensemble verification explicitly. The MDX independently evidence claim that NIST AI 600-1 names "ensemble-based verification under MAP-3.2" is not supported: MAP 3.2 does not exist in the document; MEASURE 3.2 (action MS-3.2-001) covers risk tracking for systems where measurement techniques are unavailable, not ensemble methods. The fail-safe framing in MEASURE 2.6 is the closest verifiable NIST citation for this control.