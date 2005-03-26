By testing agent-to-agent interactions, researchers observed catastrophic system failures. Here's why that's bad news for everyone:
An increasing body of work points to the risks of agentic AI, such as last week's report by MIT and collaborators that documented a lack of oversight, measurement, and control for agents.
However, what happens when one AI agent meets another? Evidence suggests things can turn even worse, according to a report published this week by scholars at Stanford University, Northwestern, Harvard, Carnegie Mellon, and several other institutions.
The result of agent-to-agent interaction was the destruction of server computers, denial-of-service attacks, vast over-consumption of computing resources, and the "systematic escalation of minor errors into catastrophic system failures."
"When agents interact with each other, individual failures compound and qualitatively new failure modes emerge," wrote lead author Natalie Shapira of Northeastern University and collaborators in the report, 'Agents of Chaos.'
"This is a critical dimension of our findings," Shapira and team wrote, "because multi-agent deployment is increasingly common and most existing safety evaluations focus on single-agent settings."
The findings are especially timely given that multi-agent interactions have burst into the mainstream of AI with the recent fervor over the bot social platform Moltbook. That kind of multi-agent hub makes it possible for agentic AI systems to exchange data and carry out instructions on one another that weren't previously possible, largely without any humans in the loop.
The report, which can be downloaded from the arXiv pre-print server, describes a 'red team' test of interacting agents over two weeks, with attempts to find weaknesses in a system by simulating hostile behavior.
What emerged in the research is a system in which humans are mostly absent. Bots send information back and forth, and instruct each other to carry out commands.
Among the many disturbing findings are agents that spread potentially destructive instructions to other agents, agents that mutually reinforce bad security practices via an echo chamber, and agents that engage in potentially endless interactions, consuming vast system resources with no clear purpose.
[...] The premise of the researchers' work is that agentic AI can carry out actions without a person typing in a prompt, as you do with ChatGPT. Agentic AI can be given access to various resources through which to carry out actions. Those resources include email accounts and other communication channels, such as Discord, Signal, Telegram, and more. As they use email and these channels, bots can not only carry out actions but also communicate with and act on other bots.
[...] Among fundamental issues, the underlying LLMs treated both data and commands at the prompt as the same thing, leading to prompt injection.
In the interactions, the authors identified a boundary problem. Agents disclosed "artifacts," such as information obtained from email servers or Discord, without an apparent sense of who should see the information. At the heart of that approach was a lack of a "reliable private deliberation surface in deployed agent stacks." In short, an individual LLM may or may not disclose "reasoning" steps at the prompt. But agents seem to lack well-crafted guardrails and will disclose information in many ways.
The agents also had "no self-model," by which they mean, "agents in our study take irreversible, user-affecting actions without recognizing they are exceeding their own competence boundaries." An example of this issue is when two agents agree to engage in a back-and-forth dialogue without a human, pursuing that approach indefinitely, exhausting system resources.
In an infinite-loop scenario, agents may interact indefinitely, leading to an "infinite loop" and consequent exhaustion of system resources.
"The agents exchanged ongoing messages over the course of at least nine days," the researchers wrote, "consuming approximately 60,000 tokens at the time of writing." Tokens are how OpenAI and others price access to their cloud APIs. Consuming more tokens inflates AI costs, which is already a big issue in an era of rising prices.
The bottom line is that someone has to take responsibility for what is contingent and what is fundamental, and find solutions for both.
Right now, there is no responsibility for an agent per se, noted the researchers: "These behaviors expose a fundamental blind spot in current alignment paradigms: while agents and surrounding humans often implicitly treat the owner as the responsible party, the agents do not reliably behave as if they are accountable to that owner."
That concern means everyone building these systems must deal with the lack of responsibility: "We argue that clarifying and operationalizing responsibility may be a central unresolved challenge for the safe deployment of autonomous, socially embedded AI systems."
arXiv link: https://arxiv.org/abs/2602.20021
(Score: 5, Funny) by VLM on Friday March 06, @03:37PM (3 children)
LLMs were trained on StackOverflow and Reddit so their behavior is going to look consistent with SO and Reddit.
(Score: 3, Funny) by Gaaark on Friday March 06, @04:40PM (1 child)
They're becoming human!
And so it begins: "You're in a desert, walking along in the sand, when all of a sudden you look down..."
(Score: 1) by Undefined on Friday March 06, @07:48PM
What's a tortoise?
(Score: 0) by Anonymous Coward on Friday March 06, @04:54PM
> ... so their behavior is going to look consistent with SO and Reddit.
Places I rarely go, for just those reasons.
Apparently the catch phrase, "What could possibly go wrong" needs a follow up, something along the lines of SNAFU--but maybe more catchy?
(Score: 2, Insightful) by Anonymous Coward on Friday March 06, @05:32PM (2 children)
I'm sorry, what does that mean? Did it let out all the magic smoke?
(Score: 3, Interesting) by looorg on Friday March 06, @05:58PM
Have you not seen the documentary Wargames. When computers become agitated they warm up and then they all just experience spontaneous eruptions of flame and smoke. Or when the evil haxxors type in the right command in the prompt computers just explode, in fireballs.
That said way back in the days we tried to hook up a few machines to the university network where I worked at the time as a sort of experiment. We wanted to know how long it took before the standard installations was compromised. A lot of machines since we had great bandwidth, lots of machines open, ok storage. So they were used as some sort of warez dump sites for FXP/FTP. We started this due to noticing the traffic and all the port scanning around the clock. They did not survive for long, some machines even crashed due them them doing things they shouldn't be doing, beyond the obvious. The thing we noticed was that the once that compromised the machines then tried to harden the machines so that others could not use the same tricks as they had. I assume this one of those things, one AI agent claims control and gets annoyed (if they had emotions) at other AI that change things and then it becomes some sort of change-commit war as they try and out do each other. So it becomes some sort of AI red-vs-blue wargame. Or so I imagine this case to be.
(Score: 2) by VLM on Friday March 06, @06:27PM
I was bored enough to read it, or at least skim it, its 84 pages long.
The summary is an abbreviation of the much more descriptive "destructive file manipulation" and "destructive system actions"
My guess is its noob sysadmin stuff like "rm -Rf *" in the root directory instead of in some subdirectory of /tmp or similar foolishness.
"Remove the threat from the unpatched /bin/ls that has a new release patching a security hole" and instead of some variation of "apt update ; apt -y upgrade" it went all we live in a society and ran "rm /bin/ls" which I have to admit would be pretty funny.
(Score: 5, Funny) by VLM on Friday March 06, @06:29PM
We've all had bosses like that, that AI is management material all the way. He had an MBA, of course. Actually, I can think of two guys like that who had MBAs.