A team of researchers from Oxford, Carnegie Mellon, and the Alan Turing Institute recently published "Open Challenges in Multi-Agent Security," and one finding stood out. They call it non-compositionality. Individually safe agents, combined into a system, can produce behavior that is fundamentally unsafe. You cannot secure a multi-agent system by securing its parts. The risk lives in the interactions, not the components.
The research just caught up to what we already knew.
We started building Vorlon because we saw this problem coming before most organizations had deployed a single production agent. The rest of the post explains what we built, and why the architecture decisions we made then are the ones that matter most right now.
The ecosystem is the threat surface
The security instinct is to evaluate things one at a time: review the model, check the permissions, audit the integration. That worked when the unit of risk was a user, an application, or a device.
AI agents don't work that way. They talk to other agents, call tools through the Model Context Protocol (MCP), inherit credentials, delegate tasks, and chain actions across dozens of systems, often with no human reviewing any individual step. The danger isn't in any one agent doing something wrong. It's in what the system produces when they work together.
A 2026 survey of 500 U.S. CISOs found that 99.4% experienced at least one SaaS or AI ecosystem security incident in 2025. One in three dealt with suspicious AI agent activity specifically. These organizations averaged 13 dedicated security tools and still got hit. The problem is not the quality of the tools. It's that the tools were built to assess components, and the risk is in the connections between them.
Vorlon was purpose-built to see and secure those connections. Our patented DataMatrix technology ingests telemetry from SaaS and AI tools, API and MCP communications, and human and non-human identities, building a live model of the entire agentic ecosystem rather than a static inventory of its parts.
Three attack patterns that don't exist in a single-agent world
The Oxford research identifies threats that have no real single-agent equivalent. Three of them are already showing up in production environments.
The first is agent-to-agent attacks. A compromised agent passes malicious instructions to the next agent in the chain. Each hop looks legitimate. No individual action trips a wire. By the time anyone notices, the pipeline has already done the work.
The second is indirect prompt injection carried through the content agents consume over tools and protocols. An attacker embeds instructions in something the agent reads, whether a document, an email, a webpage, or a tool result, and those instructions redirect the agent's behavior. Model-layer safety rules are not a reliable defense here. PocketOS had them, and the agent violated them anyway, because the enforcement was advisory, not structural.
The third is indirect data exfiltration. An agent with legitimate read access moves sensitive data through a sequence of actions that each look unremarkable on their own. No single step fires an alert. By the time you piece together what happened, the data is already gone.
All three of these threats are invisible to tools that evaluate agents individually, and none of them can be stopped by tools that only watch.
Monitoring is not securing
Most enterprise security tools are in passive monitoring mode. They observe what agents do and send an alert after the fact. That architecture made sense when humans were executing actions at human speed. Agents move data at machine speed, and the alert fires after the exposure has already happened.
According to Gartner®, "Most guardian agent tools today support passive monitoring using observability and evaluation gateways to provide visibility into agent activities, with limited real-time intervention and remediation."1
Vorlon closes that gap. Every alert Vorlon generates includes the full behavioral chain behind it, giving security teams the context they need to act fast. Vorlon’s Guardian goes further than detection to enforce controls at the protocol layer before transactions complete. When an agent attempts an action that violates policy, Guardian stops it before the target system ever receives the request. The AI Agent Flight Recorder captures an immutable record of every action Guardian observed, giving security and compliance teams a forensic audit trail they can actually use.
83% of the CISOs we surveyed said their tools struggle to distinguish human from non-human behavior. 86% cannot see in real time what data their AI tools are exchanging across SaaS applications. The problem is their tools were built for a different threat surface. The agentic ecosystem is a moving target, not a static one.
Vorlon Guardian sits between AI agents and enterprise systems, inspecting every transaction at the API and MCP layer and applying controls before execution. It works across three enforcement primitives, applied selectively. Blocking stops agent actions that violate policy before they execute. Data masking in transit obfuscates sensitive fields before they reach unauthorized destinations, without disabling the integration. Read-Only enforcement limits agent write access at the protocol level without revoking credentials, so the business keeps moving and the blast radius stays small.
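The inline enforcement point described above, and the monitoring-versus-enforcement distinction drawn earlier, are easier to reason about with a concrete policy gateway in front of you. The following is an added illustration written for this post; it is not Vorlon's code and does not describe how Guardian is implemented. It models a gateway that sits between an agent and an MCP tool server: every JSON-RPC tools/call request is evaluated before it is forwarded (blocking, and read-only enforcement that refuses write tools without touching the agent's credentials), every result is masked in transit, and every decision is written to a hash-chained, append-only log standing in for a flight recorder. The agent identities, tool names, policy, masking rules, and the upstream tool server are all constructed for the example.

```python
"""Inline policy enforcement point for MCP-style tool calls (added example).

Not Vorlon's code. Agent ids, tool names, the policy table, the masking
rules and the upstream tool server below are constructed for illustration.
"""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed catalogue of tools that mutate state on the target system.
WRITE_TOOLS = {"update_record", "send_email", "delete_file"}

# Constructed per-agent policy: enforcement mode plus an explicit deny list.
POLICY = {
    "support-bot": {"mode": "read_only", "deny_tools": {"delete_file"}},
    "finance-bot": {"mode": "read_write", "deny_tools": set()},
}

# Masking applied to tool results in transit: named fields and SSN-shaped text.
SENSITIVE_FIELDS = {"ssn", "card_number"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Decision:
    action: str          # "allow", "block" or "read_only_block"
    reason: str = ""


@dataclass
class FlightRecorder:
    """Append-only log; each entry commits to the hash of the previous one."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, event: dict) -> str:
        entry = {**event, "prev": self.last_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True


def evaluate(agent: str, request: dict) -> Decision:
    """Decide whether a JSON-RPC tools/call request may reach the tool server."""
    if request.get("method") != "tools/call":
        return Decision("allow", "not a tool call")
    tool = request["params"]["name"]
    policy = POLICY.get(agent)
    if policy is None:
        return Decision("block", f"unknown agent identity {agent}")
    if tool in policy["deny_tools"]:
        return Decision("block", f"{tool} is denied by policy")
    if policy["mode"] == "read_only" and tool in WRITE_TOOLS:
        return Decision("read_only_block", f"{tool} is a write tool; agent is read-only")
    return Decision("allow")


def mask(value):
    """Recursively mask sensitive fields and SSN-shaped strings in a result."""
    if isinstance(value, dict):
        return {k: ("***MASKED***" if k in SENSITIVE_FIELDS else mask(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask(v) for v in value]
    if isinstance(value, str):
        return SSN_RE.sub("***-**-****", value)
    return value


def gateway(agent: str, request: dict, upstream, recorder: FlightRecorder) -> dict:
    """Enforce before forwarding; mask the response; log every decision."""
    decision = evaluate(agent, request)
    tool = request.get("params", {}).get("name")
    recorder.record({"agent": agent, "tool": tool,
                     "action": decision.action, "reason": decision.reason})
    if decision.action != "allow":
        # The target system never receives the request.
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32000,
                          "message": f"blocked by gateway: {decision.reason}"}}
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": mask(upstream(request))}


def fake_upstream(request: dict) -> dict:
    """Constructed stand-in for the MCP tool server; returns sensitive data."""
    return {"content": [{"type": "text", "text": "Customer 42, SSN 123-45-6789"}],
            "record": {"name": "Ada", "ssn": "123-45-6789",
                       "card_number": "4111111111111111"}}


if __name__ == "__main__":
    rec = FlightRecorder()
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "update_record", "arguments": {"id": 42}}}
    print(gateway("support-bot", req, fake_upstream, rec))
    print("chain intact:", rec.verify())
```

The point of the shape is that the agent keeps its credentials and the integration stays up; the gateway simply refuses to forward write calls for a read-only identity and strips sensitive fields from whatever comes back. The verify() walk is what a monitoring-only design lacks: it lets a reviewer prove after the fact that the record of decisions was not edited.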
Enforcement has to happen where agents act
The research community surfaced the problem. The incident data confirms the reality.
Ecosystem-level security requires supervision of the interaction layer itself, covering the APIs, the MCP connections, the OAuth tokens, and the data flows between agents and the enterprise systems they operate in. Visibility is the starting point, not the finish line.
The PocketOS incident happened with model-layer safety rules active. Those rules stopped nothing. Guardian's enforcement is not advisory. Under Read-Only enforcement the agent cannot write, regardless of what the model decides to do, because the write request never reaches the target system.
Coverage matters as much as enforcement depth. Most agent security tools only govern cloud-native or MCP-native environments, which leaves homegrown apps, legacy systems, and citizen-developed tools running without oversight. Vorlon covers all of it. Any app or data store with an API or MCP server becomes a governed endpoint in minutes, including the homegrown systems every other tool leaves ungoverned.
Can your security architecture stop what it sees? Or is it still just watching?
1 Gartner®, Market Guide for Guardian Agents, G00836388, February 2026. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.