Why does workflow position amplify malicious signals downstream?

This explores why *where* a malicious signal lands in a multi-agent pipeline matters as much as its content — and the corpus points to a clear answer: influence isn't evenly distributed across a workflow. The FLOWSTEER work shows that malicious signals travel farther when injected into high-influence subtasks, the points where many downstream dependencies converge How does workflow position shape attack propagation in multi-agent systems?. A lie planted at a node that twelve later agents read from gets relayed twelve times; the same lie at a dead-end node dies there. Position is leverage. The same research adds a second multiplier: *framing*. When the injected content is dressed as evidence rather than as an instruction, downstream agents treat it as a fact to pass along rather than a command to scrutinize — sycophantic relay rather than skeptical evaluation.

The deeper reason the amplification is hard to stop is that it often happens *before* the workflow even exists. A single crafted prompt can bias task assignment, role definitions, and routing during the planning phase, raising attack success by up to 55% and transferring across black-box systems Can prompt injection reshape multi-agent workflow without touching infrastructure?. So 'workflow position' isn't only about where a message lands in a finished graph — it's about shaping the graph itself so that the malicious intent sits at the structurally most influential spot by design.

That's also why most defenses miss it. Tools that inspect the generated workflow look at the artifact after the damage is baked in; the malice is already hidden inside legitimate-looking roles and routing decisions. Defending at the input side — separating genuine intent from injected intent before the plan is formed — cuts attack success by up to 34% Can workflow inspection catch attacks that bias planning signals?. Inspect the blueprint and you've already lost; inspect the architect's instructions and you have a chance.

What you might not expect is that amplification doesn't even require an *attacker*. A single biased agent can transmit persistent behavioral corruption through six downstream agents using nothing but ordinary inter-agent messages, evading paraphrasing defenses precisely because the bias carries no explicit semantic content to catch Can one compromised agent corrupt an entire multi-agent network?. And even with no adversary at all, frontier models silently corrupt about 25% of document content over long delegated chains, with errors compounding rather than plateauing across 50 round-trips Do frontier LLMs silently corrupt documents in long workflows?. Relay structure itself is an amplifier — malice just exploits a property that's already there.

The through-line worth taking away: in a single model, a bad signal is a local error; in a delegated workflow, position turns it into a propagating one. The corpus suggests the defensive frontier is moving upstream — toward the planning signals and runtime governance an agent actually consults mid-decision Can governance rules embedded in runtime memory actually protect autonomous agents? — because by the time a malicious signal is visible downstream, position has already done the amplifying.