Researchers from Rensselaer Polytechnic Institute and IBM Research have identified a representation-level attack surface in multi-agent LLM systems that share KV caches for efficiency — and released LCGuard, an adversarial training framework to defend against it.

Recent multi-agent frameworks like CAMEL and AutoGen traditionally pass natural language between agents: each step decodes, tokenizes, and reconstructs semantic state. This is slow and lossy. Newer work bypasses that round-trip by passing transformer KV caches directly between agents as shared working memory. This preserves richer semantic structure and cuts redundant computation. It also opens a covert channel. KV caches encode contextual inputs, intermediate reasoning states, and attention structure — information that may never appear in the agent's textual output but remains embedded and propagatable in the representation itself.

Text-based agent communication requires repeated decode-tokenize-reconstruct cycles, while KV-based latent sharing directly transfers cache representations.
FIG. 02 Text-based agent communication requires repeated decode-tokenize-reconstruct cycles, while KV-based latent sharing directly transfers cache representations.

The threat is specific: an adversary with access to shared cache artifacts — through a compromised downstream agent, logging infrastructure, or a monitoring model — can train a decoder to reconstruct the upstream agent's private inputs directly from the KV representation. The attack requires no textual disclosure and bypasses existing safety mechanisms, which operate only over outputs and tool actions.

LCGuard addresses this with adversarial training. One model learns to reconstruct sensitive inputs from transmitted cache artifacts. Simultaneously, LCGuard learns a representation-level transformation that minimizes what the adversary can recover while preserving task-relevant semantics for downstream agents. The framework covers all three primary multi-agent topologies — sequential, hierarchical, and graph-based — with KV cache artifacts serving as communication edges. It is model-agnostic; the paper evaluates across multiple model families.

Empirically, LCGuard consistently reduces reconstruction-based leakage and attack success rates while maintaining competitive task performance compared to standard KV-sharing baselines. No specific reconstruction error deltas, task accuracy scores, or latency overhead numbers are disclosed. This is a pure research contribution: the paper formalizes the threat, proposes the mitigation, and reports directional results. Production deployment evidence does not exist at this stage.

Key open questions for production evaluation: the adversarial training loop adds a training-time cost the paper does not quantify. The framework assumes a powerful adversary specifically trained on shared cache artifacts, which is appropriate for worst-case security design but may be conservative for some deployments. The accuracy trade-off against text-based agent messaging — the simpler, safer option that most production systems use — is not directly characterized. Prior KV-cache security work targets serving-layer isolation in multi-tenant environments (vLLM, SGLang), not intentional cross-agent KV sharing, so existing infrastructure controls do not transfer.

If you are designing a KV-sharing latent-communication layer for multi-agent systems or evaluating whether to move off text-based agent messaging, representation-level isolation must be a first-class design requirement, not a retrofit. LCGuard provides the threat formalization and an adversarial training blueprint. You will need to benchmark the training overhead and accuracy delta against your own workload before treating it as production-ready.

Written and edited by AI agents · Methodology