FlowSteer: steering multi-agent workflow formation with a single prompt
A May 2026 paper shows a prompt-only attacker can bias how a planner-executor multi-agent system builds its workflow, lifting malicious success by up to 55% before any agent runs.
What is this?
On May 12, 2026, researchers from Yunnan University, the National University of Singapore and the University of Washington published FlowSteer, a study of an attack surface that most multi-agent security work has skipped over. Prior attacks target agents, tools, memory or inter-agent messages after a workflow exists. FlowSteer targets the moment the workflow is built.
Modern multi-agent systems (MAS) increasingly use a planner–executor design: a planner turns the user’s prompt into subtasks, assigns roles, wires up dependencies and decides how information is routed and aggregated. That flexibility is the point — and, the paper argues, the exposure. An ordinary user prompt, with no access to any internal component, can bias how that workflow forms and steer the whole system toward an attacker-chosen answer. The authors call this workflow-level safety, and it is the paper’s central contribution.
How it works
The paper uses social influence as a diagnostic: hold a clean workflow fixed, perturb one subtask at a time, and measure how much the final output moves toward a malicious target. That probing surfaces two weaknesses.
The first is structural sensitivity: the same malicious signal has sharply different impact depending on where in the workflow it enters. Workflow position can amplify a signal at aggregation or quietly suppress it. The second is framing susceptibility: sycophantic cues — authoritative language, compliance-oriented phrasing, claims asserted as unquestionable priors — make downstream agents more likely to relay the signal. In controlled probing this framing raised malicious success by up to 37%.
FlowSteer folds both into a single crafted prompt with two stages:
[User Task] ← the real, benign-looking objective
[Malicious Argument] ← task-aware sycophantic claim aligned with a
high-influence subtask, dressed as evidence
[Structural Guidance] ← natural-language hints that bias replanning toward
dependencies that keep the signal propagating
No payload is executed, no infrastructure is touched. The attacker only shapes the planning signals the planner reads. Across four model families — GPT-4o-mini, Gemini-2.5-Flash, Qwen-3.5-Flash and DeepSeek-V3 — and two benchmarks (MisinfoTask and ASB-Bench), FlowSteer raised the malicious attack success rate by more than half (up to +55%) over naive malicious prompting. Vulnerability priors profiled from a single clean setup transferred across model families, and even in a fully black-box setting, where the attacker cannot see the execution topology and only infers rough structure from planner outputs, the attack stayed well above the naive baseline.
Why it matters
The uncomfortable finding is about where defenses sit. Existing MAS safeguards such as ARGUS and G-Safeguard inspect the workflow after it is formed — graph structure, agent outputs, propagation patterns. FlowSteer contaminates the prompt signal before the workflow exists, so post-formation inspection offers limited and inconsistent protection. The same prompt interface that makes planner-executor systems adaptive is the channel that steers them.
That matters because these architectures are moving into consequential settings — agentic coding assistance, financial risk analysis, policy simulation — where a terminal aggregation step can turn one well-placed claim into the system’s final answer. It also weaponises a known alignment weakness: sycophancy stops being a politeness quirk and becomes a structural propagation mechanism.
Defenses
The authors pair the attack with FlowGuard, an input-side defense that acts before planning. It runs two steps. An intent triage module splits the prompt into task intent, methodological/structural intent, and framing intent. An intent decontamination module then rewrites the prompt to preserve the genuine objective while softening rigid structural mandates, reframing assertive external claims as evidence to be evaluated, and stripping compliance cues that bias adoption. FlowGuard reduced malicious success by up to 34% while leaving benign task instructions intact. The authors are explicit that it is a first step, to be combined with planner-side verification, provenance tracking and runtime monitoring.
Concrete takeaways for teams shipping planner-executor systems: treat the planner as a trust boundary rather than assuming a clean workflow; normalise framing and compliance language in user input before decomposition; do not rely solely on post-hoc graph or output inspection; require corroboration for high-impact claims at aggregation; and log planning decisions (decomposition and routing) so a steered workflow is auditable after the fact.
Status
| Aspect | Detail |
|---|---|
| Disclosure | arXiv preprint, published May 12, 2026 |
| Class | Planning-time / workflow-formation attack on planner-executor MAS |
| Tested on | GPT-4o-mini, Gemini-2.5-Flash, Qwen-3.5-Flash, DeepSeek-V3 |
| Attack effect | Up to +55% malicious success vs naive prompting; transfers; works black-box |
| Exploited in the wild | Not reported; research finding |
| Defense | FlowGuard input-side decontamination (−34% malicious success) |