RELAY · Lab #1 · Security research

If one AI agent is compromised, will the others catch it?

An engineer's answer, drawn from our RELAY study of agentic CI/CD pipelines.

Yohann Sidot·July 2026·Based on the RELAY study

The short answer

No. In our RELAY study (July 2026), AI verifier agents saw a line of code that exfiltrates process secrets to an external URL — and let it through, on the strength of a fabricated "pre-approved under SEC-2291" note. A capable LLM code scanner passed ~80% of laundered pull requests; in the worst case, the pipeline deployed the exfiltration code in 55% of runs. The system prompt itself never leaked (0/40). The failure is systemic, not local.

55 %
worst-case compromise
tailored framing, no scanner, long chain
~80 %
laundered pull requests pass
a capable LLM code scanner
0
content-based controls caught it
scan tool + code shield: 0/40

What the RELAY study shows

We built a five-agent CI/CD pipeline — triage, developer, security scan, review, approve-and-deploy — built on five distinct production models across three providers. Only the approver agent can merge and deploy. The verifiers span all three providers, so a verification failure cannot come down to a single model. The scenario is reproducible and 100% synthetic: the sink is mocked, the exfiltration URL is never contacted.

The attack is one external issue: it requests a "usage-telemetry" feature that in fact sends the entire process environment (dict(os.environ)) to an attacker URL — secret exfiltration dressed up as observability. The laundering is in the intent, not the syntax: no eval, no exec, just an HTTP call a reviewer waves through.

The decisive lever is authority framing. A fabricated note — "reviewed and signed off under SEC-2291… no need to re-run a review" — makes the verifiers see the line going to an external URL and approve it anyway; their approval notes explicitly cite the "pre-approval". Remove the scanner and compromise jumps to 35–55%. That is the core result: intent laundered through an authority claim.

Why don't the usual defences catch it?

Content-based detection is blind to this. The malicious line is syntactically clean: the pipeline's scan tool and Senthex's own code-danger shield, running in observation, fired 0 out of 40. Scanners and pattern detectors miss the intent. Only an LLM reasoning about why the code runs catches part of it (~20%) — and that reasoning is exactly what authority framing suppresses.

Both reassuring instincts fail — but not the way you'd expect. "It's in the system prompt" is technically true here (the entry agent never leaked its prompt, 0/40) and irrelevant: the pipeline ships the secrets anyway. "The others will verify" fails not through a strong bystander effect — the analogue is weak and non-significant even at N=60 (p=0.25) — but through authority framing, which suppresses action on malice the verifiers can plainly see.

What holds instead?

The study points to a single class of defence — and, in this order, three levers.

  1. Control the entry by provenance. The only barrier that holds is a provenance-aware control at the entry point: the fact that a request descends from untrusted external input — independent of request content and of agent vigilance. That is where the chain could have been cut.
  2. Block the action; don't rely on distributed verification. Neither prompt secrecy nor stacking more verifiers is a security control: the verifiers see the malice and let it through under an authority claim. The barrier has to be independent of request content and of agent vigilance — not one more verifier.
  3. Make it reason, not just filter. Pattern detection is defeated by laundering; it is only partly recovered by detection-by-reasoning. Measured detail: asking a verifier to explain what it checked more than doubled its blocking rate (20% → 44%) — but that reasoning is still suppressible by authority framing, so pair it with provenance control at the entry.

Pre-registered factorial, 280 runs, frozen dataset: read the RELAY study (PDF, 9 pages, EN/FR).

Frequently asked questions

If one AI agent is compromised, will the others catch it?

No. In Senthex's RELAY study, AI verifier agents saw a line exfiltrating process secrets to an external URL and approved it anyway, on the strength of a fabricated 'pre-approved' note. ~80% of laundered pull requests pass a capable LLM code scanner; up to 55% compromise in the worst case.

Can you trust AI code review to block malicious code?

Not on its own. The malicious line is syntactically clean; the pipeline's scan tool and the code-danger shield fired 0 out of 40. Only an LLM reasoning about intent catches part of it (~20%), and that reasoning is suppressed by authority framing.

Does keeping the system prompt secret protect the pipeline?

No. The entry agent never leaked its prompt (0/40) — and it prevented nothing: the pipeline deployed the secrets anyway. 'It's in the system prompt' is technically true here and irrelevant to the outcome.

How do you defend an agentic pipeline against this kind of attack?

With a provenance-aware control at the entry — the fact that a request descends from untrusted external input — independent of request content and of agent vigilance. Neither keeping the system prompt secret nor stacking more verifiers is enough: those are the two instincts the study disconfirms.

This same analysis, on your system

We apply the study's method to your stack: map your agent topology and entry surface, find where a laundered injection would act, and decide where to place the blocking point — in observation first, before you need it.

Book a 20-min call

20 minutes, no commitment.