Language / 语言

多 Agent 系统:委托、交接与可验证的协作

Jul 2026 · Multi-Agent Systems / A2A / Orchestration / Agent Safety

多 agent 不是把一个 prompt 发给更多 worker。它是一项有成本、有权限、有合并风险的控制策略:谁决定是否委托,子任务能看见什么,谁能写入哪些工件,团队如何交接、冲突、取消和恢复,以及最后由谁在独立环境中验收。没有这些边界,“团队更强”的结论通常只是更多 token、更多权限或更多重试的别名。

中心命题:多 agent 的可报告单位是 root policy + delegation topology + worker harnesses + artifact/message contract + authority + merge/acceptance + total budget,不是 worker 数量,也不是某个底层模型单独的分数。

1. 什么时候协作值得,什么时候只是更贵

先判断任务结构,再决定是否并行。MAS-Orchestra 将任务按 depth、horizon、breadth、parallel 与 robustness 分解,并在其受控设置中发现多 agent 收益依赖任务结构、验证协议、orchestrator 与 worker 能力,而非普遍存在。Anthropic 的多 agent research system 描述其在开放式研究中用 orchestrator-worker 并行拓宽独立 context 的工程实践;这是特定系统的经验,不是所有任务都应多开 agent 的证据。

任务特征 协作可能带来的价值 首先应比较的替代方案 主要失败模式
可分离的证据检索或独立候选 覆盖更多互不依赖的线索 单 agent 更长搜索;顺序子任务 重复劳动、来源冲突、综合幻觉
私有状态的协商 每个 agent 只代表自己的约束 中央化但隐私隔离的 optimizer 不必要泄漏、偏置分配、无授权承诺
松耦合的并行执行 降低 wall-clock latency 队列/调度优化,不新增 worker 总 token/API 成本或峰值并发爆炸
同一代码面或共享副作用 很少;可能需要审查者而非并行写入者 单一 owner + 独立 reviewer 竞态、冲突 merge、重复副作用
高风险或不可逆动作 分离申请、审批、执行与验证角色 人工审批或安全停止 权限级联、责任不清、团队互相放行

最小反例。 当一个能力强的单 agent 在同一工具、同一总预算、同一初态下已能完成任务时,增加 worker 不能仅凭更高的总调用量被记作“协作增益”。只有缩短了达成独立验收终态的时间,或在不增加总资源的情况下提高了 verified outcome,才是值得报告的增量。

2. A2A 的作用:描述 task 与 artifact,不替代治理

A2A specification 将独立 agent 的互操作组织为 Agent Card、stateful Task、Message、Artifact、streaming 和 push notification。它让 client 发现远程 agent 的 declared capabilities,并追踪一个长任务的生命周期与交付物。A2A 是 agent-to-agent 的应用层协作协议;MCP 则是 agent-to-tool 的互操作协议。两者都不是“这个远程 agent 可信”“它的 output 正确”或“它获准代表用户进行任意业务动作”的证明。

特别是 Agent Card 是能力声明,不是结果认证。规范建议使用 HTTPS、避免公开 secrets,并在有签名时验证;实际的身份、授权、scope、invocation policy 和 audit 仍由部署方实现。Agent Tool Governance 中的 host-side capability grant、pre-commit interception 和 sidecar verifier 同样适用于每一跳 agent delegation。

3. 把一次委托写成 Delegation Ticket

不应把“帮我查一下”当作可审计的委托。根 agent 在发出任务前建立一张 ticket;worker 只能在 ticket 的边界内运行。

Ticket 字段 必须回答的问题 它防止什么
root / parent task 当前子任务服务哪个已声明的目标? 子 agent 自创目标或无限扩张
input manifest 输入工件、版本、来源标签、敏感级别与可见范围是什么? 把网页、tool output 或另一 agent 的话当作可信指令
deliverable contract 需要 claim、证据、artifact、失败说明还是可执行改动?由谁验证? 只返回自然语言结论,无法 merge 或复跑
capability grant 可读写哪些 workspace、tool、network、credential 与账户? 继承 parent 的宽权限或隐式升级
budget and deadline token、calls、wall clock、重试与并发上限是多少? 团队花费在后台不受控增长
delegation rule worker 能否继续委托?最大深度和取消条件? 递归 fan-out、循环依赖和责任丢失
return and merge route 输出回到谁,如何去重、冲突和拒绝? 多个 agent 直接写共享状态或静默覆盖

所有 ticket、grant、取消和工件 digest 都进入 append-only trace。子 agent 的语言输出可以是有用证据,但不是最终 truth:每个 return 至少标记 claimevidence_refsartifact_refsuncertaintyside_effectsremaining_authority。这样 parent 才能把“worker 说已经完成”与“独立 verifier 确认后端状态”区分开。

4. Handoff、Merge 与 Acceptance:团队不是一个大聊天记录

多 agent 的 handoff 应传递稳定工件和有限、可解释的上下文,而不是把所有 transcript 拼进下一轮 prompt。对可并行研究,worker 可交付 source table、实验运行记录或只读 artifact;对共享 workspace,建议一个 owner 拥有写入与 merge 权,其他 worker 提交 patch 或建议。对外部副作用,申请、批准、执行与验收可由不同角色持有,但它们不能共享一张无限期的 credential。

MAESTRO 输出 framework-agnostic trace、latency、cost 与 failure signals,并在其多 agent 案例中观察到 architecture 对资源、可复现性和 cost-latency-accuracy 权衡的影响可能大于后端模型或工具设置。MAFBench 的受控比较也报告 framework-level 选择会显著改变时延、规划与协调。二者是 preprint 的特定平台证据,但共同指出:比较团队时,trace 与完整配置不能省略。

阶段 Parent / orchestrator 责任 Independent evaluator 责任
Decompose 声明相互独立的子问题、共享约束、停止条件 检查任务是否被不必要地拆分以扩大资源
Delegate 绑定 ticket、窄 capability、可见输入与预算 检查 grant 是否超出子任务所需
Execute 隔离 workspace;保存 action / artifact events 检查不可信输入与违规 side effect
Merge 去重、冲突解决、证据溯源、拒绝低置信输出 检查 merge 是否破坏已验证 artifact 或全局约束
Accept 提交最终 artifact,记录未解决不确定性 在 candidate 无写权限的终态环境验证 outcome、完整性与成本

5. 协作需要自己的评测,而不只报告最终正确率

CalBench 给出一个必要多 agent 的例子:每个参与方保有私有日历,必须在不完全共享信息下达成可验证的协调;它可同时测量实现成本、通信效率、公平性和隐私泄漏。NRT-Bench 采用多角色团队与可回放的多轮攻击,并在临界安全功能丢失时给出客观的终止信号。这说明“team 运行完成”之外,还应测量安全、通讯和失败归因。

一个最小实验至少固定 base model、tool set、environment、任务分布、hidden evaluator 与总 token / wall-clock / worker-time,并比较:

  1. Single agent: 一个完整 context 与同样总资源,作为真正的 capacity baseline。
  2. Sequential decomposition: 同一 agent 或同一根策略串行完成子任务,区分分解本身与并行带来的作用。
  3. Parallel team: 明确 orchestrator、worker 数、ticket、角色、merge policy 和共享状态;总资源而非每 worker 资源必须相同。
  4. Ablations: 去掉 artifact contract、窄权限、parent review 或 cancellation,测量它们对终态、隐私、重复和安全的影响。

应同时报告:verified_successcost_per_verified_successtime_to_acceptance、token/call/worker-time、delegation_depth、重复劳动、merge conflict、空洞/未证据的 claim、权限违规、秘密/私有状态泄漏、误拒绝、失败恢复及 run-to-run variance。SABER 对 stateful coding workspace 的终态安全评测也说明,单轮拒绝分数不能替代连续 action 的后果测量。

6. 多 Agent 安全:责任不会随委托自动消失

每个 worker output、共享 memory、Agent Card、tool result 和 handoff 文档都可能成为不可信输入。委托还会把父级权限、时间和成本放大到多个执行路径,因此风险并非只在“恶意 worker”。Safe Bilevel Delegation 将 runtime delegation safety 形式化为带安全约束的双层优化问题,但它的实验协议在所查版本中仍标为计划性评测;它可作为“委托程度和问责应被形式化”的理论输入,不能作为已证明的实用系统结果。

安全任务应至少加入以下对抗控制:伪造或过时 Agent Card、worker message 中的 prompt injection、证明不足却要求 merge、从低风险读操作升级到高风险写操作、循环委托、取消后仍返回的迟到工件、私有信息被转写到团队消息、以及在 UI 看似完成但后端没有提交的跨 agent 工作流。每项都应有 paired benign task,避免用“全部拒绝”换取虚假安全。

验收门槛:只有当独立后端终态、同预算收益、最小权限、可归因 trace、低泄漏/低误拒绝和可恢复 cancellation 同时成立,才可称一个 multi-agent configuration 比单 agent 更可靠或更有效。多一个 Agent Card、更多角色名、更多 chat 消息,均不是证据。

7. 它如何回到五条核心研究线

核心线 多 Agent 新增的可测对象 不能替代什么
RSI / OpenRSI candidate 是否能改变 delegation / merge policy,且 acceptance 仍独立 跨代 held-out improvement 与完整性证据
Auto Research / ART 文献/实验子任务、证据工件、冲突和综合决定的谱系 一个可发表结论所需的 controls、复现与新颖性
Long horizon durable ticket、handoff、cancellation、late result 与恢复 外部状态重建和全局约束规划本身
Environment / ClawBench V2 role-specific authority、shared-state reset、sidecar verifier 与 team attack 只有一个 browser sandbox 或一个团队 success rate
Synthetic training / Agentic RL delegation / refusal / merge / recovery trajectories 及团队级 reward 证明合成或 RL 结果能迁移到未见协作任务

本文与Agent Tool Governance互补:工具治理约束单次外部 action;本文约束 agent-to-agent 的委托、消息和合并。相关的状态恢复见Long-horizon agents,五条主线的总览见Five Research Threads,更多邻接方向见Agent 热门方向地图

Multi-Agent Systems: Delegation, Handoffs, and Verifiable Collaboration

Jul 2026 · Multi-Agent Systems / A2A / Orchestration / Agent Safety

A multi-agent system is not a prompt sent to more workers. It is a costed control strategy with authority and merge risk: who decides to delegate, what a subtask may observe, who can write which artifacts, how the team hands off, resolves conflicts, cancels, and recovers, and who accepts the outcome in an independent environment. Without these boundaries, “the team is stronger” usually just means more tokens, broader authority, or more retries.

Central claim: the reportable unit for a multi-agent system is root policy + delegation topology + worker harnesses + artifact/message contract + authority + merge/acceptance + total budget, not worker count or a base model's score in isolation.

1. When Collaboration Is Worth It, and When It Is Only More Expensive

Judge task structure before choosing parallelism. MAS-Orchestra characterizes tasks by depth, horizon, breadth, parallelism, and robustness; in its controlled setting, its multi-agent gains depend on task structure, verification protocol, and orchestrator and worker capability rather than holding universally. Anthropic’s multi-agent research system describes using an orchestrator-worker design to widen independent context capacity for open-ended research. That is engineering experience from a particular system, not evidence that every task deserves more agents.

Task property Potential value of collaboration Alternative to compare first Primary failure mode
Separable evidence retrieval or independent candidates Cover more independent leads A single agent with longer search; sequential subtasks Duplicate work, source conflicts, synthesis hallucination
Negotiation over private state Each agent represents only its own constraints A centralized but privacy-isolated optimizer Unnecessary leakage, biased allocation, unauthorized commitments
Loosely coupled parallel execution Reduce wall-clock latency Queue/scheduling improvement without new workers Exploding total token/API cost or peak concurrency
One code surface or shared side effects Little; use a reviewer rather than parallel writers One owner plus an independent reviewer Races, merge conflicts, duplicate effects
High-risk or irreversible action Separate request, approval, execution, and verification roles Human approval or safe stop Authority cascades, unclear accountability, mutual rubber-stamping

Minimal counterexample. When a capable single agent can finish a task from the same initial state with the same tools and total budget, extra workers cannot be called a “collaboration gain” merely because total calls rose. Report a gain only when time to independently accepted terminal state falls, or verified outcome improves without increasing total resources.

2. What A2A Does: Describe Tasks and Artifacts, Not Replace Governance

The A2A specification organizes interoperation between independent agents around Agent Cards, stateful Tasks, Messages, Artifacts, streaming, and push notifications. It lets a client discover a remote agent’s declared capabilities and follow a long task’s lifecycle and deliverables. A2A is an application-level protocol for agent-to-agent collaboration, whereas MCP is an interoperability protocol for agent-to-tool use. Neither establishes that a remote agent is trustworthy, its output is correct, or it is authorized to take any business action on a user’s behalf.

An Agent Card is particularly a capability declaration, not a result certificate. The specification recommends HTTPS, avoiding public secrets, and verifying signatures when present. Identity, authorization, scopes, invocation policy, and auditing remain deployment responsibilities. The host-side capability grants, pre-commit interception, and sidecar verifier in Agent Tool Governance apply to every agent-delegation hop as well.

3. Express Each Delegation as a Delegation Ticket

“Please look into this” is not an auditable delegation. Before sending work, the root agent creates a ticket; the worker runs only within its boundary.

Ticket field Question it must answer What it prevents
Root / parent task Which declared goal does this subtask serve? A worker inventing goals or expanding indefinitely
Input manifest Which artifacts, versions, source labels, sensitivity levels, and visibility boundaries enter? Treating web, tool, or other-agent text as trusted instruction
Deliverable contract Is the output a claim, evidence, artifact, failure record, or executable change, and who verifies it? Natural-language conclusions that cannot be merged or replayed
Capability grant Which workspaces, tools, networks, credentials, and accounts may it read or write? Inheriting a parent’s broad authority or implicit escalation
Budget and deadline What are token, call, wall-clock, retry, and concurrency limits? Uncontrolled team expenditure in the background
Delegation rule Can a worker delegate again; what are depth and cancellation limits? Recursive fan-out, cycles, and lost accountability
Return and merge route Who receives output, and how are duplicates, conflicts, and rejection handled? Many agents writing shared state or silently overwriting each other

Every ticket, grant, cancellation, and artifact digest belongs in an append-only trace. A worker’s prose can be useful evidence, but it is not final truth. Each return should label at least claim, evidence_refs, artifact_refs, uncertainty, side_effects, and remaining_authority. The parent can then distinguish “a worker says it is complete” from “an independent verifier confirms backend state.”

4. Handoffs, Merges, and Acceptance: A Team Is Not One Large Chat History

Multi-agent handoffs should carry stable artifacts and bounded, interpretable context, not concatenate every transcript into the next prompt. For parallel research, workers can return source tables, experiment records, or read-only artifacts. On shared workspaces, one owner should retain write and merge authority while other workers submit patches or advice. For external effects, request, approval, execution, and acceptance can be held by different roles, but they must not share one unlimited credential.

MAESTRO exports framework-agnostic traces plus latency, cost, and failure signals, and its multi-agent cases find that architecture can drive resources, reproducibility, and cost-latency-accuracy trade-offs more than backend model or tool choice. MAFBench likewise reports substantial latency, planning, and coordination differences from framework-level choice under its controlled comparison. They are scoped preprint evidence, but jointly show why team comparisons cannot omit traces and full configuration.

Phase Parent / orchestrator responsibility Independent-evaluator responsibility
Decompose State independent subtasks, shared constraints, and stop conditions Check whether work was unnecessarily split to expand resources
Delegate Bind ticket, narrow capability, visible inputs, and budget Check whether grants exceed what the subtask needs
Execute Isolate workspaces and retain action/artifact events Check untrusted inputs and violating side effects
Merge Deduplicate, resolve conflicts, preserve evidence provenance, reject low-confidence output Check whether merging damages a verified artifact or global constraint
Accept Submit final artifact and record unresolved uncertainty Verify outcome, integrity, and cost in a terminal environment the candidate cannot write

5. Collaboration Needs Its Own Evaluation, Not Only Final Accuracy

CalBench gives a necessarily multi-agent case: each participant keeps a private calendar and must reach a verifiable coordination outcome without fully sharing information. It measures realized cost, communication efficiency, fairness, and privacy leakage together. NRT-Bench uses a multi-role team and replayable multi-turn attacks with an objective termination signal when a critical safety function is lost. These examples show that a team-run completion must be joined by safety, communication, and failure attribution measurements.

At minimum, fix the base model, tool set, environment, task distribution, hidden evaluator, and total token / wall-clock / worker-time budget, then compare:

  1. Single agent: one full context and the same total resources, the actual capacity baseline.
  2. Sequential decomposition: the same agent or root policy executes subtasks serially, separating decomposition from parallelism.
  3. Parallel team: declare orchestrator, worker count, tickets, roles, merge policy, and shared state; total resources, not per-worker resources, stay equal.
  4. Ablations: remove artifact contracts, narrow authority, parent review, or cancellation, then measure their effect on outcome, privacy, duplication, and safety.

Report verified_success, cost_per_verified_success, time_to_acceptance, tokens/calls/worker-time, delegation_depth, duplicated work, merge conflicts, unsupported claims, authority violations, secret/private-state leakage, false blocks, recovery, and run-to-run variance together. SABER’s stateful coding-workspace safety evaluation also shows why a single-turn refusal score cannot replace measuring the consequence of action sequences.

6. Multi-Agent Safety: Responsibility Does Not Disappear Through Delegation

Each worker output, shared memory, Agent Card, tool result, and handoff document can be untrusted input. Delegation also fans a parent’s authority, time, and cost across execution paths, so risk is not limited to a malicious worker. Safe Bilevel Delegation formalizes runtime delegation safety as a constrained bilevel optimization problem, but the version checked labels its empirical protocol as planned evaluation. It is theoretical input for making delegation degree and accountability explicit, not evidence of a proven practical system.

Safety tasks should include at least these adversarial controls: forged or stale Agent Cards; prompt injection in worker messages; insufficient evidence requesting a merge; escalation from a low-risk read to high-risk write; delegation cycles; late artifacts after cancellation; private information copied into team messages; and cross-agent workflows whose UI appears complete while the backend did not commit. Each needs a paired benign task, so a team cannot buy a fictional safety score by refusing everything.

Acceptance bar: call a multi-agent configuration more reliable or effective than a single agent only when independent backend outcome, equal-budget benefit, least privilege, attributable trace, low leakage and false-block rates, and recoverable cancellation hold together. Another Agent Card, more role names, or more chat messages is not evidence.

7. How It Returns to the Core Five

Core thread Measurable object added by multi-agent systems What it cannot replace
RSI / OpenRSI Whether a candidate edits delegation or merge policy while acceptance remains independent Cross-generation held-out improvement and integrity evidence
Auto Research / ART Lineage of literature/experiment subtasks, evidence artifacts, conflicts, and synthesis decisions Controls, reproduction, and novelty needed for a publishable claim
Long horizon Durable tickets, handoffs, cancellation, late results, and recovery External-state reconstruction and global-constraint planning themselves
Environment / ClawBench V2 Role-specific authority, shared-state reset, sidecar verifier, and team attacks One browser sandbox or one team success rate
Synthetic training / Agentic RL Delegation, refusal, merge, and recovery trajectories plus team-level reward Evidence that synthetic or RL results transfer to unseen collaborative tasks

This note complements Agent Tool Governance: tool governance constrains one external action, while this note constrains agent-to-agent delegation, messages, and merging. For durable state and recovery, see Long-horizon agents; for the core-five overview, see Five Research Threads; for adjacent directions, see Hot Agent Directions.