The blind spot in current AI guardrails

Guardrail middleware for AI agents is maturing fast. LangChain ships native guardrails. NeMo Guardrails and Guardrails AI are established. Between input filtering, output moderation, tool sandboxing, and audit logging, there’s a real defense-in-depth stack available today.

All four of those layers check one agent, one message, at one point in time. None of them ask a different question: is this same payload echoing across three different agents in my system right now?

That question — propagation across a mesh, not content within a single message — is exactly the mechanism a self-replicating prompt attack (the “Morris-II” class) exploits. An adversarial input tricks Agent A into mirroring that input into its own output. Any downstream agent that consumes A’s output re-triggers the same behavior. No file dropped, no code executed — the conversation itself is the propagation mechanism.

I built ImmuneMesh — a sandboxed research prototype — to test one idea: give a multi-agent mesh a shared memory, the way biological adaptive immunity works, so once one agent is fooled, the rest aren’t. 🧠