The handoff problem: accountability at the moment one AI agent passes work to another
A multi-agent system rarely has one agent doing everything. In practice, agent A gathers information, agent B processes it, agent C acts on the result. Each of those transitions — the moment work moves from one agent to the next — is a handoff. The handoff is so common that it has become invisible in the architecture. That invisibility is the problem.
What actually transfers at handoff
When agent A passes work to agent B, two things happen that most systems treat as the same thing: state transfers, and authorization is assumed to transfer with it. These are not the same thing. State is the data, the context, the task description — everything the receiving agent needs to continue the work. Authorization is the claim that agent B is permitted to continue this work, on behalf of the original principal, within the scope the principal actually granted.
State is easy to transfer. Authorization is not. The typical handoff passes the state and expects agent B to infer that the handoff itself is authorization enough. This assumption works when everything is operating correctly. It fails in exactly the conditions that matter: when the handoff is injected, intercepted, or replayed by an adversary who wants agent B to take an action the original principal never authorized.
The receiving agent's dilemma
Agent B faces a structural problem at every handoff: it cannot independently verify the legitimacy of the work being handed to it without a signed, verifiable handoff record. If it trusts everything it receives from agent A, it becomes a vector for any adversary who can impersonate agent A or modify the handoff payload. If it refuses to act without verification, it breaks the workflow.
Most agentic system designs resolve this dilemma by trusting, implicitly, that anything arriving on an internal message channel is legitimate. This assumption is reasonable in tightly controlled deployments. It is unreasonable in any deployment where the channel between agents crosses a network boundary, where agent A is itself processing untrusted input before forming the handoff, or where tools called during agent A's work introduce external data into the handoff payload. The context poisoning problem and the supply chain problem both intersect here: an agent that has received corrupted context will pass that corruption forward in its handoff, and the receiving agent has no mechanism to detect it.
Physical-world handoffs in care environments
The handoff problem has a human analogue in clinical settings that has been studied and standardized for decades. Clinical handoffs — between shifts, between care teams, between facilities — follow structured protocols because the consequences of incomplete transfer are measurable and serious. A patient whose medication history is not accurately transferred, whose ongoing monitoring is not explicitly handed off, is a patient at risk.
Agent-to-agent handoffs in care environments have no equivalent standard. When a monitoring agent transitions responsibility to an escalation agent, what constitutes a complete handoff? What must the receiving agent verify before accepting responsibility for a person's care continuity? What happens to the accountability record at the moment of transfer? In care, the accountability record is not a technical artifact — it is the evidence base from which care decisions are made and reviewed. An audit trail that covers agent A's observations but has a gap at the handoff moment, then resumes with agent B's actions, cannot reconstruct what the system knew at the moment the decision to escalate was made. That gap is not a logging failure. It is an accountability vacuum at the exact moment accountability matters most.
Signed handoffs and the post-quantum angle
A well-designed handoff generates a handoff record: a signed document that specifies who is transferring, who is receiving, what authorization the handoff carries and where that authorization originates in the principal hierarchy, and what state is being transferred. The receiving agent verifies the signature before accepting the handoff. This is not conceptually complex. It is rarely implemented.
The post-quantum transition matters here for the same reason it matters for termination signals and non-repudiation: a handoff record signed with classical asymmetric cryptography today may be forgeable in the future. An adversary who captures handoff traffic now can, with sufficient future capability, construct plausible-looking handoff records that authorize actions the original principal never permitted — effectively rewriting the authorization chain of a pipeline that has already run. For long-running agentic deployments, the handoff signing mechanism needs to be quantum-resistant from the start, not retrofitted after the cryptographic assumptions shift.
Hardware attestation compounds this. When a handoff crosses a device boundary — one embedded unit passing responsibility to another in a care environment — hardware attestation tells you that each device is running what it claims to run. It does not authenticate the handoff payload itself. A device whose firmware is attested can still forward a forged or corrupted handoff record. The attestation and the handoff record are separate accountability claims and must both be present for the chain to hold.
What complete handoff architecture requires
A serious handoff architecture has four components that must exist before any multi-agent pipeline handles consequential decisions. First, an explicit handoff record created at the moment of transfer: specifying the transferring agent, the receiving agent, the scope being transferred, and the originating authorization chain. Second, a receiving-agent verification step that checks the handoff record's signature and validates the authorization chain before acting on the transferred state. Third, a state consistency check — the receiving agent confirms that the transferred state is internally coherent and within the scope it has been authorized to process. Fourth, a unified accountability log that treats handoffs as first-class events, so that the full sequence of agent actions across an entire pipeline can be reconstructed from a single auditable trail.
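The four components above as a minimal Go implementation, added here as an example rather than code from the article: agent A signs a handoff record that binds sender, receiver, originating principal, scope and a hash of the transferred state, and agent B checks signature, authorization chain, state consistency and replay before logging the handoff as a first-class event. Ed25519 stands in for whichever signature scheme the deployment chooses (a long-running deployment would want a quantum-resistant one, as the previous section argues); the record fields, the Receiver type and its in-memory grant table are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
type HandoffRecord struct { // the signed handoff document; field layout is an assumption
	From, To  string   // transferring and receiving agent
	Principal string   // where the carried authorization originates
	Scope     []string // actions the receiver may take on the principal's behalf
	StateHash [32]byte // SHA-256 of the transferred state, so state and record cannot drift apart
	Nonce     uint64   // unique per handoff, so a captured record cannot be replayed
}
type Receiver struct { // what agent B needs to verify a handoff without trusting agent A
	Name    string
	Senders map[string]ed25519.PublicKey // trusted signing key per agent
	Grants  map[string]map[string]bool   // principal -> actions the principal actually granted
	Seen    map[uint64]bool              // nonces already accepted
	Log     []string                     // unified accountability log; handoffs are first-class events
}
// Sign is agent A's side: record and state hash are signed as one unit.
func Sign(rec HandoffRecord, key ed25519.PrivateKey) (record, sig []byte) {
	record, _ = json.Marshal(rec)
	return record, ed25519.Sign(key, record)
}
// Accept is agent B's gate: signature, authorization chain, state and replay are checked before logging.
func (r *Receiver) Accept(record, sig, state []byte) (HandoffRecord, error) {
	var rec HandoffRecord
	if err := json.Unmarshal(record, &rec); err != nil {
		return rec, err
	}
	if pub, ok := r.Senders[rec.From]; !ok || !ed25519.Verify(pub, record, sig) {
		return rec, errors.New("signature invalid or sender unknown")
	}
	if rec.To != r.Name || r.Seen[rec.Nonce] {
		return rec, errors.New("not addressed to this agent, or replayed")
	}
	for _, a := range rec.Scope { // scope must stay inside what the principal granted
		if !r.Grants[rec.Principal][a] {
			return rec, errors.New("scope exceeds what the principal granted: " + a)
		}
	}
	if sha256.Sum256(state) != rec.StateHash {
		return rec, errors.New("transferred state does not match the signed record")
	}
	r.Seen[rec.Nonce] = true
	r.Log = append(r.Log, "handoff "+rec.From+"->"+rec.To+" on behalf of "+rec.Principal)
	return rec, nil
}
```

The device attestation discussed in the previous section is a separate claim and is deliberately not folded into Accept; it would be checked alongside the record, not instead of it.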
None of these components is expensive relative to the cost of the agentic system itself. All of them are regularly omitted because the handoff appears to be a plumbing detail rather than an accountability surface. The handoff is the accountability surface. It is the exact moment when responsibility moves from one agent to another — and if that moment is undocumented, unsigned, and unverified, the audit trail that comes after it is built on an assumption, not a fact.
Summary
In a multi-agent system, the handoff between agents is the most common event and the least scrutinized accountability surface. When agent A passes work to agent B, the state transfer is explicit, but the authorization is usually implicit, unsigned, and unverified. The receiving agent faces a structural dilemma: if it trusts everything it receives, it becomes a vector for an attacker; if it refuses unverified content, the workflow breaks. In care environments, agent-to-agent handoffs have no equivalent of the clinical handoff protocols refined over decades of study, and the accountability gap at the moment of handoff falls exactly at the most critical decision point. The post-quantum transition adds a further layer: a handoff record signed with classical cryptography today may be forgeable in the future. A complete handoff architecture needs four elements: an explicit handoff record, a signature verification step by the receiving agent, a state consistency check, and a unified accountability log that treats handoffs as first-class events.