LLM-powered Multi-Agent Systems Overview
- LLM-MAS are systems where LLM-driven agents interact using natural language, tools, and environmental feedback to achieve both individual and collective goals.
- Modern architectures combine heterogeneous agents, layered communication protocols, and adaptive learning to optimize performance amid uncertainty and security challenges.
- Formal models and game-theoretic frameworks underpin LLM-MAS, highlighting the importance of coordinated reasoning, dynamic risk management, and scalable adaptation.
LLM-powered multi-agent systems (LLM-MAS) are multi-agent systems in which LLM-based agents interact with each other, humans, and the environment to achieve individual or collective goals, often leveraging external tools and knowledge; recent work further treats them as unified, dynamic socio-technical systems composed of heterogeneous agents interacting through natural language, tools, and environments in open, uncertain settings (Hu et al., 3 Feb 2025, Hu et al., 15 Oct 2025). Across current research, LLM-MAS are studied simultaneously as engineering architectures for distributed reasoning, as stochastic or game-theoretic systems of interacting policies, and as safety-critical organizations whose reliability depends on coordination, uncertainty management, security, and governance across the full system lifecycle (Hao et al., 21 Jan 2026).
1. Conceptual foundations
The contemporary literature defines LLM-MAS at a level broader than prompt-chained role play. In the systems view, agents may be software, robotics, embodied, or human agents, and their interactions are mediated by natural language communication, tool use, memory, and environmental feedback rather than by fixed symbolic protocols alone (Hu et al., 3 Feb 2025). A closely related line of work argues that the central normative property in such systems is not merely local alignment of each agent, but system-level “agreement”: coordinated outputs, collective decisions, unified semantic interpretations, bounded disagreement, and traceable behavior under uncertainty and attack (Hu et al., 15 Oct 2025).
A complementary theoretical synthesis organizes LLM-MAS through the four primitives of game theory—players, strategies, payoffs, and information. Under this lens, normal-form games capture static strategic interactions; extensive-form games model turn-taking, message passing, tool calls, and verification loops; Markov or stochastic games model dynamic environments; and Bayesian games model incomplete information about capabilities, preferences, or private context (Hao et al., 21 Jan 2026). This framing is not merely classificatory. It suggests that role assignment, communication protocols, voting rules, debate, auctions, and arbitration are all design choices that instantiate particular information structures and equilibrium-selection mechanisms.
Evaluation theory has also shifted from raw benchmark comparison toward explicit task characterization. A representative proposal models task complexity along two dimensions: depth, the number of sequential reasoning steps, and width, the number of capability-specific micro-operations per step. For a task with per-step success and depth , the corresponding single-agent and multi-agent success models are
and
with relative gain
Under the assumptions used in that analysis, increases with both depth and width, but the effect is more pronounced with respect to depth (Tang et al., 5 Oct 2025). This suggests that LLM-MAS are not uniformly advantageous; their benefits are conditional on the structure of the task and on the interaction protocol that realizes collective reasoning.
2. Architectures and coordination patterns
The canonical LLM-MAS architecture now comprises more than a set of prompted roles. One widely cited target architecture includes an agent layer of heterogeneous role-specialized agents, a tool API layer, a RAG and memory stack, an authenticated and logged communication bus, orchestration for task decomposition and coordination, moderation and governance components, human-in-the-loop interfaces, and end-to-end provenance and monitoring (Hu et al., 3 Feb 2025). Communication topologies are often classified as centralized, decentralized, or layered. In centralized systems, a coordinator decomposes tasks and aggregates outputs; in decentralized systems, peers discuss and vote; in layered systems, analysts, solvers, and validators are arranged hierarchically, with control stratified across levels (Xie et al., 7 Jul 2025).
Several frameworks exemplify distinct coordination philosophies. SynergyMAS uses a hierarchical “boss” orchestrator, specialized agents such as Product Manager, Market Research Analyst, Product Designer, and Sales Manager, a Neo4j graph knowledge base, Answer Set Programming via Clingo, a modified Corrective RAG pipeline with Chroma and Tavily, and explicit “My Beliefs” sections to operationalize Theory of Mind (Kostka et al., 2 Jul 2025). MAS-GPT reframes MAS construction itself as a generative language task, training an LLM to map a query to executable Python code that defines agents, prompts, interactions, and orchestration in a single inference (Ye et al., 5 Mar 2025). X-MAS replaces homogeneous backbones with heterogeneous LLM assignments per role and domain-function combination, showing that model diversity can be injected without changing the underlying MAS topology (Ye et al., 22 May 2025).
A more recent family of systems centers on adaptation after deployment. MASFly constructs task-specific operation procedures at test time by retrieving prior successful collaboration patterns from an SOP repository and supervising execution with a global Watcher agent backed by a personalized experience pool (Liu et al., 14 Feb 2026). MAS introduces a “generator-implementer-rectifier” tri-agent meta-system that first architects a workflow template, then assigns concrete backbones to roles, and finally patches or recomposes the downstream MAS when failures or budget overruns are detected (Wang et al., 29 Sep 2025). Meta-Team, in turn, treats the MAS itself as an evolving organization: it preserves each agent’s local execution context, coordinates post-task communication, and updates the system at three scales—agent behavior, pairwise coordination, and team-level organization—through collaborative self-evolution (Hao et al., 28 May 2026).
Homogeneous architectures remain important because they isolate coordination effects. SIMAS, a Sequential Iterative Multi-Agent System, fixes all agents to the same base LLM and same parameters, introduces diversity only through agent profiles, and lets agents speak sequentially over a fixed number of rounds before the first agent synthesizes the final answer. This minimalist design is used to study how performance scales as the number of agents increases when heterogeneity is held constant (Li et al., 30 May 2026).
3. Formal models, learning, and optimization
Formalization efforts in LLM-MAS span executable program synthesis, reinforcement learning, constrained combinatorial optimization, and controlled stochastic processes. MAS-GPT represents an MAS as executable code and optimizes a supervised objective
where the output includes a reasoning paragraph and Python code implementing the system. The resulting generator can produce query-adaptive MASes with a single LLM call for the design phase (Ye et al., 5 Mar 2025).
From a cooperative control perspective, LLM collaboration has been formulated as a Dec-POMDP. MAGRPO treats agents as decentralized policies over local histories, uses strictly joint rewards, and replaces centralized critics with group-relative advantage estimation. Its central estimator is
0
with PPO-style clipped updates for each agent policy (Liu et al., 6 Aug 2025). The intent is to preserve centralized training signals while avoiding value-function architectures that scale poorly to massive language action spaces.
Optimization-based coordination has also been pushed further. SGTO-MAS formulates secure agent selection as a constrained binary optimization problem over a candidate pool, with a total objective that combines attack suppression benefit, trust, compatibility, historical quality, collective intelligence, hallucination risk, tool misuse risk, data leakage risk, computational cost, groupthink penalties, and role-balance penalties. Its full fitness is
1
and candidate subsets are optimized by a risk-aware variant of Gorilla Troops Optimization (Jamshidi, 6 Jun 2026).
In simulation settings, LLM-MAS have been cast as controlled Markov chains with decision-dependent uncertainty. One service-operations framework embeds the design vector 2 directly into agent prompts, treats the resulting interaction dynamics as a kernel 3, and optimizes a steady-state objective
4
Its on-trajectory learning algorithm uses zeroth-order smoothing and updates
5
thereby constructing gradient estimates and improving design parameters on a single evolving simulation trajectory (Wang et al., 6 Apr 2026).
Automatic design has also moved from topology search toward reasoning-module search. ARM defines a step-generator 6 and a meta-policy 7, then discovers both by reflection-guided tree search over code. The central claim is that optimizing the atomic reasoning step—an agentic generalization of Chain-of-Thought—can outperform task-specific rediscovery of full architectures and generalize across tasks and backbones without per-domain redesign (Yao et al., 7 Oct 2025).
4. Agreement, uncertainty, and lifecycle governance
A central position in the recent literature is that responsibility in LLM-MAS cannot be reduced to per-agent RLHF, SFT, or similar local alignment mechanisms. Because inter-agent interactions create emergent conflicts, knowledge asymmetries, and cascading uncertainties, responsibility must be treated as a lifecycle-wide property spanning design, development, deployment, and maintenance or retirement (Hu et al., 15 Oct 2025). In this formulation, responsibility has three coupled dimensions: agreement, uncertainty, and security.
Agreement extends alignment to the system level. One formalization defines pairwise disagreement between agents 8 and 9 as
0
and system-wide agreement as
1
A system is then verifiably coherent when disagreement is bounded, uncertainty remains below threshold, and provenance-complete decision traces are available for audit (Hu et al., 15 Oct 2025).
Uncertainty is treated as both an internal and relational property. Agent-level uncertainty may be measured by predictive entropy,
2
and aggregated to the system level through
3
Conformal prediction is proposed as a way to constrain collective decisions to acceptable risk levels:
4
Associated engineering mechanisms include calibration metrics such as Brier score and expected calibration error, disagreement detection, entropy-based routing, abstention rules triggered when 5 or 6, and human escalation when uncertainty exceeds policy thresholds (Hu et al., 15 Oct 2025).
Governance is correspondingly dual-perspective. Interdisciplinary design combines domain knowledge, regulation, and technical specification; human–AI collaborative oversight assigns routine monitoring to AI moderators and exceptional adjudication to human moderators (Hu et al., 3 Feb 2025). Operational artifacts include checklists, model cards, system cards, provenance chains, logs, risk registers, decision records, and incident reports. In the stronger governance formulation, boards or regulators define acceptance criteria and risk thresholds; developers implement agreement, uncertainty, and security mechanisms; evaluators run pre- and post-deployment validation; and monitors or incident-response teams handle runtime oversight, triage, containment, and remediation (Hu et al., 15 Oct 2025). The result is a conception of LLM-MAS as auditable socio-technical systems rather than as collections of individually aligned black boxes.
5. Security, vulnerability, and adversarial behavior
Security research on LLM-MAS has converged on a broad threat surface that includes user inputs, individual agent internals, role profiles, tool chains, inter-agent messages, trust management, environment manipulation, and shared memory. A unifying attacker objective has been proposed as
7
where 8 ranges over system components the attacker can influence, 9 encodes capability constraints, and 0 denotes goals such as harmful behavior, resource exhaustion, performance degradation, or privacy leakage (He et al., 2 Jun 2025). The key claim is compositional: because one agent’s output becomes another’s input, vulnerabilities cascade in ways absent from single-agent systems.
Communication channels have emerged as a particularly severe point of failure. The Agent-in-the-Middle attack manipulates inter-agent messages without altering agent internals, tools, or external databases. Across AutoGen, CAMEL, MetaGPT, ChatDev, and multiple communication topologies, the reported targeted attack success rate exceeds 40% in all settings and often exceeds 70%; chain structures are the most vulnerable, and for denial-of-service objectives 23 of 32 cells exceed 80% ASR (He et al., 20 Feb 2025). The empirical pattern is that persuasive, role-consistent instructions embedded in expected message formats are often sufficient to compromise downstream reasoning, code generation, or refusal behavior.
Another line studies covert, intention-hiding malicious agents. Four representative paradigms are identified: Suboptimal Fixation, Reframing Misalignment, Fake Injection, and Execution Delay. These agents maintain cooperative-seeming, role-consistent behavior while steering the group toward inferior outcomes, tangential objectives, false premises, or inflated coordination costs (Xie et al., 7 Jul 2025). Their effects depend on topology: decentralized systems show the largest accuracy declines in generative tasks, layered systems are the most robust, and Execution Delay is hardest to detect because it resembles conscientious thoroughness. AgentXposed addresses this through HEXACO-based baseline profiling, deviation monitoring, and Reid-style progressive interrogation, with layered F1 values including 80.52 for Suboptimal Fixation and 70.34 for Execution Delay (Xie et al., 7 Jul 2025).
The broader responsibility literature treats such attacks as part of a continuous security dimension that includes collusion, poisoning through RAG and context windows, jailbreaking across modalities, wormhole and denial-of-service attacks, and covert signaling. The resulting prescription is runtime provenance monitoring, dependency tracking, guardrails, access control, sandboxing, agent isolation, secure communication, randomized smoothing for certified robustness, and machine unlearning for contaminated representations (Hu et al., 15 Oct 2025). A plausible implication is that security in LLM-MAS cannot be reduced to static prompt hardening or training-time filtering; it must be embedded in communication, tool governance, verification, and runtime intervention.
6. Empirical regimes, applications, and scaling behavior
Empirical work shows that LLM-MAS effectiveness is highly regime-dependent. Controlled studies of task complexity indicate that multi-agent gains over single-agent systems rise with both depth and width, with the effect more pronounced for depth (Tang et al., 5 Oct 2025). By contrast, controlled studies of homogeneous teams show that performance does not scale monotonically with agent count. In SIMAS, larger base models such as Llama-3.1-70B and Qwen2.5-72B often exhibit an inverted-U relationship in which performance improves up to a task-dependent peak and then declines as coordination overhead dominates; smaller 7B–8B models commonly degrade as agents are added and are therefore not “sufficiently driven” (Li et al., 30 May 2026). Token-padding controls further show that the degradation stems from coordination overhead rather than merely from long-context failure (Li et al., 30 May 2026).
Heterogeneity and adaptation can materially change this picture. X-MAS-Bench evaluates 27 LLMs across 5 domains, 21 test sets, and 5 MAS-related functions over more than 1.7 million evaluations, and uses the resulting capability landscape to assign different backbones to different roles (Ye et al., 22 May 2025). In a chatbot-only MAS scenario, the heterogeneous configuration yields up to 8.4% performance improvement on the MATH dataset; in a mixed chatbot-reasoner scenario, it yields a 47% performance boost on the AIME dataset (Ye et al., 22 May 2025). MASFly pushes this further through retrieval-augmented SOP instantiation and execution-time supervision, reporting a 61.7% final pass rate on TravelPlanner Sole-Planning and top performance on GAIA and coding benchmarks (Liu et al., 14 Feb 2026). Meta-Team emphasizes post-task collective learning rather than only test-time adaptation, and reports an average score of 62.7 across nine benchmark columns, exceeding both hand-crafted MAS and MASFly in its evaluation suite (Hao et al., 28 May 2026).
Application-specific studies show that LLM-MAS are already used as more than generic reasoning ensembles. In data-marketplace simulation, buyer and seller agents plan, search, price, purchase, analyze, update, and exit under budgets, trends, and entry dynamics; over 40 steps the reported system includes 1,149 buyers, 1,144 sellers, 3,014 transactions, and 401 unique traded datasets, and reproduces long-tail demand and scale-free buyer–seller network structure more faithfully than traditional approaches (Sashihara et al., 17 Nov 2025). In service-operations optimization, LLM agents are embedded in a controlled Markov simulator whose design variables enter prompts directly, and on-trajectory zeroth-order learning outperforms black-box optimization and prompt-only baselines in sustainable supply chain and contest-design settings (Wang et al., 6 Apr 2026). In autoformalization, MASA combines drafting agents, theorem-prover-based hard critique, LLM-based soft critique, refinement agents, and retrieval tools; its iterative self-refinement system reaches 35.25% and 61.89% of outputs that are both syntactically correct and semantically aligned for Qwen2.5-7B and GPT-4.1-mini, respectively (Zhang et al., 10 Oct 2025).
These results collectively indicate that empirical success depends less on the mere existence of multiple agents than on the interaction between task structure, topology, model capability, role assignment, verification, and adaptation. The literature therefore no longer treats LLM-MAS as a single method class with monotonic scaling, but as a family of organizational designs whose advantages emerge only under particular coordination regimes.
7. Open problems and research directions
Several unresolved problems recur across the literature. Formal verification remains difficult because current formal methods for LLMs face scalability and interpretability limits, prompting proposals for interactive proof protocols, neural-symbolic hybrids, and semantic uncertainty measures that go beyond purely probabilistic confidence (Hu et al., 15 Oct 2025). Safety evaluation remains fragmented: vulnerability analyses call for LLM-MAS-specific benchmarks that vary communication topology, role design, tool assignments, and protocol choices under explicit black-box, gray-box, and white-box threat models (He et al., 2 Jun 2025). Game-theoretic surveys similarly highlight the lack of standardized, reproducible benchmarks spanning cooperation, competition, and mixed-motive interaction (Hao et al., 21 Jan 2026).
Adaptation and learning remain open at multiple time scales. MASFly identifies heuristic intervention timing and repository coverage as current bottlenecks, and calls for learned Watcher policies and more scalable retrieval over collaboration patterns (Liu et al., 14 Feb 2026). Meta-Team points to the need to couple scaffold-level evolution with parameter-level learning such as fine-tuning or reinforcement learning, and to extend evolution beyond prompts and organization into tool APIs, memory backends, and verifier infrastructure (Hao et al., 28 May 2026). MARL-based approaches argue that joint-reward training can produce genuine cooperation, but larger heterogeneous teams, longer horizons, richer memory, and tool-mediated interaction remain underexplored (Liu et al., 6 Aug 2025).
Finally, a recurring methodological implication is that LLM-MAS should be designed and evaluated as organizations rather than as bundles of prompts. Agreement must be quantified at the collective level, uncertainty must be propagated and calibrated across interactions, security must be enforced at the level of messages, tools, and provenance, and performance claims must be conditioned on task depth, width, topology, and base-model capability (Tang et al., 5 Oct 2025, Hu et al., 15 Oct 2025). The emerging field is therefore moving toward an overview of orchestration, statistical learning, formal assurance, and socio-technical governance as the defining framework for LLM-powered multi-agent systems.