Multi-Agent Tagging Systems Overview

• Multi-agent tagging systems are distributed computational frameworks that enable autonomous agents to collaboratively tag entities in dynamic, high-stakes environments.
• They utilize diverse methodologies, including cooperative MDPs, heuristics, FDQN, and LLM-driven pipelines, to enhance accuracy, scalability, and security.
• Practical deployments reveal significant benefits in emergency response, enterprise annotation, and educational tagging, while robust strategies defend against prompt-injection attacks.

Multi-agent tagging systems are distributed computational frameworks in which multiple autonomous agents collaborate or coordinate to assign task-relevant tags or labels to entities such as victims in emergencies, customer utterances, or educational content. These systems leverage diverse architectures, from rule-based heuristics and deep reinforcement learning agents to LLM-driven annotators, to achieve robust, scalable, and context-adaptive tagging performance in domains characterized by complexity, uncertainty, or adversarial threats. Key deployments include cooperative victim labeling in emergency response, enterprise-scale annotation of financial data, and secure inter-agent communication against prompt-injection attacks.

1. Formal Problem Definitions and System Architectures

Multi-agent tagging tasks are typically formulated as cooperative multi-agent Markov Decision Processes (MDPs) or as multi-step annotation pipelines with parallel or hierarchical agent compositions.

Victim Tagging in Emergency Response: The formal model is a cooperative MDP: $$M = \bigl(n, \mathcal{S}, \mathcal{A}, P, \mathcal{R}, \gamma\bigr)$$ where $n$ is the agent count ($r_1,\ldots,r_n$), $\mathcal S$ encodes the global state (including agent FSM states, victim selection and tag status), and $\mathcal A$ the joint action space with action masking for illegal FSM transitions. Transition dynamics $P$ are deterministic and encode spatial movement and tagging durations. Rewards are a function of both individual and team-level performance, with temporal decay and bonus per new victim tagged. The objective is to minimize the finish time: $$T_{\mathrm{all}} = \min \left\{ t \mid \forall j,\ g_j(t) = 1 \right\}$$ (Cardei et al., 2 Mar 2025).

Enterprise Annotation (MAFA): MAFA uses a configuration-driven, multi-agent pipeline consisting of:

• Central Orchestrator
• Query Planning Agent
• Four Annotation Agents (primary/full-context, embedding/no-embedding)
• Judge Agent (consensus-based aggregation and final decision) Agents interact using structured JSON (Attentive Reasoning Query), with parallel execution and human-in-the-loop routing for low-confidence cases (Hegazy et al., 16 Oct 2025).

Knowledge Tagging in Education: Tagging is orchestrated as a sequence of specialized LLM-driven agents:

• Task Planner (decomposes complex tagging criteria)
• Question Solver
• Semantic Judger
• Numerical Judger (argument extraction & code execution)
• Aggregator (AND-aggregation of sub-judgments) This factorization improves precision for concept–question matching relative to single-prompt baselines (Li et al., 2024).

LLM Security Tagging: Each inter-agent message $m = (o, c)$ is tagged with origin ($o$ in $\{\text{USER}, A_1, ..., A_n\}$), with verification and enforcement at all send/receive boundaries to protect against self-replicating prompt-injection (prompt infection) (Lee et al., 2024).

2. Tagging Methodologies and Coordination Heuristics

Distributed Heuristics:

Several practical heuristics are considered in cooperative physical tasks:

• Random Victim Policy (RVP): Agents select untagged victims randomly, assuming global knowledge.
• Nearest Victim Policy (NVP): Selects globally closest untagged, unassigned victim—requires global state sharing.
• Local Nearest Victim Policy (LNVP): Bases selection solely on local proximity; includes replanning if another agent has already selected the current target but is farther away by threshold $\zeta$.
• Local Critical Victim Policy (LCVP): Prioritizes critical victims ($h_l<0.5$) before falling back to LNVP.
• Local Grid Assignment Policy (LGAP): Area partitioning for spatially local assignment; purely local observations, no explicit agent messaging (Cardei et al., 2 Mar 2025).

Learning-Based Multi-Agent Methods:

• Factorized Deep Q-Network (FDQN): Adopts value decomposition: each agent head $Q_i(s, a_i;\theta)$ contributes to the joint Q-value via $$Q_\text{joint}(s,a) = \sum_{i=1}^n Q_i(s, a_i; \theta)$$. Training uses centralized replay and action masking for FSM enforcement, with optimization via Adam and $\epsilon$-greedy exploration (Cardei et al., 2 Mar 2025).

Annotation by Parallel LLM Agents:

• MAFA employs four specialized annotation agents (embedding-based and non-embedding, each with primary/full-context focus), which independently propose top-$K$ labels with confidence scores. The Judge Agent uses weighted consensus, with weights $w_i$ reflecting agent accuracy over a rolling window. Consensus: $S(a) = \sum_{i=1}^4 w_i \cdot (s_{i,a}/100)$ Final rank determines top suggestions and high/medium/low confidence bands for human review (Hegazy et al., 16 Oct 2025).

LLM-Based Task Decomposition:

In knowledge tagging, the LLM pipeline decomposes the tagging function $F(k, q) \in \{0,1\}$ into simpler sub-judgments, formally: $$Y = \bigwedge_{S_j \in S} y_{S_j} \land \bigwedge_{N_l \in N} y_{N_l}$$ where $y_{S_j}$ and $y_{N_l}$ are the outputs of semantic and numeric judgers, respectively (Li et al., 2024).

3. Empirical Evaluation and Performance

System	Domain	Best Reported Accuracy	F1 Score	Key Strength
FDQN	Victim Tagging	12.8 steps (R1)	--	Small, structured cases
LNVP Heuristic	Victim Tagging	89.0 steps (R8)	--	Large-scale, high-uncert.
MAFA (Full)	Annotation	83.7% (Top-1)	91.0%	Parallel, confidence HIL
Multi-Ag. LLM	Edu Tagging	86.9%	81.75%	Precision, transparency
Single LLM	Edu Tagging	88.4%	85.46%	Higher recall

Interpretation: In cooperative victim tagging tasks, locally communicating heuristics such as LNVP outperform learning-based MARL (FDQN) in large or high-uncertainty domains, whereas FDQN achieves superior results in small, well-structured instances. MAFA's parallel LLM-based annotation pipeline with judge-based consensus yields significant improvements over single-agent or single-model settings, with +13.8 percentage points Top-1 accuracy and +16.9 points F1 over single-agent baselines in financial annotation. Educational knowledge tagging using LLM-based multi-agent systems trades a modest reduction in recall for a substantial boost in precision—crucial for minimizing over-tagging of pedagogical concepts (Cardei et al., 2 Mar 2025, Hegazy et al., 16 Oct 2025, Li et al., 2024).

4. Adaptivity, Configuration, and Task Generalization

MAFA and related systems are explicitly designed for dynamic adaptation. Central to this is externalized configuration (AnnotationConfig), specifying annotation schema, thresholds, matching verbs, and columns to support rapid addition of new task types (e.g., entities, intents, categories) without code modification. YAML-based task definitions allow organizations to switch or expand tagging schemes modularly. Dynamic adjustment of confidence-band thresholds and agent weighting enables ongoing recalibration based on live performance data (Hegazy et al., 16 Oct 2025).

In knowledge tagging, the multi-agent structure allows straightforward extension by incorporating additional sub-agents (e.g., for multi-modal constraints), and modular replacement or retraining of any component agent (e.g., swapping GPT-4o for another backend in the Numerical Judger) (Li et al., 2024).

5. Security and Robustness in Multi-Agent Tagging

Prompt Infection presents a novel LLM-to-LLM prompt-injection attack in multi-agent systems, with the infection propagating by self-replication across communication boundaries. To mitigate such threats, LLM Tagging mandates origin-labeling of every inter-agent message. Only USER-originated content is accepted for execution; agent-tagged outputs are excluded from prompt input, provably halting self-replication post-initial compromise:

• Combined with orthogonal defenses (e.g., Marking, Instruction defense), LLM Tagging reduces Attack Success Rate (ASR) from ~90% (no defense) to 0–3%.
• Tagging alone reduces ASR by only 5%, but when combined with strong marker-based approaches, achieves full containment (Lee et al., 2024).

Limitations include the syntactic vulnerability of plain-text tags (susceptible to attacker manipulation) and absence of cryptographic origin guarantees. Proposed extensions include signature-based tags, out-of-band metadata tagging, and random per-session tag rotation for enhanced security. Best practices demand strict message provenance enforcement, tag-based filtering, and complementing tagging with additional isolation mechanisms.

6. Challenges, Limitations, and Future Directions

The reviewed systems highlight persistent scalability and reliability challenges:

• Victim Tagging: Scaling MARL approaches such as FDQN to very large agent counts or to environments with continuous observation spaces remains unresolved; partial observability and non-stationary dynamics demand new architectures (e.g., learned message passing, QMIX-style mixing networks) (Cardei et al., 2 Mar 2025).
• Educational Tagging: Hard-AND aggregation propagates any sub-agent's error to the system output, reducing recall; dynamic or soft aggregation, agent pruning, and meta-learning planners are open research topics. Extension to multi-modal and symbolic/mathematical verification further increases complexity (Li et al., 2024).
• Enterprise Annotation: Maintaining low latency and full auditability under high QPS loads, ensuring transparency and error analysis, and managing failure modes (e.g., out-of-domain queries, multi-intent ambiguity) are ongoing concerns. Confidence-aware workload allocation and structured prompting have proven effective in reducing annotator workload and hallucination rates (Hegazy et al., 16 Oct 2025).
• Security: Plain-text tagging alone is insufficient for high-assurance domains. Future directions include cryptographic integrity assurance, non-linguistic formal markings, and adaptive tag protocols (Lee et al., 2024).

Adaptively combining rule-based heuristics, deep MARL, and LLM-driven logic remains the frontier for robust, scalable, and secure multi-agent tagging.

7. Practical Implications and Impact

Multi-agent tagging systems have demonstrated substantial operational impact:

• Automated annotation pipelines (e.g., MAFA) have eliminated million-scale annotation backlogs in industry deployments, increased human–machine agreement by 14 percentage points, and saved thousands of annotation hours (Hegazy et al., 16 Oct 2025).
• In educational domains, multi-agent LLM pipelines yield precision gains critical for high-stakes tagging, with modular architectures enabling transparent error analysis and straightforward integration of new constraint types (Li et al., 2024).
• In security and safety-critical NLP, mandatory tagging protocols restore strong integrity and authenticity boundaries in LLM-based multi-agent workflows, providing a template for layered defense against self-propagating prompt-injection threats (Lee et al., 2024).
• Hybrid deployment strategies—combining distributed heuristics and learning-based cooperation—are especially effective in dynamic, high-uncertainty environments such as mass casualty incident response (Cardei et al., 2 Mar 2025).

This collection of results substantiates the efficacy of modular, configurable, and security-aware multi-agent tagging systems in real-world, large-scale, and adversarial contexts.