DEV Community

Calin Teodor

CrewAI Exfiltrated Data 65% of the Time. Where Is the Authentication Layer?

"We are building Multi-Agent Systems like it is 1995 — where is the authentication layer?"

That question, posted on a developer forum in late 2025, captures the state of agent security precisely. Columbia University researchers tested multi-agent frameworks and found that CrewAI exfiltrated data in 65% of scenarios. Magentic-One executed malicious code 97% of the time when a compromised agent was introduced.

These are not edge cases. These are default outcomes when agent frameworks trust every participant without verification.

The root cause: 45.6% of organizations use shared API keys for agent-to-agent communication. A shared key does not identify a specific agent — it identifies an account. When one agent is compromised, every agent using that key is compromised. Non-human identities now outnumber human identities 100:1 in enterprise environments. Manual credential provisioning does not scale.

Pilot Protocol implements zero trust from the ground up:

Ed25519 identity per agent. Not a username. Not an API key. A cryptographic key pair generated at pilotctl init. The identity is the agent, not a credential attached to it.

Invisible by default. A new agent cannot be discovered, enumerated, or connected to. There is no roster API. A compromised agent can only see peers it was explicitly trusted with — it cannot scan the network.

Mutual handshakes with justification. Both sides prove identity before any data flows, and each side verifies the other independently. The justification is signed and auditable: it is covered by the Ed25519 signature, so any alteration after signing is detectable.

Millisecond revocation. pilotctl untrust deletes the trust pair, tears down the tunnel, and notifies the peer. Atomically. No token cache to expire.
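The trust model in the four points above, as an added illustration written for this article rather than code from Pilot Protocol: each agent owns an Ed25519 key pair, a peer is reachable only once explicitly trusted, each side answers the other's random challenge with a signed Hello that carries a justification, and Untrust drops the peer so the next handshake is refused. The Hello layout, the function names, and the length-prefixed payload encoding are assumptions made for this example; Pilot's actual wire format is not shown on the page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Distinct errors so a caller can tell "not trusted" from "forged" with errors.Is.
var (
	ErrUnknownPeer   = errors.New("peer is not in the local trust list")
	ErrNonceMismatch = errors.New("hello does not answer the challenge we issued")
	ErrBadSignature  = errors.New("signature does not cover the hello payload")
)

// Agent owns one Ed25519 key pair (its identity) and an explicit map of trusted
// peers. A peer absent from the map is simply unreachable (hypothetical layout).
type Agent struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	trusted map[string]bool // keyed by raw public-key bytes
}

func NewAgent(name string) *Agent {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do but stop
	}
	return &Agent{Name: name, pub: pub, priv: priv, trusted: map[string]bool{}}
}

func (a *Agent) PublicKey() ed25519.PublicKey   { return a.pub }
func (a *Agent) Trust(peer ed25519.PublicKey)   { a.trusted[string(peer)] = true }
func (a *Agent) Untrust(peer ed25519.PublicKey) { delete(a.trusted, string(peer)) }

// Hello is one side's half of the handshake: who I am, which challenge I answer,
// why I want the connection, and a signature over all three (assumed format).
type Hello struct {
	Sender        ed25519.PublicKey
	Nonce         []byte
	Justification string
	Sig           []byte
}

// helloPayload is the canonical byte string the signature covers; fields are
// length-prefixed so shifting bytes between fields changes the payload.
func helloPayload(sender ed25519.PublicKey, nonce []byte, just string) []byte {
	var buf []byte
	for _, f := range [][]byte{sender, nonce, []byte(just)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf = append(append(buf, n[:]...), f...)
	}
	return buf
}

// Challenge issues a fresh nonce the peer must sign, so a captured Hello cannot be replayed.
func (a *Agent) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Answer signs the challenge together with the stated reason for connecting.
func (a *Agent) Answer(nonce []byte, justification string) Hello {
	sig := ed25519.Sign(a.priv, helloPayload(a.pub, nonce, justification))
	return Hello{Sender: a.pub, Nonce: nonce, Justification: justification, Sig: sig}
}

// Verify accepts a Hello only from an explicitly trusted peer, only for the nonce
// this agent issued, and only if the signature checks out. The trust lookup runs
// first: an unknown peer learns nothing, and ed25519.Verify (which panics on a
// malformed key length) only ever sees keys that were added through Trust.
func (a *Agent) Verify(issuedNonce []byte, h Hello) error {
	if !a.trusted[string(h.Sender)] {
		return ErrUnknownPeer
	}
	if !bytes.Equal(h.Nonce, issuedNonce) {
		return ErrNonceMismatch
	}
	if !ed25519.Verify(h.Sender, helloPayload(h.Sender, h.Nonce, h.Justification), h.Sig) {
		return ErrBadSignature
	}
	return nil
}

// MutualHandshake runs the exchange both ways; it succeeds only if each side
// has independently verified the other.
func MutualHandshake(a, b *Agent, justA, justB string) error {
	nonceForB := a.Challenge()
	if err := a.Verify(nonceForB, b.Answer(nonceForB, justB)); err != nil {
		return fmt.Errorf("%s rejected %s: %w", a.Name, b.Name, err)
	}
	nonceForA := b.Challenge()
	if err := b.Verify(nonceForA, a.Answer(nonceForA, justA)); err != nil {
		return fmt.Errorf("%s rejected %s: %w", b.Name, a.Name, err)
	}
	return nil
}
```

Calling MutualHandshake before either side has called Trust returns ErrUnknownPeer, because the trust check runs before any signature work; a one-sided Trust still fails in the other direction, changing the justification after signing yields ErrBadSignature, and after Untrust the very next handshake is refused. What this sketch leaves out, and a real transport must add, is encrypting the channel that follows the handshake and binding the Hello to that channel.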

Compare: A2A supports but does not enforce Agent Card signing. MCP relies on OAuth or API keys. Raw REST relies on bearer tokens. None of them makes per-agent authentication the default state.

Pilot does not replace these frameworks. It secures the transport layer underneath them. Your orchestration logic stays the same. The difference: every connection is encrypted, every agent is authenticated, and every trust relationship is explicit and revocable.


Read more: How to Secure AI Agent Communication With Zero Trust · The Trust Model: Why Agents Should Be Invisible by Default

pilotprotocol.network · GitHub
