LCGuard: Latent Communication Guard for Safe KV Sharing in Multi-Agent Systems

Sadia Asif, Mohammad Mohammadi Amiri, Momin Abbas, Prasanna Sattigeri, Karthikeyan Natesan Ramamurthy

#1042 of 2292 · Artificial Intelligence
Tournament Score: 1422±48
Win Rate: 57% (8 wins, 6 losses, 14 matches)
Rating: 6.8/10

Abstract

Large language model (LLM)-based multi-agent systems increasingly rely on intermediate communication to coordinate complex tasks. While most existing systems communicate through natural language, recent work shows that latent communication, particularly through transformer key-value (KV) caches, can improve efficiency and preserve richer task-relevant information. However, KV caches also encode contextual inputs, intermediate reasoning states, and agent-specific information, creating an opaque channel through which sensitive content may propagate across agents without explicit textual disclosure. To address this, we introduce LCGuard (Latent Communication Guard), a framework for safe KV-based latent communication in multi-agent LLM systems. LCGuard treats shared KV caches as latent working memory and learns representation-level transformations before cache artifacts are transmitted across agents. We formalize representation-level sensitive information leakage operationally through reconstruction: a shared cache artifact is unsafe if an adversarial decoder can recover agent-specific sensitive inputs from it. This leads to an adversarial training formulation in which the adversary learns to reconstruct sensitive inputs, while LCGuard learns transformations that preserve task-relevant semantics and reduce reconstructable information. Empirical evaluations across multiple model families and multi-agent benchmarks show that LCGuard consistently reduces reconstruction-based leakage and attack success rates while maintaining competitive task performance compared to standard KV-sharing baselines.

AI Impact Assessments (1 model)

Scientific Impact Assessment: LCGuard

1. Core Contribution

LCGuard addresses a genuinely novel problem: privacy leakage through KV-cache sharing in multi-agent LLM systems. As latent communication via KV caches gains traction (LatentMAS, KVComm, C2C), the paper correctly identifies that these dense representations can encode and propagate sensitive agent-specific information — an attack surface that existing output-level safety mechanisms fundamentally cannot address.

The key technical contributions are: (1) formalizing reconstruction-based leakage as the operational definition of privacy risk in latent communication, (2) proposing a minimax adversarial training framework where lightweight residual bottleneck transformations are learned to sanitize KV caches before transmission, and (3) distinguishing between per-agent (local) and full-system (global) optimization variants that capture compositional leakage across multi-hop communication paths.

The reconstruction-based formalization is well-motivated: a shared KV artifact is "unsafe" if an adversarial decoder can recover sensitive inputs from it. This is more practically meaningful than information-theoretic measures for this setting, though it provides no formal privacy guarantees.

2. Methodological Rigor

Strengths in formulation: The minimax objective (Eq. 8) is clean and well-motivated, with the tradeoff parameter β providing interpretable control. The distinction between local and system-level leakage (M_obs = m_ij vs. M_obs = M) is principled and yields meaningful empirical differences.

Architecture: The residual bottleneck transformation (Eqs. 18-19) is sensible — the residual preserves task-relevant information while the bottleneck constrains fine-grained sensitive details. With ~16.8M parameters for d=4096, it's lightweight relative to the backbone models.

Experimental concerns: The evaluation is extensive across models (Qwen3-4B/8B/14B, Gemma-9B, LLaMA-3B/8B), benchmarks (PrivacyLens, AgentLeak, MAGPIE), and topologies (sequential, hierarchical, graph). However, several methodological concerns arise:

  • Adversary strength as a proxy for leakage: The framework's security guarantees are only as strong as the adversary used during training. The ablation (Table 5) shows ASR increases from 0.285 to 0.365 moving from weak to strong adversaries, but this gap raises questions about what happens with even stronger adversaries not tested.
  • LLM-as-judge for ASR: Using an LLM judge to evaluate semantic equivalence of reconstructed sensitive inputs introduces evaluation noise and potential biases. The reliability of this metric is not validated against human judgments.
  • Benchmark suitability: While the three benchmarks have privacy considerations, they were not specifically designed for latent communication leakage evaluation. The paper adapts them to this setting, but the adaptation methodology deserves more scrutiny.
  • Statistical reporting: Results are averaged over 3 runs but no confidence intervals or significance tests are reported. Some performance differences between methods appear small.

3. Potential Impact

Immediate impact: As KV-cache sharing becomes more prevalent in multi-agent systems (with concurrent work like KVFlow, TokenDance, C2C), LCGuard addresses a timely gap. Any deployment of latent multi-agent communication in sensitive domains (healthcare, finance, legal) would benefit from such safeguards.

Broader implications: The paper establishes "latent communication channels as attack surfaces" as a research direction, which could influence how the community designs future multi-agent communication protocols. The reconstruction-based threat model could become a standard evaluation framework for latent communication security.

Limitations on impact: Without formal privacy guarantees (acknowledged by the authors), adoption in high-stakes settings may be limited. The approach also assumes a specific threat model (decoder-based reconstruction) that may not capture all attack vectors.

4. Timeliness & Relevance

This paper is highly timely. KV-cache sharing in multi-agent systems is an active research front (ICLR 2026 papers on C2C and KVComm are cited as concurrent/recent work). The security implications of this paradigm shift from text-based to latent communication have been largely overlooked. The paper fills this gap precisely when it matters — before latent communication becomes widely deployed without privacy considerations.

5. Strengths & Limitations

Key Strengths:

  • Novel problem identification: First principled framework for privacy in KV-based latent communication
  • Clean formalization: The reconstruction-based leakage definition and minimax formulation are elegant and practical
  • Comprehensive evaluation: Breadth across 6 model variants, 3 benchmarks, 3 topologies is impressive
  • Meaningful ablations: β sensitivity, adversary strength, per-agent vs. system-level, reconstruction difficulty analysis provide genuine insights
  • System-level insight: Demonstrating that compositional leakage across agents exceeds local leakage (Per-Agent vs. Full-System gap) is a valuable finding

Notable Weaknesses:

  • No formal privacy guarantees: The approach is empirical; a sufficiently powerful adversary might still succeed
  • Fixed adversary architecture: Training against specific decoder architectures may not generalize to novel attack strategies
  • Task performance degradation: While moderate, helpfulness consistently drops (e.g., 0.780→0.710 for Qwen3-4B), which may matter in practice
  • Limited baselines: Only ADAPT and PrivAct are compared; other representation-level defenses (e.g., gradient-based sanitization, information bottleneck methods) are absent
  • Reproducibility: While experimental details are thorough, code availability is not mentioned
  • Scalability questions: All experiments use ≤5 agents; behavior at larger scales is unknown

Additional Observations:

The paper's framing of KV caches as "latent working memory" is conceptually appealing and could influence how the community thinks about inter-agent communication design. The inference efficiency analysis (Table 10) showing only 0.04× overhead relative to vanilla KV sharing strengthens the practical case. However, the paper could have explored whether simpler approaches (e.g., selective KV token dropping based on sensitivity scores) might achieve comparable results with less training overhead.

Overall, this is a well-executed paper addressing a genuine and timely gap. The problem identification is the strongest contribution; the solution, while effective, is a relatively straightforward application of adversarial training to a new domain. The empirical evaluation is thorough but would benefit from stronger baselines and formal guarantees.

Rating: 6.8/10
Significance 7.5 · Rigor 6.5 · Novelty 7 · Clarity 7.5

Generated May 22, 2026

Comparison History (14)

vs. AtelierEval: Agentic Evaluation of Humans & LLMs as Text-to-Image Prompters
gemini-3.1 · 5/22/2026

Paper 1 addresses a critical and emerging security challenge in multi-agent LLM architectures—securing latent communication (KV cache sharing) against privacy leakage. Its focus on representation-level safety via adversarial training has profound implications for deploying secure, efficient multi-agent systems in real-world environments. In contrast, Paper 2 presents a benchmark for text-to-image prompting, which is valuable but narrower in scope and less likely to drive foundational shifts in AI safety and system design.

vs. ExComm: Exploration-Stage Communication for Error-Resilient Agentic Test-Time Scaling
gemini-3.1 · 5/22/2026

Paper 1 addresses error propagation in test-time scaling, a highly critical bottleneck in advancing reasoning capabilities of LLMs. Its approach to real-time error correction and trajectory diversification tackles immediate, high-impact challenges in building autonomous agents. Paper 2, while methodologically rigorous in addressing privacy in latent KV communication, focuses on a more niche and less universally adopted communication paradigm, giving Paper 1 broader applicability and a higher potential impact in the rapidly growing field of agentic reasoning.

vs. Gated DeltaNet-2: Decoupling Erase and Write in Linear Attention
gpt-5.2 · 5/22/2026

Paper 2 likely has higher scientific impact: it advances core sequence modeling architecture by decoupling erase/write in linear attention, provides new algorithms (chunkwise WY, gate-aware backward) enabling efficient training, and demonstrates strong scaling and broad benchmark gains, especially for long-context retrieval—highly timely and broadly applicable across NLP and systems. Paper 1 addresses an important safety issue in multi-agent KV-sharing, but its impact is narrower (specific to latent KV communication setups) and depends on adoption of KV-sharing agents; it also hinges on a particular leakage definition (reconstruction) that may not cover all threat models.

vs. Embedding by Elicitation: Dynamic Representations for Bayesian Optimization of System Prompts
gpt-5.2 · 5/22/2026

Paper 2 has higher estimated impact due to stronger timeliness and broad applicability: securing latent KV-cache communication is a rapidly emerging need as multi-agent LLM systems adopt KV sharing for efficiency. LCGuard introduces a clear threat model (reconstruction-based leakage) and an adversarial training approach that can generalize across model families and agent settings, with direct real-world implications for privacy and safety. Paper 1 is novel and useful for prompt optimization under aggregate feedback, but its scope is narrower and closer to existing Bayesian optimization/prompt-tuning lines.

vs. Efficient Agentic Reasoning Through Self-Regulated Simulative Planning
gemini-3.1 · 5/22/2026

Paper 1 addresses a fundamental and highly relevant challenge in AI: improving the token efficiency and reasoning capabilities of LLM agents. By introducing a self-regulated simulative planning framework, it achieves massive performance gains with much smaller models and significantly fewer tokens. This has broad implications for scaling inference-time compute. Paper 2, while methodologically sound and addressing an important security concern, focuses on a narrower niche (KV cache privacy in multi-agent systems), limiting its overall breadth of impact compared to Paper 1's contributions to general LLM reasoning.

vs. Skill Weaving: Efficient LLM Improvement via Modular Skillpacks
gpt-5.2 · 5/22/2026

Paper 2 (Skill Weaving) likely has higher impact due to broad applicability: modular “skillpacks” and compression for specialization under fixed memory/inference budgets directly address major deployment constraints across many domains and model sizes. If results hold (9B surpassing 32B with speedups), the real-world implications for edge, enterprise, and agentic systems are substantial. The idea is timely amid demand for efficient post-training adaptation. Paper 1 is novel and important for safety in latent KV sharing, but its scope is narrower (multi-agent KV-cache communication) and depends on adoption of that specific communication paradigm.

vs. Beyond Rational Illusion: Behaviorally Realistic Strategic Classification
gpt-5.2 · 5/22/2026

Paper 2 likely has higher scientific impact due to broader cross-field relevance and real-world applicability: it reframes strategic classification with behaviorally realistic agents using prospect theory, bridging ML with behavioral economics and potentially affecting policy, lending, hiring, and security settings. The novelty is conceptual and modeling-oriented (new problem setting + framework), which can generalize across many strategic ML domains. Paper 1 is timely and practical for multi-agent LLM safety, but its impact may be narrower (KV-cache sharing setups) and more technique-specific, with methodological rigor tied to a particular leakage proxy (reconstruction).

vs. Beyond Rational Illusion: Behaviorally Realistic Strategic Classification
gemini-3.1 · 5/22/2026

Paper 2 addresses a highly timely and critical issue: security and privacy in multi-agent LLM systems. As latent communication via KV caches becomes more prevalent for efficiency, preventing sensitive information leakage is paramount for real-world deployment. Its alignment with the rapidly growing field of LLMs gives it a broader and more immediate potential impact compared to the more niche, though innovative, behavioral economics approach to strategic classification in Paper 1.

vs. AOP-Wiki EMOD 3.0: Data Model Expansions and Content Evaluation Framework for Using Agentic AI to Improve Integration between AOPs and New Approach Methodologies (NAMs)
gemini-3.1 · 5/22/2026

Paper 2 addresses a highly timely and critical issue—security and privacy in multi-agent LLM systems—by proposing a novel defense against sensitive information leakage in latent KV cache communication. Its methodological rigor, featuring adversarial training, and its broad applicability across the rapidly expanding field of generative AI give it a wider potential impact than Paper 1, which is highly specialized in regulatory toxicology and biomedical modeling.

vs. IdleSpec: Exploiting Idle Time via Speculative Planning for LLM Agents
gpt-5.2 · 5/22/2026

Paper 2 (LCGuard) likely has higher scientific impact: it addresses a timely, broadly relevant safety/privacy risk introduced by latent KV-cache communication—an emerging paradigm for efficient multi-agent LLMs. The approach formalizes leakage via adversarial reconstruction and proposes a general, model-agnostic mitigation framework that can be adopted across systems, affecting both ML security and multi-agent learning. Paper 1 (IdleSpec) is novel and practically useful for latency/throughput, but its impact is narrower (agent inference optimization) and more incremental relative to existing speculative/planning techniques.

vs. PALS: Power-Aware LLM Serving for Mixture-of-Experts Models
gpt-5.2 · 5/22/2026

Paper 2 (PALS) likely has higher scientific impact due to strong real-world applicability and timeliness: data-center energy use is a major, immediate constraint, and a runtime integrated into vLLM without retraining lowers adoption barriers. The methodology is concrete (models + feedback control) with clear, measurable gains across hardware and MoE/dense models, suggesting broad systems impact. Paper 1 (LCGuard) is novel and important for emerging latent multi-agent communication safety, but relies on an operational leakage definition (reconstruction) that may not capture all privacy risks and may see slower near-term deployment.

vs. Parametric Modular Answer Set Programs Made Declarative
gemini-3.1 · 5/22/2026

Paper 1 addresses security and privacy in LLM-based multi-agent systems, a rapidly growing and highly impactful area of AI. Mitigating sensitive information leakage in latent communication solves a critical, timely problem with broad real-world applications. In contrast, Paper 2 focuses on Answer Set Programming (ASP), a narrower theoretical subfield of logic programming, which inherently limits the breadth and immediacy of its scientific and practical impact compared to Paper 1.

vs. Beyond the Org Chart: AI and the Transformation of Invisible Work
claude-opus-4.6 · 5/22/2026

LCGuard addresses a novel and technically rigorous problem—privacy-preserving latent communication in multi-agent LLM systems—an area of growing importance as LLM-based agents become more prevalent. It introduces a formal framework with adversarial training, has clear methodological contributions, and addresses a timely security/privacy concern in AI systems. Paper 2, while offering useful qualitative insights on AI's impact on workplace culture, is a smaller-scale interview study (n=24) at a single company, with more limited generalizability and methodological novelty. Paper 1's technical contributions are more likely to influence future research directions across ML security, privacy, and multi-agent systems.

vs. AutoRPA: Efficient GUI Automation through LLM-Driven Code Synthesis from Interactions
claude-opus-4.6 · 5/22/2026

LCGuard addresses a fundamental and emerging security concern in multi-agent LLM systems—information leakage through latent KV cache sharing—which is a novel problem formulation with broad implications as latent communication becomes more prevalent. It introduces a principled adversarial training framework with formal definitions of safety. Paper 2 (AutoRPA) offers practical efficiency gains for GUI automation but is more incremental, combining existing paradigms (ReAct + RPA). LCGuard's contribution to AI safety and privacy in multi-agent systems has broader cross-field impact and higher timeliness given rapid multi-agent deployment.