THE AGENTIC ORCHESTRATION & SECURITY MAP

PATTERNS, AGENTS, TOOLS, THREATS & DEFENSES (JULY 2026)

1. Orchestration Patterns & Control Plane

(Plan • Decompose • Delegate • Synthesize)

Orchestrator–Workers

  • Lead agent decomposes goal
  • Spawns scoped sub-agents
  • Merges results, owns answer

Sequential Pipeline

  • Prompt chaining, stage by stage
  • Gate checks between stages
  • Fail-fast on bad output

Parallel Fan-out

  • Concurrent subtasks
  • Barrier merge or pipeline
  • Dedup + conflict resolution

Router / Handoff

  • Classifier → specialist
  • Typed handoff payloads
  • Escalation on low confidence

Evaluator–Optimizer

  • Generator drafts, critic scores
  • Loop until pass or budget
  • Adversarial verify panels

Hierarchical Teams

  • Supervisors of supervisors
  • Depth caps stop runaways
  • Results roll up with provenance

Human-in-the-Loop Gates

  • Plan approval pre-execution
  • Action approval for mutations
  • Trust tiers per action class

Frameworks & Runtimes

  • Claude / OpenAI Agent SDKs
  • LangGraph, CrewAI, AutoGen
  • Google ADK, Temporal (durable)

2. Agent Runtime & State

(The agents themselves • Context • Memory • Budgets)

Planner

  • Goal → task graph
  • Explicit success criteria
  • Re-plans on new facts

Specialist Workers

  • Coder, researcher, reviewer
  • Role-scoped tool access
  • Return data, not prose

Context Manager

  • Window budgeting + compaction
  • Spill large results to files
  • Page back on demand

Memory

  • Scratchpad + vector store
  • Episodic run history
  • Provenance tags on writes

State & Checkpoints

  • Durable task state
  • Resume / replay from journal
  • Idempotent steps by design

Message Bus / Handoffs

  • Typed JSON-Schema outputs
  • Authenticated agent hops
  • No implicit shared state

Budgets & Ceilings

  • Token / cost / wall-clock caps
  • Iteration + depth limits
  • Kill-switch / pause authority

Evaluation & Tracing

  • Full-trace observability
  • Regression eval suites
  • Drift + anomaly detection

3. Tools & Integration Surface

(Where agents touch the world — every arrow is a trust boundary)

MCP Servers

  • Standard tool protocol
  • Discovery + typed schemas
  • Vet like a dependency

Function Calling

  • Typed JSON-Schema tools
  • Argument validation pre-dispatch
  • Corrective retries on bad args

RAG & Vector Stores

  • Embeddings, chunk, rerank
  • Retrieved text = untrusted
  • Access-controlled collections

Code Execution

  • Sandboxed interpreters
  • Ephemeral containers / microVMs
  • Egress blocked by default

Browser & Computer Use

  • DOM automation, screenshots
  • Page content = hostile until proven
  • Domain allowlists

Shell & Filesystem

  • Workspace-confined paths
  • Allowlisted commands
  • Approval for mutations

External APIs & SaaS

  • Email, CRM, payments, cloud
  • Outbound = exfil channel
  • Scoped, short-lived tokens

Data Stores & Queues

  • SQL / NoSQL / object storage
  • Task queues, event buses
  • Least-privilege connections

4. Security Control Plane

(Defense in depth — deterministic controls, not model promises)

Identity & Least Privilege

  • Per-agent service identities
  • Scoped OAuth, short-lived creds
  • Deny by default

Sandboxing & Isolation

  • Containers / microVMs
  • Workspace jail, read-only mounts
  • Network egress allowlists

Guardrails & IO Validation

  • Injection classifiers
  • Schema validation in + out
  • URL / domain screening

Approval Gates (HITL)

  • Human gate on irreversible acts
  • Send / delete / pay / deploy
  • Trust tiers per tool + args

Session Integrity

  • Signed state + checkpoints
  • Re-auth on resume / handoff
  • Anomaly kill-switch

Secrets Management

  • Vault-issued at call time
  • Never in prompts or logs
  • Rotation + revocation

Observability & Audit

  • Full decision + tool traces
  • Immutable audit trail
  • Anomaly + cost monitors

Supply Chain + Policy

  • Signed, pinned tool manifests
  • MCP vetting, SBOM, scanning
  • Central allow / deny / ask engine
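As an added illustration of the central allow / deny / ask engine and of trust tiers per tool and arguments (see also Approval Gates and Human-in-the-Loop Gates above), here is a small deterministic policy function. It is example code written for this map, not from any framework listed; the workspace root, domain allowlist, role table and command allowlist are assumed placeholders.

```python
# Added example, not from the map: a minimal central allow/deny/ask engine.
# Deterministic policy: deny by default, role-scoped tools, trust tiers per
# tool *and* its arguments, workspace-confined paths, egress allowlists.
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from urllib.parse import urlparse

WORKSPACE = PurePosixPath("/workspace")           # assumed sandbox root
ALLOWED_DOMAINS = {"api.internal.example"}        # assumed egress allowlist
ROLE_TOOLS = {                                    # role-scoped tool access
    "researcher": {"read_file", "http_get"},
    "coder": {"read_file", "write_file", "shell"},
}
MUTATING = {"write_file", "shell", "send_email", "pay"}   # need a human gate
ALLOWED_COMMANDS = {"pytest", "ls", "git"}        # assumed shell allowlist


@dataclass
class Call:
    agent_role: str
    tool: str
    args: dict = field(default_factory=dict)


def in_workspace(path: str) -> bool:
    """True only for paths that stay inside the workspace jail."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        p = WORKSPACE / p
    return ".." not in p.parts and str(p).startswith(f"{WORKSPACE}/")


def decide(call: Call) -> str:
    """Return 'allow', 'deny' or 'ask' for one proposed tool invocation."""
    if call.tool not in ROLE_TOOLS.get(call.agent_role, set()):
        return "deny"                                 # deny by default
    if call.tool in ("read_file", "write_file"):
        if not in_workspace(str(call.args.get("path", ""))):
            return "deny"                             # path escapes the jail
    if call.tool == "http_get":
        host = urlparse(str(call.args.get("url", ""))).hostname or ""
        if host not in ALLOWED_DOMAINS:
            return "deny"                             # closes the URL exfil channel
    if call.tool == "shell":
        argv = call.args.get("argv") or []
        if not argv or argv[0] not in ALLOWED_COMMANDS:
            return "deny"                             # allowlisted commands only
    # Mutations that pass every deterministic check still go to a human gate.
    return "ask" if call.tool in MUTATING else "allow"
```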

5. Threat Landscape

(What attacks the stack — OWASP LLM Top 10 aligned)

Prompt Injection

  • Direct: jailbreaks in input
  • Indirect: hostile text in pages, docs, tool results

Agentjacking

  • Live agent seized mid-run
  • Hijacked orchestrator executes attacker goals
  • Persists via poisoned checkpoints

Tool Poisoning

  • Malicious MCP servers
  • Rug pull: descriptions mutate post-install
  • Lookalike tools
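An added example (not from the map or from the MCP project) of the "signed, pinned tool manifests" control from the Supply Chain + Policy entry, applied to the rug pull and lookalike threats listed here; it assumes MCP-style tool records with `name`, `description` and `inputSchema` fields.

```python
# Added example, not from the map: pin each tool's manifest when the MCP
# server is vetted and re-verify at every session start, so a rug pull (a
# description or schema that changed after install) and lookalike names are
# caught before the model ever sees the tool list.
import hashlib, json, unicodedata

def fingerprint(tool: dict) -> str:
    """Canonical SHA-256 over name + description + input schema."""
    canon = json.dumps({k: tool.get(k) for k in ("name", "description", "inputSchema")},
                       sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def pin(tools: list[dict]) -> dict[str, str]:
    """Manifest produced at vetting time: tool name -> fingerprint."""
    return {t["name"]: fingerprint(t) for t in tools}

def skeleton(name: str) -> str:
    # Fold case, NFKC-compatible variants and separators so lookalikes collide.
    return "".join(c for c in unicodedata.normalize("NFKC", name).casefold() if c.isalnum())

def verify(pinned: dict[str, str], live: list[dict]) -> list[str]:
    """Findings for the live tool list against the pinned manifest; [] is clean."""
    findings, live_names = [], {t["name"] for t in live}
    pinned_skeletons = {name: skeleton(name) for name in pinned}
    for tool in live:
        name = tool["name"]
        if name in pinned:
            if fingerprint(tool) != pinned[name]:
                findings.append(f"RUG_PULL: '{name}' changed since it was pinned")
            continue
        clash = [p for p, sk in pinned_skeletons.items() if sk == skeleton(name)]
        if clash:
            findings.append(f"LOOKALIKE: '{name}' resembles pinned '{clash[0]}'")
        else:
            findings.append(f"UNPINNED: '{name}' is not in the manifest")
    for name in pinned:
        if name not in live_names:
            findings.append(f"MISSING: pinned tool '{name}' disappeared")
    return findings
```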

Data Exfiltration

  • Lethal trifecta: private data + untrusted content + outbound
  • Exfil via URLs, emails, APIs

Excessive Agency

  • Confused deputy misuses broad perms
  • Over-scoped tokens
  • Unneeded tools attached

Memory / RAG Poisoning

  • Planted docs corrupt retrieval
  • Persistent: re-fires every session

Identity Spoofing

  • Agent-to-agent impersonation
  • Stolen / replayed tokens
  • Forged handoffs
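An added example (not from the map) of authenticated handoffs with typed payloads, covering the Message Bus / Handoffs and Session Integrity entries as well as the impersonation, replay and forged-handoff threats listed here; the per-agent keys and the two-field payload schema are assumed placeholders standing in for a vault-issued key store.

```python
# Added example, not from the map: authenticated, typed agent-to-agent handoffs.
# Each hop is an envelope MAC'd with the sender's key over sender, recipient,
# nonce, timestamp and payload; the receiver verifies the claimed identity,
# rejects replays, misrouted or stale envelopes, and type-checks the payload.
import hashlib, hmac, json, os, time

# Assumed: per-agent keys issued by a vault at runtime, never placed in prompts.
KEYS = {"planner": os.urandom(32), "coder": os.urandom(32)}
HANDOFF_SCHEMA = {"task": str, "files": list}     # minimal typed contract

def _canonical(env: dict) -> bytes:
    body = {k: env[k] for k in ("from", "to", "nonce", "ts", "payload")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_handoff(sender: str, recipient: str, payload: dict) -> dict:
    env = {"from": sender, "to": recipient, "nonce": os.urandom(16).hex(),
           "ts": time.time(), "payload": payload}
    env["mac"] = hmac.new(KEYS[sender], _canonical(env), hashlib.sha256).hexdigest()
    return env

class Receiver:
    def __init__(self, me: str, max_age: float = 300.0):
        self.me, self.max_age, self.seen = me, max_age, set()

    def accept(self, env: dict) -> dict:
        """Return the payload only if the hop is authentic, addressed to us, fresh and typed."""
        key = KEYS.get(env.get("from"))
        if key is None:
            raise PermissionError("unknown sender identity")
        expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(env.get("mac", ""))):
            raise PermissionError("bad MAC: forged or tampered handoff")
        if env["to"] != self.me:
            raise PermissionError("envelope addressed to another agent")
        if time.time() - env["ts"] > self.max_age:
            raise PermissionError("stale handoff")
        if env["nonce"] in self.seen:
            raise PermissionError("replayed handoff")
        payload = env["payload"]
        for name, typ in HANDOFF_SCHEMA.items():
            if not isinstance(payload.get(name), typ):
                raise TypeError(f"payload field '{name}' must be {typ.__name__}")
        self.seen.add(env["nonce"])
        return payload
```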

Supply Chain

  • Backdoored dependencies
  • Poisoned models / weights
  • Compromised registries

Resource Exhaustion

  • Runaway delegation loops
  • Cost bombs & quota burn
  • Fork-bomb agent spawning
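The depth caps, fan-out limits, token and wall-clock budgets and kill-switch listed under Hierarchical Teams and Budgets & Ceilings, applied to the runaway loops and fork-bomb spawning named here, as an added example that is not from the map or from any listed runtime; the `runaway` driver simulates unbounded delegation so the cut-off can be observed, and all limits are assumed defaults.

```python
# Added example, not from the map: a spawn/budget governor that lives outside
# the model. It enforces depth caps, fan-out caps, token and wall-clock
# budgets, and carries the operator kill-switch; agents must ask it to spawn.
import time

class BudgetExceeded(Exception): pass

class Governor:
    def __init__(self, max_depth=3, max_children=4, max_tokens=100_000,
                 max_seconds=600.0, clock=time.monotonic):
        self.max_depth, self.max_children = max_depth, max_children
        self.max_tokens, self.max_seconds, self.clock = max_tokens, max_seconds, clock
        self.started, self.tokens_used, self.killed = clock(), 0, False
        self.depth = {"root": 0}     # agent id -> depth in the delegation tree
        self.children = {}           # parent id -> number of children spawned

    def kill(self):                  # pause / kill authority for operators
        self.killed = True

    def _check_global(self):
        if self.killed:
            raise BudgetExceeded("kill-switch engaged")
        if self.clock() - self.started > self.max_seconds:
            raise BudgetExceeded("wall-clock budget exhausted")
        if self.tokens_used > self.max_tokens:
            raise BudgetExceeded("token budget exhausted")

    def charge(self, tokens: int):   # tokens spent by any agent, shared budget
        self.tokens_used += tokens
        self._check_global()

    def spawn(self, parent: str, child: str) -> int:
        """Register a sub-agent, or raise instead of letting the tree run away."""
        self._check_global()
        depth = self.depth[parent] + 1
        if depth > self.max_depth:
            raise BudgetExceeded(f"depth cap {self.max_depth} hit by {child}")
        if self.children.get(parent, 0) >= self.max_children:
            raise BudgetExceeded(f"fan-out cap hit under {parent}")
        self.children[parent] = self.children.get(parent, 0) + 1
        self.depth[child] = depth
        return depth

def runaway(gov: Governor, parent: str = "root", n: int = 0) -> int:
    # Simulates unbounded recursive delegation; returns the depth it reached.
    try:
        gov.spawn(parent, f"{parent}/{n}")
    except BudgetExceeded:
        return gov.depth[parent]
    return runaway(gov, f"{parent}/{n}", n + 1)
```

Depth cap and fan-out cap together bound the whole tree (at most max_children raised to max_depth leaves), which is what stops a fork-bomb even when no single agent exceeds its own limit.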

NOTES:

  1) Every arrow crossing a trust boundary is an enforcement point.
  2) Controls compose — no single layer is sufficient (defense in depth).
  3) Threat names align with the OWASP Top 10 for LLM applications; the map reflects common patterns as of mid-2026.