This work addresses the challenge of collective policy violations in multi-agent systems arising from contextual fragmentation—where agents comply locally yet violate policies globally. To this end, the authors propose Distributed Sentinel, a distributed zero-trust architecture that employs lightweight sidecar proxies to propagate cross-domain security states. The system introduces a novel Semantic Taint Token (STT) protocol and a counterfactual graph simulation mechanism, enabling cross-contextual policy verification without exposing raw data. Evaluated on the authors’ custom benchmark, PhantomEcosystem, Distributed Sentinel achieves an F1 score of 0.95 with an end-to-end latency of only 106 ms, substantially outperforming prompt filtering (F1=0.85) and rule-based DLP approaches (F1=0.65). This study presents the first systematic modeling and effective defense against policy violations induced by contextual fragmentation.

We identify and formalize a novel security risk: Context-Fragmented Violations (CFVs) - a class of policy breaches where individual agent actions appear locally safe and reasonable, yet collectively violate organizational policies because critical policy facts are siloed in different departments private contexts. Existing prompt-based alignment mechanisms and monolithic interceptors are poorly matched to violations that span contextual islands. We propose Distributed Sentinel, a distributed zero-trust enforcement architecture that introduces the Semantic Taint Token (STT) Protocol. Through lightweight sidecar proxies, our system propagates security state across organizational boundaries without exposing raw cross-domain data, enabling Counterfactual Graph Simulation for cross-domain policy verification. We construct PhantomEcosystem, a comprehensive benchmark comprising 9 categories of realistic cross-agent violation scenarios with adversarially balanced safe controls. On this benchmark, Distributed Sentinel achieves F1 = 0.95 with 106ms end-to-end latency (16ms verification + 90ms entity extraction on A100), compared to 0.85 F1 for prompt-based filtering and 0.65 for rule-based DLP. To empirically validate the need for external enforcement, we evaluate eight frontier LLMs in execution-oriented multi-agent workflows with per-agent domain world models. All models exhibit substantial violation rates (14-98%), with cross-domain data flows showing systematically higher violation rates than same-domain flows. These results indicate that self-avoidance is unreliable and that multi-agent security benefits from a centralized enforcement layer operating above individual agents.