When a Million AI Agents Share One Brain, Failures Strike All at Once

Source: Google DeepMind | Published: 2026-06-23T15:48:06Z

The vast majority of AI agents run on a handful of dominant models, making their decisions highly correlated. When something goes wrong, the cascade could dwarf a stock market flash crash in both scale and speed.

Nenad Tomašev, a senior staff research scientist at Google DeepMind, has a surprising answer — this isn't a technical problem, it's a design problem. If you want fair outcomes, give every competing agent the same budget and let each one decide how to allocate it based on its owner's schedule, preferences, and constraints. Whether the result is fair is determined by whoever designs the auction system, not by the agents themselves.

That example points to something larger: the age of AI agents isn't just about "smarter assistants" — it's a new layer of infrastructure that could reshape how human economic collaboration works.

The difference between agents and LLMs is subtler than you think

A language model works like this: you ask, it answers. An agent works like this: you authorize, it acts.

Tomašev's framing is straightforward. A language model takes input and produces a continuation or a response. An agent perceives the state of an environment and executes actions within it. In practice, though, the distinction is one of degree — every agent today runs a language model underneath, just wrapped in an execution framework that lets the model's proposed actions actually land.

Wedding planning is a useful illustration. Ask an LLM to find a reception venue and you'll get a list. But drafting inquiry emails, coordinating schedules, comparing quotes — that's still on you. The value of an agent is that you approve the direction and it handles the rest: booking tickets, messaging friends, arranging the itinerary. Meanwhile, you open Netflix and unwind.

The more you trust it, the more dangerous it gets

The biggest real-world deployment of agents right now is in software development. The reason is practical: software has verification built in. You write unit tests, you check whether the output is correct, the feedback loop is cheap.

But within that domain, Tomašev has already noticed something that concerns him: automation bias.

When an agent gets the first thing right, then the second, users start to relax. By the tenth task, the twentieth, they've mostly stopped checking seriously. Then a subtle error slips through somewhere and goes unnoticed. This isn't a capability problem — agents aren't error-free, just as humans aren't. The failure is human.

Tomašev's position is blunt: whether a human is "in the loop" matters less than whether, when they are in the loop, they're actually paying attention.

Delegating tasks to other agents: far harder than it sounds

One area Tomašev is actively researching is the delegation mechanism between agents.

Imagine a complex task: book a venue, invite guests, arrange catering, coordinate schedules. No single agent can handle all of it, so the lead agent needs to subcontract pieces to specialized sub-agents. The problem is that most multi-agent systems today are doing parallelization, not real delegation — slicing tasks into chunks, running them independently, with no information shared between them.

The agent sourcing glasses has no idea the other agent is buying wine, and comes back with a set of regular tumblers.

A real delegation framework has to solve much harder problems: how do you assess the trustworthiness of a sub-agent? How do you define clean task contracts between agents? How do you handle mid-task failures? Current systems are largely silent on all of this.

There's an interesting inversion worth noting. In medical imaging, reverse delegation already exists. AI systems make an initial read of a scan, and when uncertain, hand the decision back to a human radiologist. Tomašev notes that this human-AI collaboration outperforms both pure AI and pure human interpretation — AI is more accurate where findings are clear-cut, humans are more reliable in the ambiguous cases.

A poisoned web

Once agents are permitted to operate autonomously on the real internet, they run into what Tomašev calls "agent traps."

One attack vector is hidden prompt injection: webpages contain text invisible to the human eye that agents read when parsing the page source, steering them toward unintended actions. Another is dynamic spoofing — a site can detect from access patterns whether a visitor is human or agent, and serve the agent entirely different content engineered to trigger out-of-scope behavior. The same threats exist at the image layer: imperceptible pixel-level modifications to an image can cause a vision agent to draw the wrong conclusions.

Tomašev acknowledges that researchers have already seen agents tricked into transferring money in test environments. For now these incidents are contained in controlled settings. But as agents connect to the real web at scale, the attack surface expands sharply and the economic payoff for adversaries rises with it.

His answer is "defense in depth": there's no single fix. You need layers — verifying the trustworthiness of web content, constraining agent behavior at the agent level, running out-of-scope detection at the model layer, tightly scoping what permissions an agent actually holds. Stacked together, these make a system reasonably secure. Permission scoping is especially critical: even if an agent is compromised, the damage it can do should be bounded.

When a million agents act at once, one failure is everyone's failure

Multi-agent systems carry a security risk that tends to go overlooked: cognitive monoculture.

The vast majority of agents today run on a handful of dominant models. Those models share a nearly identical worldview and tend toward similar decisions when facing the same situation. When millions of agents built on the same underlying models all participate in an economic system, their decisions produce highly correlated failure points — one breaks, and the rest follow.

Stock market flash crashes are the human-era version of this. High-frequency trading algorithms, built on similar logic, react identically at the same moment and trigger a cascade. The agent version could be worse — larger scale, faster execution, and agents can achieve tacit coordination without communicating directly, simply by influencing a shared environment. Something close to silent collusion.

There are technical mitigations. You can inject differentiated "personalities" through carefully designed system prompts, nudging agents toward different decision tendencies. But that requires users to actively configure it, and most won't.

"Human-level intelligence" vs. "human-society-level intelligence" — the distinction matters

This is the part of the conversation worth pausing on.

Tomašev plays chess and has studied AI's approach to the game. He offers this: Gemini can play some chess, but you'd never use it for a serious game — you'd use a dedicated chess engine because it's faster, more accurate, and cheaper. The engine does one thing and does it to the extreme. That logic applies elsewhere.

His view is that the real endpoint may not be a single "does everything" superintelligent generalist. More likely, we end up with a distributed intelligence network of specialists — each node deeply optimized in its own domain, connected by a more general coordination layer that understands intent and routes tasks. The generalist layer handles comprehension and dispatch; the specialist models handle execution.

Human society already works this way. No one is simultaneously a surgeon, an architect, and a software engineer. We distribute intelligence across specialists and use language, law, economics, and culture to coordinate among them. When we talk about AGI, we say "human-level intelligence" — but what we may actually be building toward is something closer to human-society-level intelligence.

If that's right, the alignment problem changes shape. You're not aligning a model. You're aligning a system of thousands of nodes whose composition shifts day to day — agent A works with agent B today, then agent C tomorrow, and C subcontracts part of the job to D, who at some point checks back with a human. Tomašev thinks economic incentives are probably the most realistic coordination mechanism available right now: if agents pursuing profit don't cause harm in the process, that's at least a starting point. But he's direct about the gap: this area of research is nowhere near where it needs to be.