Hi All,
I have been researching something that kept coming up while studying multi-agent pipelines in regulated industries. Every current observability tool watches what your AI system says to the user. Nobody watches what agents say to each other internally, and research suggests that is where the majority of sensitive data leakage actually happens.
A benchmark published this year found inter-agent messages leak sensitive data at 68.8% while output channels leak at 27.2%. Most teams are either unaware of this or handling it with custom middleware written by hand.
A few specific questions for people building production pipelines with LangChain or LangGraph:
- How do you currently know what data is travelling between your agents in a multi-agent setup?
- If a compliance team or regulator asked you to prove that no sensitive data crossed an agent boundary it should not have, what would you show them?
- Are you doing anything beyond output-level monitoring?
Genuinely curious what the current practice looks like. I wrote up a longer piece on this if useful but mostly want to hear how people are actually handling it.
The gap most teams hit is that governance signals do not propagate across handoffs. Agent A retrieves chunks with quality metadata attached. When it hands context to Agent B, the quality metadata is stripped and only the text survives.
Three things need to travel with the data across every handoff:
- Provenance — which source documents produced these chunks, and when were they last validated
- Quality signals — pre-ingestion scores like semantic density, freshness status, and conflict flags per chunk
- PII flags — whether any chunk contains personally identifiable information that restricts how downstream agents can process it
The EU AI Act Article 10 makes this a compliance requirement by August 2026. The documentation trail needs to show that data quality was assessed and PII was handled at every stage of the pipeline, not just at ingestion. Most teams are solving this with append-only audit logs keyed by chunk_id — a content hash that follows each chunk from ingestion through retrieval through generation. The hash is cheap to compute and gives you a stable join key for governance queries across the full pipeline.
Your reply was the clearest description of the metadata propagation problem I have read; I am building something for exactly this.
One question while I work on it: when your team hits the metadata stripping problem at handoff, are you currently solving it with custom middleware written by hand, or have you found anything that handles it cleanly out of the box?
Thanks, appreciate that Abhay — it’s a problem that doesn’t get enough attention because it’s invisible until something breaks downstream.
Honest answer: there’s nothing that handles it cleanly out of the box. The agent frameworks treat metadata as a per-step concern, not a pipeline-level concern. LangChain’s RunnablePassthrough can carry metadata forward but you have to explicitly wire it at every step — it doesn’t propagate automatically. CrewAI’s task context passes natural language summaries between agents but strips structured metadata entirely. AutoGen’s message history preserves conversation context but not provenance metadata about where the data originated.
So yes, custom middleware is where most teams end up. The pattern that’s worked best in my experience is a thin wrapper around each agent handoff that does three things:
- Captures the outbound metadata envelope before the sending agent completes (source IDs, confidence scores, retrieval timestamps, any access control tags).
- Attaches it as a sidecar payload alongside the natural language output — not embedded in the prompt itself, because that pollutes the context window and the receiving agent starts hallucinating about metadata fields instead of using them.
- The receiving agent’s pre-processing step reads the sidecar and decides what to inherit vs what to regenerate. Some metadata carries forward (original source document ID), some gets recalculated (confidence score after the new agent’s own retrieval).
The key insight that saved us a lot of debugging: never let metadata travel inside the prompt text. Keep it structured and adjacent. The moment you put “source: document_47, confidence: 0.89” inside the LLM’s input, you’ve turned governance data into something the model will reason about creatively instead of preserving faithfully.
It’s not elegant but it’s reliable. I would genuinely be interested to see what you build — this is a gap that needs a proper solution.
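The handoff wrapper described in this thread (sidecar envelope kept out of the prompt, per-chunk append-only audit log keyed by a content-hash chunk_id, PII flags enforced at the boundary), written up as an added Python example; it is not code from any poster. The `Chunk` fields, the agent names and the sample chunk texts are assumptions, and `pii_forwarded` is the kind of query you could hand a compliance team for the "prove nothing crossed that should not have" question.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Chunk:
    text: str
    source_id: str     # provenance: which source document produced this chunk
    pii: bool          # PII flag assigned at ingestion
    confidence: float  # sending agent's own retrieval score

def chunk_id(text: str) -> str:
    """Content hash: the stable join key that follows a chunk through the pipeline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

def assert_sidecar_separate(prompt: str, sidecar: list) -> None:
    """Guard: governance fields must never leak into the LLM's input text."""
    for entry in sidecar:
        if entry["chunk_id"] in prompt or "confidence:" in prompt.lower():
            raise ValueError("metadata embedded in prompt text")

def handoff(chunks, sender, receiver, receiver_may_see_pii, audit_log):
    """Thin wrapper around one agent boundary; returns (prompt_text, sidecar)."""
    prompt_parts, sidecar = [], []
    for c in chunks:
        cid = chunk_id(c.text)
        allowed = receiver_may_see_pii or not c.pii
        if allowed:
            prompt_parts.append(c.text)
            sidecar.append({"chunk_id": cid, "source_id": c.source_id, "pii": c.pii,
                            "confidence": None})  # receiver recalculates after its own retrieval
        # one append-only audit entry per chunk per boundary, forwarded or blocked
        audit_log.append({"chunk_id": cid, "from": sender, "to": receiver, "pii": c.pii,
                          "source_id": c.source_id,
                          "decision": "forwarded" if allowed else "blocked_pii"})
    prompt = "\n".join(prompt_parts)
    assert_sidecar_separate(prompt, sidecar)
    return prompt, sidecar

def pii_forwarded(audit_log, receiver=None):
    """Governance query: every PII-flagged chunk that actually crossed into `receiver`."""
    return [e for e in audit_log if e["pii"] and e["decision"] == "forwarded"
            and (receiver is None or e["to"] == receiver)]

def demo():
    # Constructed sample chunks; the SSN value is fake.
    chunks = [Chunk("Quarterly revenue grew 4% year over year.", "doc_12", False, 0.91),
              Chunk("Customer SSN 123-45-6789 is on file.", "doc_47", True, 0.88)]
    log = []
    prompt, sidecar = handoff(chunks, "retriever", "summarizer", False, log)
    return prompt, sidecar, log
```

Running `demo()` forwards only the non-PII chunk to the summarizer, while the audit log still records the blocked chunk under its chunk_id so the decision is queryable later.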