TL;DR for operators

Adding a second model does not automatically make an AI workflow safer. It creates another opportunity to correct an error—and another opportunity to introduce one.

In the paper’s cybersecurity experiment, giving Gemma-2’s reasoning to Phi-3 raises Phi-3’s accuracy from 60.34% to 93.10%. In networking, the direction reverses for the stronger model: Gemma-2 falls from 90.82% to 89.80% after reasoning exchange. Passing the outputs to a Llama 3.2 judge reduces networking accuracy further, to 88.78%.

The operational lesson is not “use more agents.” It is:

  1. measure how often collaboration changes wrong answers into correct ones;
  2. separately measure how often it damages answers that were already correct;
  3. segment those transitions by model, domain, task type, and error severity;
  4. invoke cross-agent review only where its expected benefit exceeds its compute, latency, and disruption costs.

The paper proposes reasoning similarity, answer support, and unresolved conflict as possible runtime signals. That is a useful design direction, but the reported experiments do not yet demonstrate that those signals can reliably predict when communication should be accepted, rejected, or escalated.

More reasoning is not a control system. A control system knows when not to interfere.

The networking result is the real headline

Review is supposed to catch mistakes. In ordinary business processes, a second analyst checks the first analyst’s work, a manager reviews the recommendation, and someone eventually approves the result. The comforting assumption is that another pair of eyes can only help.

Language models have declined to honour this assumption.

Preventing Error Propagation in Multi-Agent AI through Runtime Monitoring studies what happens when two models answer questions independently, exchange their reasoning traces, revise their answers, and optionally submit the result to a third model acting as judge.1 The headline numbers initially look favourable. Most model-domain combinations improve after communication.

The useful finding, however, is the exception.

Domain Model being revised Original accuracy After reasoning exchange Change
Cybersecurity Phi-3 60.34% 93.10% +32.76 percentage points
Cybersecurity Gemma-2 87.93% 93.10% +5.17 points
Machine learning Phi-3 94.55% 98.18% +3.63 points
Machine learning Gemma-2 95.45% 97.27% +1.82 points
Networking Phi-3 83.67% 91.84% +8.17 points
Networking Gemma-2 90.82% 89.80% −1.02 points

The cybersecurity result shows the attraction of multi-agent reasoning. A model with substantial room for improvement receives a much stronger trace and recovers a large share of its errors.

The networking result shows the liability. Gemma-2 begins as the better model. After it reads the other model’s reasoning, it becomes slightly worse.

This is not a contradiction. It is the mechanism.

Communication is useful when the incoming information is better than the recipient’s existing judgement on the particular case. It is harmful when weaker, irrelevant, or misleading reasoning displaces a correct answer. The same workflow can therefore behave like error correction in one context and error injection in another.

The paper’s domain split makes that asymmetry visible. Cybersecurity offers a weak-to-strong transfer opportunity. Machine learning begins near the ceiling, leaving relatively little to repair. Networking contains enough conflicting reasoning for the stronger model to lose ground.

So the pertinent deployment question is not whether multi-agent reasoning improves average accuracy. It is whether the workflow can recognize the cases in which the second opinion deserves influence.

The paper does not yet answer that question. It does show rather clearly why it must be asked.

The judge is another source of variance, not an oracle

The experimental pipeline adds a third model, Llama 3.2, after the two base models have revised their answers. The judge considers the combined answers and the original reasoning traces, then produces a final selection.

This sounds like escalation. It is more accurately another prediction.

Domain Best original base-model accuracy Llama 3.2 judge Change from best original
Cybersecurity 87.93% 94.83% +6.90 points
Machine learning 95.45% 98.18% +2.73 points
Networking 90.82% 88.78% −2.04 points

In cybersecurity and machine learning, the judge improves on the better original model. In networking, it underperforms both the best original model and Phi-3’s reasoning-combined answer.

The third model does not resolve the uncertainty merely by occupying the box labelled “judge.” Job titles continue to be a poor substitute for competence, even in synthetic organisations.

This distinction matters because multi-agent system diagrams often encode an implicit hierarchy:

Generator → Reviewer → Judge → Final answer

The visual sequence suggests progressively greater authority. The experiment instead demonstrates a chain of conditional transformations:

Initial prediction
Exposure to another model's reasoning
Revised prediction
Exposure to another model's interpretation
Final prediction

Every arrow can correct an error. Every arrow can also disrupt a correct state.

An independent judge can be valuable because it offers another reasoning path and need not share the same immediate revision behaviour as either base model. But independence is not equivalent to superior domain reliability. Nor does adding a judge turn correlated model outputs into independent evidence.

For operators, “judge accuracy” should therefore be evaluated like any other model-stage metric. It should not be granted administrative immunity from measurement.

Final accuracy hides who was helped and who was harmed

Suppose a workflow’s accuracy rises from 90% to 92%. That sounds like a clean improvement. It may conceal very different transition patterns:

  • two wrong answers became correct, with no damage;
  • twelve wrong answers became correct while ten correct answers were broken;
  • a particular high-risk category deteriorated while low-value cases improved;
  • one customer segment benefited while another absorbed the errors.

The paper addresses the first layer of this problem by recording two directional transitions.

A positive impact occurs when an initially wrong answer becomes correct:

$$ W \rightarrow C $$

A negative impact occurs when an initially correct answer becomes wrong:

$$ C \rightarrow W $$

These are more informative than final accuracy alone because they distinguish correction from disruption.

The contrast is especially sharp in two conditions:

Condition Wrong-to-correct Correct-to-wrong Net count
Cybersecurity: Phi-3 after combination 20 1 +19
Networking: Gemma-2 after combination 5 6 −1
Networking: Llama 3.2 relative to Gemma-2 7 9 −2

For cybersecurity Phi-3, communication behaves like a strong repair mechanism. It corrects twenty answers and damages one.

For networking Gemma-2, the same broad procedure crosses into negative territory. Five repairs are outweighed by six newly introduced mistakes.

The Llama judge produces an even clearer warning relative to Gemma-2’s original networking answers: it fixes seven errors but disrupts nine correct answers. A final accuracy number of 88.78% reports the destination. The transition counts explain how the system got there.

That is the paper’s most transferable evaluation contribution.

Transition accounting should precede claims of reliability

For a production system, the full transition matrix is the minimum sensible unit of analysis:

Before After Interpretation
Correct Correct Preserved success
Wrong Correct Useful correction
Wrong Wrong Unresolved failure
Correct Wrong Communication-induced failure

The fourth cell deserves disproportionate attention. A system that fails to fix an existing error has disappointed you. A system that takes a correct answer and actively replaces it with a wrong one has implemented negative quality assurance.

The paper reports positive and negative rates as proportions of the entire domain sample. That supports direct comparison of net changes, but production teams will usually need additional conditional measures:

  • among cases initially wrong, what proportion does review correct?
  • among cases initially correct, what proportion does review corrupt?
  • which error classes dominate each transition?
  • how costly are those transitions?
  • does the intervention change confidence, calibration, or abstention behaviour?

Those questions are not answered by the paper. They are the natural operational extension of its metric design.

The value of review depends on the starting model

The results suggest a simple pattern: reasoning exchange is most attractive when the recipient model is meaningfully weaker than the source model on the relevant task.

In cybersecurity, Phi-3 begins at 60.34%, while Gemma-2 begins at 87.93%. Giving Phi-3 access to Gemma-2’s reasoning produces a 32.76-point gain.

Giving the same exchange opportunity to Gemma-2 produces a much smaller gain. The stronger model has fewer mistakes available to correct, and more correct answers available to disturb.

Machine learning produces a milder version of the same ceiling effect. Both models begin above 94%, so the possible upside is constrained. Reasoning exchange still improves the reported results, but by much less than in cybersecurity.

Networking demonstrates why baseline strength is not merely a denominator issue. Phi-3 improves, while Gemma-2 declines. The weaker model benefits from additional reasoning; the stronger model sometimes accepts information it would have been better off ignoring.

This creates an asymmetry that average ensemble language tends to obscure.

The relevant comparison is not:

Is Model B generally good?

It is:

Conditional on Model A’s current competence, the task domain, and this particular input, does Model B’s reasoning have positive expected value?

A model that is useful as a reviewer for one recipient may be harmful for another. A model that improves one subject area may degrade another. A workflow that succeeds when the baseline is weak may become unnecessary or actively risky after the baseline is upgraded.

Multi-agent architecture is therefore partly a routing problem. The system needs to know who should listen to whom, about what, and under which conditions.

Otherwise it is not collaboration. It is indiscriminate context injection with a team-building theme.

What the proposed runtime monitor is trying to detect

The paper’s framework aims to move beyond checking only the final answer. It proposes monitoring the reasoning exchanged before final selection.

For two reasoning traces, $r_i$ and $r_j$, the paper defines a reasoning distance:

$$ d_{ij} = 1 - \operatorname{sim}(r_i, r_j) $$

A small distance indicates semantically similar reasoning. A larger distance indicates different or potentially conflicting rationales.

It then proposes a reasoning-supported score for candidate answer $o$:

$$ S(o) = \lambda_1 \phi(o,r_1) + \lambda_2 \phi(o,r_2) --- \lambda_3 \delta(r_1,r_2,o) $$

Here:

  • $\phi(o,r_i)$ represents how strongly reasoning trace $r_i$ supports option $o$;
  • $\delta(r_1,r_2,o)$ represents unresolved conflict between the traces concerning that option;
  • $\lambda_1$, $\lambda_2$, and $\lambda_3$ weight the two traces and the contradiction penalty.

Conceptually, this is preferable to majority voting. Two agents choosing the same answer should not automatically count as two units of independent support. They may be repeating the same unsupported assumption. Conversely, two agents choosing different answers may reveal useful complementary evidence rather than mere noise.

The framework is trying to distinguish at least three states:

Runtime state Possible interpretation Sensible intervention
Similar answers and well-supported reasoning Stable agreement Preserve or finalize
Different answers with complementary evidence Potentially useful disagreement Compare evidence or invoke targeted review
Conflicting or weakly supported reasoning Unstable decision Abstain, retrieve evidence, constrain revision, or escalate

This is the right class of problem. Multi-agent reliability cannot be managed solely by counting votes after communication has already contaminated every participant’s context.

A runtime monitor should observe the communication process before the system commits to a final answer.

The formal scaffold outruns the reported implementation

The paper’s equations should be interpreted as a proposed monitoring design, not as a fully validated detector.

The experiments show that exchanging reasoning traces changes model answers and that the resulting effects vary by model and domain. They do not report enough implementation detail to establish that the formal distance and support score reliably predict those changes.

In particular, the paper does not specify:

  • which semantic similarity model instantiates $\operatorname{sim}(r_i,r_j)$;
  • how $\phi(o,r_i)$ is calculated;
  • how unresolved conflict $\delta(r_1,r_2,o)$ is detected;
  • how the $\lambda$ weights are selected;
  • whether any thresholds are calibrated;
  • how the formal score maps to the prompts used for answer revision;
  • whether the score separates beneficial from harmful exchanges;
  • whether performance is sensitive to alternative weights or similarity measures.

There is also no ablation comparing answer-only exchange with reasoning-trace exchange, no sensitivity test for the proposed weights, and no evaluation showing that reasoning distance predicts negative transitions.

This does not invalidate the reported accuracy and transition results. It narrows what they support.

The evidence establishes that cross-model reasoning can produce both correction and contamination. It does not yet establish that the proposed monitor can identify which outcome is about to occur.

The distinction is commercially important. A conceptual risk signal may motivate a prototype. A calibrated runtime control can govern a production system. Those are different maturity levels, however enthusiastically one draws the arrows.

What each experimental component contributes

Paper component Likely purpose What it supports What it does not prove
Figure 2 pipeline Implementation overview Clarifies the sequence of independent answers, exchange, revision, and judging Does not validate the runtime signals
Table I and Figure 3 Main evidence Shows domain- and model-dependent accuracy changes Does not explain why individual exchanges succeed or fail
Table II and Figure 4 Main evidence Separates corrections from newly introduced errors Does not establish causal predictive features
Domain comparison Main evidence with exploratory interpretation Shows that effects are not uniform across subjects Does not isolate domain characteristics responsible for the variation
Reasoning distance and support equations Conceptual mechanism Defines signals a runtime monitor might use Does not demonstrate calibrated detection or optimal routing

There is no appendix carrying a second empirical thesis, and no reported robustness or sensitivity suite. The tables and figures are primarily different views of the same core evidence.

That makes the paper useful as a diagnosis of the problem and an initial experimental demonstration. It should not be mistaken for a production-ready monitoring specification.

Treat multi-agent communication as a gated intervention

The natural business inference is to stop treating collaboration as a permanent architectural feature.

Reasoning exchange should be invoked selectively.

A useful deployment design would preserve each model’s independent output, estimate the expected value of intervention, and allow the original answer to survive when review is more likely to disrupt than correct.

A basic flow might look like this:

Independent answer and reasoning
Risk or uncertainty trigger
Select reviewer using domain-specific evidence
Compare answer support and conflict
Accept revision, preserve original, retrieve evidence, or abstain

The key word is trigger. Running a panel of models on every request is easy to diagram and expensive to govern.

A practical evaluation framework

Decision question Metric or evidence Operational consequence
Does the baseline need help? Baseline error rate by task and domain Avoid reviewing cases with little recoverable error
Is this reviewer useful for this recipient? Pairwise wrong-to-correct and correct-to-wrong transitions Route review by model pair, not generic model reputation
Is disagreement informative? Answer divergence, evidence overlap, reasoning conflict Distinguish useful dissent from unsupported noise
Is the intervention economically positive? Error value, disruption cost, compute, and latency Deploy only where expected net value is positive
Is the judge genuinely better? Judge transitions relative to each candidate answer Do not automatically privilege the final stage
Does the system know when to stop? Calibration, abstention, escalation rate Prevent iterative review from becoming error amplification

The net value of a review stage can be represented as:

$$ V_{\text{net}} = ## n_{W\rightarrow C}\cdot v_{\text{correction}} ## n_{C\rightarrow W}\cdot c_{\text{disruption}} ## c_{\text{compute}} c_{\text{latency}} $$

This is a Cognaptus operational inference, not a formula tested in the paper.

It matters because corrections and disruptions rarely have equal value. Fixing an inconsequential formatting choice does not offset corrupting a correct compliance answer. A one-point aggregate accuracy gain can be economically negative when the damaged cases are expensive.

Production evaluation should therefore weight transitions by business consequence:

$$ V_{\text{weighted}} = \sum_k \left( n^{(k)}_{W\rightarrow C}\cdot v_k --- n^{(k)}_{C\rightarrow W}\cdot c_k \right) --- c_{\text{system}} $$

where $k$ indexes task or error categories.

This reframes the architecture decision. The objective is not to maximize how often models communicate. It is to maximize the value of the transitions their communication causes.

Deploy the reviewer in shadow mode before giving it authority

The paper’s setup naturally supports a cautious implementation path.

First, run the reviewer without allowing it to overwrite the baseline. Record:

  • the original answer;
  • the proposed revision;
  • the final verified outcome;
  • whether the revision would have corrected or disrupted the baseline;
  • the model pair and task category;
  • reasoning disagreement and evidence signals;
  • latency and inference cost.

This creates a transition dataset specific to the actual business workflow.

The next step is not necessarily full automation. It may be a narrow gate:

  • review only low-confidence cases;
  • review only domains where the model pair has positive historical impact;
  • preserve the original when a stronger model faces a weaker reviewer;
  • escalate conflicts to retrieval or a human rather than forcing another model vote;
  • disable the judge where it has negative incremental value.

The paper’s networking result is exactly why this staged approach matters. A global “reasoning exchange enabled” switch would combine a useful Phi-3 intervention with a harmful Gemma-2 intervention under the same policy.

The model pair is part of the treatment. The domain is part of the treatment. The baseline state is part of the treatment.

“Multi-agent” is not a treatment specification.

What the paper shows, what businesses may infer, and what remains open

The safest way to use this study is to keep three levels of claim separate.

What the paper directly shows

Across the tested multiple-choice subsets:

  • exchanging reasoning improves most model-domain combinations;
  • the largest gain occurs when a much weaker cybersecurity baseline receives reasoning from the stronger model;
  • the stronger networking model becomes slightly worse after exchange;
  • the independent judge also underperforms the strongest networking baseline;
  • positive and negative answer transitions vary substantially by model and domain.

These are the paper’s empirical results.

What Cognaptus infers for business use

A business should treat reasoning exchange as a conditional intervention rather than an always-on reliability feature.

The most useful controls are likely to include:

  • domain-specific reviewer selection;
  • preservation of independent answers before communication;
  • separate measurement of correction and disruption;
  • cost-sensitive transition metrics;
  • calibrated abstention or escalation;
  • selective invocation based on expected value.

These conclusions follow reasonably from the observed asymmetry, but the paper does not test them in production.

What remains uncertain

The study does not establish:

  • performance on open-ended generation;
  • reliability in long-horizon agent workflows;
  • behaviour when agents call live tools or retrieve changing information;
  • resistance to adversarial or strategically misleading agents;
  • whether reasoning similarity predicts correctness;
  • whether the support-and-conflict score can be implemented reproducibly;
  • how results change with larger agent teams;
  • whether gains survive different prompts, temperatures, model versions, or datasets;
  • whether the added inference cost and latency are justified.

The uncertainty is not a decorative footnote. It determines how far the findings can travel.

The evidence is controlled, narrow, and still useful

The experiments use three Open Quiz Commons subject subsets: cybersecurity, machine learning, and networking. Each task is a four-option multiple-choice question. The two base models are Phi-3-14B and Gemma-2-9B, with Llama 3.2 acting as judge.

This is a clean setting for tracking answer transitions. Ground truth is explicit, outputs can be normalized to A/B/C/D, and a revision is easy to classify.

It is not an operational agent environment.

The agents do not appear to execute long plans, make irreversible tool calls, negotiate ambiguous user intent, or operate under changing external evidence. The study does not report cost, latency, failure recovery, security attacks, or human escalation.

Multiple-choice revision is also easier to score than open-ended reasoning. A model can move from B to C and be counted as corrected. In a generated report, a second model may repair one claim, introduce two softer distortions, omit a critical qualification, and improve the prose. The transition is no longer one-dimensional.

The experiments nevertheless expose a general problem that survives the benchmark boundary: information from another model is an intervention, not free reliability.

The controlled setting makes that problem measurable. It does not settle its production form.

More agents require more selective trust

The paper begins with a familiar ambition: monitor multi-agent communication so that errors can be detected and corrected before they propagate.

Its strongest contribution is slightly less grand and more useful.

It demonstrates that communication itself belongs inside the risk model.

A second model can rescue a weak answer. It can also persuade a stronger model to abandon a correct one. A judge can improve the result. It can also add one more layer of confident damage. Final accuracy may rise while hiding costly disruption underneath.

The appropriate response is not to reject multi-agent systems. It is to stop granting communication an automatic presumption of benefit.

Measure the transitions. Preserve the independent baselines. Select reviewers by demonstrated conditional value. Price the errors they introduce. Gate the intervention. Escalate uncertainty instead of forcing consensus.

Two heads can be better than one.

They can also share the same error budget.

Cognaptus: Automate the Present, Incubate the Future.


  1. Shahnewaz Karim Sakib and Anindya Bijoy Das, “Preventing Error Propagation in Multi-Agent AI through Runtime Monitoring,” arXiv:2606.29026, 2026, https://arxiv.org/abs/2606.29026↩︎