The Subagent That Inherited a System Prompt It Should Not Have Seen
A planner agent receives a task, decomposes it, and spawns a researcher subagent to handle one of the branches. The orchestration framework propagates the parent's full context to the child because that is the easiest default to ship. The researcher now holds the planner's complete system prompt — the policy text, the names of internal tools, the credentials the parent was scoped to use, the few-shot examples that hint at how your billing pipeline is structured. The researcher's job was to read three documents. The blast radius of the call is the entire authority of the parent.
This is not a hypothetical. It is the default behavior of most multi-agent frameworks shipping in production today. A recent audit found that 93% of agentic projects use unscoped API keys, and that when one agent calls another, the child agent either inherits the parent's full credentials or receives its own independent key — with no project implementing scope narrowing, depth limits, or cascade revocation for delegated access. The framework treats "share parent state" as a convenience and "scope down the child" as opt-in. The opt-in step is the one nobody writes.
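
The three controls named above (scope narrowing, depth limits, cascade revocation), together with an allowlisted context hand-off in place of "share parent state", as an added example that is not code from the original post or from any particular framework. `Grant`, `delegate`, `revoke`, `MAX_DEPTH` and the scope strings are hypothetical names chosen for illustration, and the sample prompt and task values are constructed.

```python
from dataclasses import dataclass, field
from itertools import count

MAX_DEPTH = 2          # assumed policy: at most two hops below the root agent
_ids = count(1)
_revoked = set()       # ids of revoked grants

@dataclass(frozen=True)
class Grant:
    """Authority held by one agent: explicit scopes, explicit context, parent link."""
    scopes: frozenset
    context: dict
    depth: int = 0
    parent: "Grant | None" = None
    id: int = field(default_factory=lambda: next(_ids))

    def delegate(self, scopes, context_keys):
        """Return a child grant that can narrow this one but never widen it."""
        scopes = frozenset(scopes)
        if self.depth >= MAX_DEPTH:
            raise PermissionError("delegation depth limit reached")
        if not scopes <= self.scopes:
            raise PermissionError(f"scope escalation: {sorted(scopes - self.scopes)}")
        # Allowlist copy: the child gets only the named keys, never the whole
        # parent context (system prompt, credentials, few-shot examples).
        child_ctx = {k: self.context[k] for k in context_keys}
        return Grant(scopes, child_ctx, self.depth + 1, self)

    def is_valid(self):
        """Cascade revocation: a grant dies with any of its ancestors."""
        g = self
        while g is not None:
            if g.id in _revoked:
                return False
            g = g.parent
        return True

    def allows(self, scope):
        return self.is_valid() and scope in self.scopes

def revoke(grant):
    _revoked.add(grant.id)

if __name__ == "__main__":
    planner = Grant(frozenset({"docs:read", "billing:write"}),
                    {"system_prompt": "<planner policy>", "task": "read three documents"})
    researcher = planner.delegate({"docs:read"}, ["task"])
    print(researcher.context, researcher.allows("billing:write"))
    revoke(planner)
    print(researcher.allows("docs:read"))
```

The point of the shape is that the narrowing happens in the one call every spawn has to go through, so scoping down the child is no longer an opt-in step.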
