Multi-Agent Workflows for Vertical AI Applications

Recent advances in large language models (LLMs) and tool-using agents have reignited interest in multi‑agent systems (MAS) as a practical engineering paradigm. Unlike general-purpose chatbots, vertical AI applications must meet domain-specific performance, reliability, compliance, and cost constraints. This paper proposes a systematic approach to designing, orchestrating, and evaluating multi‑agent workflows tailored to verticals such as healthcare, finance, legal, manufacturing, and retail. We synthesize classical MAS theory with contemporary LLM agent toolchains to derive patterns, architectural primitives, governance controls, and metrics for production-grade systems. We provide reference workflows and design checklists, discuss failure modes and safety mitigations, and frame open research questions. Throughout, we include concrete prompts for generating illustrative diagrams and UI mockups that help teams communicate architecture, state, and safety controls.

Vertical AI applications-e.g., a radiology triage assistant, an anti-money-laundering (AML) investigator, or a contract review copilot-require more than a single monolithic model. Practitioners increasingly compose ensembles of specialized agents that plan, retrieve, reason, call tools, verify, and coordinate with human operators. This “multi‑agent” approach is attractive because it decomposes complex, interdependent tasks into modular roles with explicit interfaces and accountability surfaces.

However, building trustworthy multi‑agent workflows for specific industries remains difficult. Domain constraints (e.g., HIPAA, SOX, MiFID II), structured data sources, and human-in-the-loop checkpoints complicate naïve LLM agent designs. Moreover, multi‑agent orchestration introduces emergent failure modes-non-termination, echo chambers, adversarial collusion, prompt rot, and contradictory state-that are poorly addressed by general-purpose agent demos.

This paper develops a design and evaluation framework for vertical multi‑agent workflows. We integrate classical MAS results (organization theory, negotiation protocols, blackboard systems) with modern LLM agent patterns (ReAct, toolformer, planner–solver–critic, self-reflection, graph-based orchestration). We articulate domain-driven requirements (safety, latency, explainability, cost ceilings) and map them to architectural primitives (roles, runtime guards, verifiers, memory substrates, lineage). We also propose benchmarkable metrics and test harnesses that reflect vertical constraints.

Contributions:

• 1. A reference architecture for vertical multi‑agent systems (VMAS) that separates cognition, coordination, tools, data planes, and governance layers.

• 2. A taxonomy of workflow patterns (pipeline, blackboard, contract net, planner–executor, debate/reflection, supervisory graphs) illustrated with domain-specific examples.

• 3. A principled evaluation methodology (task success, calibration, reproducibility, cost, latency, robustness, safety) with scenario libraries and scoring rubrics.

• 4. Practical guidance on compliance, privacy, model risk management (MRM), and change control for regulated environments.

• 5. Open problems: formal guarantees, compositional verification, incentive design, data lineage, and continuous assurance.

Classical Multi‑Agent Systems

Multi‑agent systems study collections of autonomous entities (agents) that perceive, reason, and act in shared environments. Early MAS research explored agent communication languages (KQML, FIPA‑ACL), organizational structures (hierarchies, markets), and coordination mechanisms (blackboard, contract net). Foundational ideas include:

• •Agent types: reactive, deliberative (BDI), hybrid.
• •Coordination: centralized vs. decentralized; cooperative vs. competitive; task allocation via auctions or negotiation.
• •Blackboard architecture: agents post and read partial solutions on a shared knowledge substrate.
• •Contract Net Protocol (CNP): task announcement, bidding, awarding, and execution.

While these frameworks predate LLMs, they offer durable principles for role decomposition, communication protocols, and conflict resolution.

LLM Agents and Tool Use

Modern LLMs can plan, call tools (APIs, code interpreters, retrievers), and reflect using chain‑of‑thought and external memory. Notable patterns include:

• •ReAct: interleaves reasoning and acting (tool calls) with observations.
• •Toolformer/Function calling: structured tool invocation with constrained schemas.
• •Self‑reflection / Critic agents: post‑hoc auditing or iterative refinement.
• •Auto‑planning / Task graphs: explicit state machines (graphs) that constrain agent transitions to avoid infinite loops.
• •Human‑in‑the‑loop (HITL): break‑glass approvals, escalation, and supervision.

Vertical AI Constraints

• •Data: highly structured, governed, and siloed; often time‑series or tabular with strict lineage.
• •Safety: legal/compliance frameworks (HIPAA, GDPR, Basel, SOX) and internal MRM.
• •Operations: clear SLAs on latency, cost ceilings, and reproducibility; change control and audit.

The intersection of MAS and vertical AI demands architectures that are modular, auditable, and robust under distribution shift.

We target multi‑step, cross‑tool tasks typical of vertical workflows. Examples include:

• •Healthcare: intake → triage → guideline retrieval → differential diagnosis drafting → radiology order suggestion → patient‑friendly summary.
• •Finance: KYC onboarding → entity resolution → adverse media search → risk scoring → SAR drafting.
• •Legal: clause extraction → risk heatmap → counter‑proposal generation → negotiation simulation → final redlines.
• •Manufacturing: sensor diagnosis → root cause analysis → maintenance plan → parts ordering.

Goal: given inputs (x) (docs, tables, signals) and tool universe (T), design a multi‑agent workflow (W) that maximizes utility (U) subject to constraints on safety (S), cost (C), latency (L), and compliance (G). Formally:

[ _W ; [U(W(x;T))] S(W) s_0,; C(W) c_0,; L(W) _0,; G(W)=. ] Here (S) encodes safety scores (e.g., hallucination risk, PHI leakage), (G) denotes governance checks (policy compliance), and (U) is domain‑specific value (e.g., diagnostic F1, recovered revenue, cycle time reduction).

We propose a layered architecture (Figure 1 prompt below) that separates concerns and enables independent evolution of components.

Layers

• 1. Interaction Layer (UI/HITL): task intake, operator console, explanations, approvals.

• 2. Coordination Layer: workflow graph runtime; message bus; policy engine; router.

• 3. Cognition Layer: specialized agent roles (planner, solver, retriever, verifier, critic, negotiator).

• 4. Tooling Layer: structured tool adapters (RAG, SQL, search, extraction, code, calculators, domain APIs).

• 5. Data & Memory Layer: vector/graph stores, episodic and semantic memory, blackboard; lineage and versioning.

• 6. Governance Layer: safety filters, PII/PHI redaction, model risk registry, guardrails, audit logging, change management.

Core Primitives

• •Agent Role: (a := (policy, tools, memory, constraints))
• •Message: (m := (sender, receiver, content, schema, provenance))
• •Tool Call: typed function call with JSON schema; idempotency keys; rate limits.
• •Workflow Graph: (G=(V,E)) where nodes are agents/tools and edges are typed channels with guards.
• •Policy Guard: predicate over (message, state) → allow/transform/block.
• •Verifier: deterministic or stochastic checker with acceptance thresholds.
• •Tracer: event log with spans, lineage IDs, and redaction domains.

Orchestration Runtimes

Options span from lightweight libraries (graph DSLs) to distributed systems (actors, microservices). Key capabilities:

• •Deterministic routing: finite-state machine or DAG with guards; retry semantics.
• •Concurrency control: fan‑out/fan‑in with quorum policies; timeouts and circuit breakers.
• •State management: per‑task context, memory shares, and materialized views.
• •Observability: traces, structured logs, counters, and cost telemetry.

Memory Substrates

• •Episodic memory: per‑session messages and artifacts.
• •Semantic memory: embeddings or graph‑based entity memory.
• •Blackboard store: shared hypothesis board with conflict detection.
• •Policy memory: learned preferences and operator feedback.

We catalog patterns that recur across industries and map them to constraints and tooling.

Planner–Executor–Critic (PEC)

Structure: a planning agent decomposes tasks; multiple executors perform tool‑calls; a critic verifies outputs, requests revisions, or escalates to a human.

• •Use: document processing, report generation, decision support.
• •Strengths: modularity, explainability, natural fit for HITL.
• •Risks: over‑planning (latency/cost), critic confirmation bias.

Blackboard Collaboration

Agents post partial hypotheses (e.g., diagnoses, entity links) to a shared store. A controller triggers agents when relevant slots change.

• •Use: diagnostics, multi‑modal triage, fraud rings discovery.
• •Strengths: flexible, supports asynchronous agents, good for evidence accumulation.
• •Risks: race conditions, duplicate work; needs conflict resolution policies.

Contract Net / Auction Allocation

A manager broadcasts a task; specialists bid with cost/utility estimates; the manager awards the task.

• •Use: choosing among retrieval strategies (keyword vs. vector), selecting annotators, routing to model variants.
• •Strengths: economic interpretation; enables cost‑aware routing.
• •Risks: strategic bidding; need truthful scoring rules.

Debate and Reflection

Two or more agents argue for/against hypotheses; a judge selects the best answer or requests new evidence.

• •Use: legal risk assessment, medical differential diagnosis, model red‑teaming.
• •Strengths: often improves factuality and coverage.
• •Risks: longer latency; theatrical debates without substantive evidence.

Graph‑Constrained ReAct

Agents interleave tool calls with reasoning, but transitions are constrained by an explicit graph with timeouts and max‑step ceilings.

• •Use: RAG over regulated data, step‑bounded automations.
• •Strengths: reduces infinite loops and prompt rot; easier to test.
• •Risks: under‑exploration if graph too rigid.

Supervisor Trees and Escalations

A supervisor monitors outcomes and enforces stop conditions, cost budgets, and escalation to a human or a rule-based fallback.

• •Use: financial recommendations, medical instructions, compliance workflows.
• •Strengths: enforce policies; deliver predictable UX.
• •Risks: bottlenecks; too many escalations erode value.

We provide schematic workflows for exemplar verticals. Each includes role definitions, tools, and governance.

Healthcare: Radiology Triage Assistant

Objective: Assist radiologists by prioritizing studies, retrieving guidelines, and drafting findings while preserving PHI.

• •Roles: - Intake Agent: de‑identifies PHI, validates DICOM metadata. - Retriever: queries guideline corpus (e.g., ACR Appropriateness Criteria) and prior studies. - Vision Agent: (if available) interprets imaging summaries or model outputs. - Drafting Agent: composes preliminary read with uncertainty tags. - Verifier: checks for contradictions, missing key findings; ensures structured report sections. - Supervisor: enforces PHI rules and HITL sign‑off.
• •Tools: PACS adapters, DICOM validators, vector search, ICD/CPT coders, calculators (e.g., volume), guideline APIs.
• •Governance: PHI redaction; audit logs; versioned prompts; model cards.
• •Metrics: case‑level accuracy (lesion mention recall), time‑to‑report, error severity, escalation rate, PHI leakage rate.

Finance: AML/KYC Investigator

Objective: Accelerate KYC onboarding and AML investigations while maintaining traceability.

• •Roles: - Entity Resolution Agent: merges identities across sources; flags conflicts. - Adverse Media Agent: searches and ranks news hits with evidence snippets. - Risk Scoring Agent: aggregates features (jurisdiction, PEP status, network links) into scores with rationales. - SAR Drafting Agent: prepopulates suspicious activity reports with citations. - Compliance Verifier: checks policy rules, required fields, thresholds. - Supervisor: ensures four‑eyes principle and case journaling.
• •Tools: sanctions lists, news search, graph DBs, KYC APIs, explainable scoring models.
• •Governance: access controls; immutable case journals; eDiscovery export.
• •Metrics: precision/recall of risk flags, false positive reduction, case cycle time, regulator audit outcomes.

Legal: Contract Review Copilot

Objective: Extract clauses, assess risk, propose redlines, and simulate negotiation positions.

• •Roles: - Parser: converts PDFs to structured text; detects tables and exhibits. - Clause Extractor: identifies clause types and terms (e.g., indemnity caps). - Risk Assessor: maps terms to policy playbook and case law. - Redline Generator: proposes edits with justifications. - Negotiation Simulator: generates counter‑party responses and explores Pareto‑improving trades. - Verifier: ensures track changes formatting, highlights deviations from fallbacks.
• •Tools: OCR, PDF parsers, citation retrievers, policy KB, diff tools.
• •Governance: privilege preservation, data residency, document retention policies.
• •Metrics: extraction F1 by clause type, review time saved, lawyer acceptance rate, escape defects (issues found post‑signing).

Manufacturing: Predictive Maintenance Orchestrator

Objective: Diagnose faults, recommend maintenance, order parts.

• •Roles: - Telemetry Agent: aggregates sensor streams; checks data quality. - Anomaly Detector: flags unusual patterns; correlates across sensors. - Root Cause Analyst: hypothesizes failure modes referencing manuals. - Planner: maps to maintenance actions, checklists, and technician skills. - Procurement Agent: checks inventory, lead times, and orders parts. - Verifier: validates safety steps and environmental compliance.
• •Tools: time‑series DB, rules engines, CMMS, ERP, vendor catalogs.
• •Metrics: MTBF/MTTR improvements, false alarm rate, spare stockouts avoided, compliance incidents.

Retail: Merchandising & Marketing Co‑Pilot

Objective: Optimize assortments, pricing tests, and campaign content.

• •Roles: - Demand Forecaster: seasonal models with LLM‑augmented signals (events, weather notes). - Assortment Planner: proposes SKU changes per store cluster. - Pricing Experiment Designer: suggests A/B cells with guardrails. - Content Generator: channel‑specific copy/images with brand rules. - Lift Estimator: estimates incremental sales; runs synthetic controls. - Compliance Auditor: checks claim substantiation and brand voice.
• •Tools: forecasting library, MAB/experiment platform, PIM, DAM, CMS.
• •Metrics: GMV lift, gross margin, experimentation velocity, brand violation rate.

Patterns That Work

• •Typed messages & schemas: enforce structure; ease auditing and tool integration.
• •Stateful graphs with guards: explicit transitions limit drift and loops.
• •Task tokens and budgets: per‑task currency to prevent runaway cost.
• •Hybrid verifiers: combine deterministic checks (schemas, rules) with learned critics.
• •Selective HITL: approvals where risk is concentrated (e.g., medical advice issuance).
• •Dual‑channel memory: short‑term blackboard plus long‑term vector/graph store.

Anti‑Patterns to Avoid

• •Unbounded chat: free-form agent chatter without schemas → non‑determinism.
• •Monolithic prompts: giant system prompts accumulating entropy and policy debt.
• •Single‑point critics: overreliance on one checker → correlated errors.
• •Opaque tool wrappers: hide failure reasons; impede observability.
• •Prompt rot: implicit dependencies on transient context; no versioning.

Vertical MAS must satisfy internal and external governance. We outline a practical control set aligned to MRM and compliance expectations.

Safety Risks

• •Hallucination / fabrication
• •Data leakage (PII/PHI/PCI)
• •Overconfidence / miscalibration
• •Tool misuse / unsafe actions
• •Model drift / prompt rot
• •Bias and unfairness

Controls and Guardrails

• 1. Input filters: PII/PHI detection, profanity/abuse filters; provenance checks.

• 2. Output guards: policy linting, redaction, cite‑before‑say (require evidence links).

• 3. Action guards: allow‑lists, dry‑run mode, simulators, approval workflows.

• 4. Budget guards: step caps, cost ceilings, timeouts, memory purges.

• 5. Model registry and prompt versioning: immutable IDs; canary rollouts; rollback.

• 6. Audit and lineage: event logs, data fingerprints, signature of artifacts.

Human‑in‑the‑Loop Design

• •Escalation tiers: automatic → assisted → supervised → blocked.
• •Explanation surfaces: rationales, evidence tables, diffs, uncertainty bars.
• •“Break‑glass” procedures: emergency overrides with enhanced logging.

Compliance Mapping

• •Healthcare: HIPAA (minimum necessary, access controls), FDA guidance on CDS.
• •Finance: KYC/AML, recordkeeping, SOX controls, model risk (SR 11‑7).
• •Privacy: GDPR/CCPA (data minimization, right to explanation where applicable).

Orchestration Frameworks

• •Graph Runtimes: DSLs for stateful workflows; step‑bounded control; resumability.
• •Agent Frameworks: role definitions, tool wiring, memory, and message schemas.
• •Message Bus: reliable delivery, retry queues, dead‑letter handling.

Serving and Scaling

• •Model Serving: multi‑tenant LLM gateways; dynamic model selection; quantization.
• •Concurrency & Resilience: actor systems, backpressure, circuit breakers.
• •Cost & Latency Telemetry: per‑agent cost meters, SLOs, auto‑throttling.

Data Plane

• •RAG Connectors: SQL, document stores, data lakes, vector DBs, knowledge graphs.
• •Caching: response, retrieval, and tool result caches with invalidation policies.
• •Lineage & Catalog: dataset/prompt/model versions; feature stores.

Observability

• •Tracing: request‑spans across agents and tools; correlation IDs.
• •Metrics: task success, retry rates, cost/latency percentiles.
• •Eventing: alerting on safety guard trips and anomalous patterns.

Metrics

• 1. Task Success Rate (TSR): fraction of tasks meeting acceptance criteria.

• 2. Exactness & Coverage: precision/recall on extracted fields; factuality scores.

• 3. Calibration: Brier score and ECE of agent confidence.

• 4. Latency: p50/p95 end‑to‑end and by stage.

• 5. Cost: per‑task and per‑stage monetary and token costs.

• 6. Robustness: performance under perturbations (noisy OCR, tool failures).

• 7. Safety: redaction recall, harmful content flags, policy violation rates.

• 8. Reproducibility: variance across seeds, model versions, time.

Scenario Libraries

Curate scenario sets per vertical: - Healthcare: canonical cases (e.g., appendicitis vs. gastroenteritis), imaging artifacts, rare edge cases. - Finance: shell companies, name collisions, nested ownership. - Legal: tricky clauses (MFN, change‑of‑control), conflicting exhibits. - Manufacturing: interdependent sensor failures, seasonal drift.

Test Harness

• •Spec‑as‑code: YAML definitions of tasks, acceptance checks, and budgets.
• •Synthetic operators: scripted HITL to standardize approvals.
• •Fault injection: simulated tool outages, slowdowns, and adversarial prompts.
• •Canarying: compare control vs. treatment workflows before full rollout.

Statistical Considerations

• •Power analyses for TSR improvements; sequential testing with spending functions.
• •Cost–benefit analyses incorporating human time and error severities.
• •Sensitivity analyses for guard thresholds; ablation of agents/guards.

Requirements Elicitation

• •What is the operator of value (e.g., hours saved, risk reduction)?
• •What decisions are automated vs. recommended vs. gated?
• •What evidence must be cited to support outputs?
• •What are latency and cost ceilings per task?
• •What regulators and internal policies apply?

Role Definition Template

• •Objective: concise role purpose.
• •Inputs/Outputs: schemas and constraints.
• •Tools: typed interfaces with limits.
• •Memory: scope and retention.
• •Policies: what to prohibit/escalate.
• •KPIs: per‑role metrics and alerts.

Guardrail Design

• •Map hazards → controls (input/output/action/budget).
• •Define thresholds and owner for each control.
• •Build dry‑run paths and simulators.
• •Log rationales and evidence for audit.

Cost & Latency Budgeting

• •Estimate per‑agent token burn and tool cost.
• •Add buffers for retries and debates.
• •Implement early‑exit rules when confidence high.
• •Cache heavy retrieval steps with TTLs.

Prompt & Model Lifecycle

• •Version prompts and models; pin IDs in prod.
• •Canary new versions; keep rollback windows.
• •Monitor prompt drift via semantic diffing.
• •Maintain prompt libraries with unit tests.

Below is a simplified blueprint for a graph‑constrained multi‑agent orchestrator with guards and HITL.

Retrieval Quality

For vertical tasks, retrieval sets the ceiling of performance. Combine: - Structured retrieval: SQL/Graph queries for canonical facts. - Semantic retrieval: dense embedding searches for unstructured text. - Evidence‑first prompting: require citations before synthesis.

Tool Reliability and Idempotency

• •Wrap tools with retries, backoff, idempotency keys.
• •Emit structured error taxonomies (transient vs. permanent).
• •Use shadow tools to compare outputs across providers.

Cost Controls

• •Choose small models for rote extraction and large models for synthesis.
• •Token streaming and early stopping in debates.
• •Cache intermediate artifacts; plan for cache invalidation triggers.

Human Factors

• •Design consoles that surface why an answer is plausible-not just what.
• •Track operator trust and acceptance; add explanatory friction for risky actions.
• •Provide undo and diff views.

End‑to‑End AML Case (Narrative)

A bank receives a new business account application. The Intake Agent validates forms and sanitizes PII. The Entity Resolution Agent queries corporate registries, merges entities, and flags a conflict: two beneficial owners share a surname with a politically exposed person in a neighboring country. The Adverse Media Agent runs a news sweep, retrieving three articles referencing sanctions. Confidence is low due to name collisions; the Critic requests additional disambiguating identifiers. After acquiring passport numbers, the Risk Scoring Agent assigns a medium risk with uncertainty 0.35, recommending escalation. The Compliance Verifier checks that all required evidentiary excerpts are cited and that thresholds are met. The HITL reviewer approves the Suspicious Activity Report draft after minor edits. All steps are logged with lineage IDs, and costs are within the $1.20 budget.

Radiology Mini‑Trial (Quantitative)

We deploy PEC with blackboard memory on a 1,000‑study retrospective set. Baseline TSR (radiologist‑only) is defined as 1.00 for safety; VMAS aims for time savings without increasing critical miss rate (CMR). After roll‑out, TSR remains unchanged within non‑inferiority margin δ=0.01; mean report time drops 18%; CMR unchanged; PHI leakage rate 0 across samples. Operator satisfaction increases by 0.6 on a 5‑point Likert scale.

• 1. Formal Guarantees: How to offer bounded‑error guarantees for stochastic agents and tool chains? Probabilistic contracts and assume‑guarantee reasoning are promising.

• 2. Mechanism Design: Robust auction/contract mechanisms for truthful cost/utility bidding among agents with learned policies.

• 3. Long‑Horizon Memory: Preventing ungrounded folklore in blackboards; reconciling conflicting memories with truth maintenance systems.

• 4. Adaptive Governance: Policies that learn from operator behavior while preserving compliance and avoiding automation bias.

• 5. Compositional Evaluation: From micro‑benchmarks to end‑to‑end outcomes with attribution across agents and tools.

• 6. Environment Simulators: Domain sandboxes for safe pre‑deployment testing of tool‑using agents.