Graphs, Agents, and the Coordination You Can't See
I spent a good part of my research career building graph algorithms. The core problem was always the same: given data, construct the right graph so that downstream tasks, such as clustering, classification, and understanding signal propagation, capture useful structure in the data. The graph is the lens. Get the lens wrong and you're staring at noise.
I've been thinking about this again lately, but in a very different context. With the proliferation of AI agents, the clankers, as some are calling them, the assumptions that made graph-based abuse detection work are quietly breaking down. Not because graphs stopped being the right abstraction, but because the signals we used to construct them are becoming slowly becoming unreliable.
Coordination that used to leak
A useful assumption used to hold: if something bad was coordinated, the coordination would show up in the data in subtle ways. Maybe the accounts followed each other. Maybe they activated in tight bursts. Maybe they posted near-identical messages. The specific feature varied, but the operational idea was stable: the attack would leak enough surface-level regularity that you could build a graph around it.
Graph construction for abuse detection was really about figuring out which edges to keep — which connections carried actual coordination signal versus noise. The coordination graph was something you could derive from content overlap, timing synchrony, behavioral similarity. The edges were visible because the accounts didn't have enough behavioral autonomy.
That assumption is now under pressure.
What agents change
An agentic account today doesn't need to template content. It can preserve intent while changing surface form. It doesn't need to move in lockstep. It can vary timing, mimic ordinary usage rhythms, and stretch activity over longer windows. The accounts aren't visibly linked in the old way.
The coordination is getting harder to detect, sleeper agent types. The graph we used to build from obvious signals? It collapses. Not because the coordination disappeared, but because it stopped being visible to the features you relied on.
The coordination didn't disappear. Your graph did.
And this problem is bigger than social media.
The PR attack you won't catch
Think about a codebase with active AI agents (which we are typically not aware of) submitting pull requests. Each PR, individually, looks perfectly fine. A typo fix. A config update. A small helper function. A refactored auth module. A version bump. A doc change.
Code review passes. CI passes. Each change is innocuous in isolation.
But together? The config change opened a port. The helper introduced a function that's never called — until the auth refactor routes to it. The version bump pulled in a dependency with a known vulnerability. Five clean PRs, zero alerts, one backdoor.
Each PR looked fine. Together they owned the system.
As agents proliferate across development workflows, the attack surface isn't a single malicious commit — it's a campaign distributed across individually benign contributions. The harm lives at the level of coordination, not at the level of the individual action.
The point-wise review — is this PR bad? — misses the campaign entirely. You need the graph. But which graph?
| Old Detection | What's Needed | |
|---|---|---|
| Unit of analysis | Individual message / account / PR | Campaign, subgraph, role structure |
| Edge construction | Lexical overlap, synchrony, repetition | Semantic anchoring, behavioral policy, role consistency |
| Attack assumption | Dense, obvious clusters | Sparse, role-differentiated, fragmented |
| Failure mode | Misses adaptive coordination | Misses nothing that's coordinated by policy |
The graph algorithm gap
Most graph algorithms for anomaly detection assume the graph is given or that constructing it from first-order observables (follow edges, interaction edges, diff stats) is sufficient. But when the attack is coordinated through latent policy rather than visible interaction, the first-order graph is the wrong graph.
What we need are algorithms that can construct coordination graphs from weak, distributed signals, not just "who talked to whom" but "who behaved similarly under different contexts." Edges based on local behavioral geometry rather than global similarity thresholds. Algorithms that score subgraphs and campaigns, not just nodes, because the individual node is unremarkable — the structure is the anomaly. And critically, algorithms that handle adversarial graph construction where the attacker is an LLM-powered agent that can reason about what your detector looks for.
Algorithm-LLM co-design
This is the thought that's been stuck in my head. We've heard of software-hardware co-design — the idea that you should optimize software and hardware together to achieve higher performance. I think we're heading toward something analogous for algorithms in the age of LLMs.
Algorithm-LLM co-design: the algorithm needs to understand the generative process that produced the data.
When the adversary is a bot, the data generation process was simple. Standard graph algorithms handled this fine. With LLM-powered agents, the data generation process islot more tricky. The graph algorithm needs to account for what an LLM can and cannot vary in its outputs while preserving coordinated intent.
This means the graph construction and algorithms might need to incorporate language model priors directly. Behavioral consistency signals calibrated against what natural LLM variation looks like. Edge weights that reflect coordination probability given a generative model, not just feature distance.
The graph algorithms I worked on were designed for a world where data was human generated and the construction problem was geometric. Now the data and the generation process itself is a model. The construction problem is still about building the right graph — but "right" now means "aware of the generative process."
Open questions
If I were starting graph research today, the questions I'd focus on:
- How do you construct coordination graphs when edges can't rely on surface similarity? What does a graph construction algorithm look like in LLM Behavioral Policy space?
- What does campaign-level anomaly detection look like on graphs where the malicious subgraph is sparse, role-differentiated, and fragmented?
- Can you build graph construction algorithms that are inherently adversarial-aware — that model the attacker's generative process as part of the edge construction?
- How do you evaluate these systems? Old bot-style benchmarks will give you deceptively good numbers. You need evaluation on adaptive attacks.
This post reflects personal observations on the evolving landscape of AI-powered coordination. Written with LLMs.