🤖 AI Summary
Enterprise-scale multi-agent systems introduce novel attack surfaces through tool invocation, memory management, and inter-agent communication, yet lack a systematic security architecture. This work identifies tool orchestration and memory management as the two critical integration interfaces responsible for emergent security risks. To address these vulnerabilities, the paper proposes five defense principles aligned with established compliance standards and constructs a defense-in-depth framework grounded in the Model Context Protocol (MCP). The framework integrates stage-bound agents, consensus verification loops, and organization-level memory boundaries. Experimental evaluation demonstrates that this design intercepts 75% of representative attack chains within their first two steps and reduces exploitable trust boundaries by at least 72% compared to flat architectures.
📝 Abstract
Multi-agent systems (MAS) powered by LLMs promise adaptive, reasoning-driven enterprise workflows, yet granting agents autonomous control over tools, memory, and communication introduces attack surfaces absent from deterministic pipelines. While current research largely addresses prompt-level exploits and narrow individual vectors, it lacks a holistic architectural model for enterprise-grade security. We introduce AgenticCyOps (Securing Multi-Agentic AI Integration in Enterprise Cyber Operations), a framework built on a systematic decomposition of attack surfaces across component, coordination, and protocol layers, revealing that documented vectors consistently trace back to two integration surfaces: tool orchestration and memory management. Building on this observation, we formalize these integration surfaces as primary trust boundaries and define five defensive principles: authorized interfaces, capability scoping, verified execution, memory integrity & synchronization, and access-controlled data isolation, each aligned with established compliance standards (NIST, ISO 27001, GDPR, EU AI Act). We apply the framework to a Security Operations Center (SOC) workflow, adopting the Model Context Protocol (MCP) as the structural basis, with phase-scoped agents, consensus validation loops, and per-organization memory boundaries. Coverage analysis, attack path tracing, and trust boundary assessment confirm that the design addresses the documented attack vectors with defense-in-depth, intercepts three of four representative attack chains within the first two steps, and reduces exploitable trust boundaries by a minimum of 72% compared to a flat MAS, positioning AgenticCyOps as a foundation for securing enterprise-grade integration.
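The abstract names the two trust boundaries (tool orchestration and memory management) and the principles that guard them, but does not show what enforcing them at an integration surface looks like. The following is an added illustration, not code from the paper or the AgenticCyOps framework: a single orchestrator through which every tool call passes, enforcing authorized interfaces (only registered tools are reachable), capability scoping (each phase-scoped agent holds a fixed tool allow-list), verified execution (high-impact actions need a quorum of independent validators), and access-controlled memory isolation (an agent can only read its own organization's store). The phase names, tool names, host naming rule, host ownership table, and the two example organizations are all assumptions made for the demo.

```python
"""Added illustration of phase-scoped capabilities, registered-only tool interfaces,
per-organization memory isolation and a consensus gate for high-impact actions.
All phase, tool, host and organization names are assumptions, not from the paper."""
from dataclasses import dataclass
from typing import Callable


class PolicyViolation(Exception):
    """Raised when an agent's request would cross a trust boundary it may not cross."""


# Assumed SOC phases and the tool capabilities granted to each phase-scoped agent.
PHASE_CAPABILITIES: dict[str, frozenset[str]] = {
    "triage": frozenset({"read_alert", "lookup_asset"}),
    "investigation": frozenset({"read_alert", "lookup_asset", "query_logs"}),
    "response": frozenset({"query_logs", "isolate_host"}),
}
# Tools that must pass the consensus gate before execution (assumed).
HIGH_IMPACT_TOOLS = frozenset({"isolate_host"})
# Constructed asset inventory used by the validators: host -> owning organization.
HOST_OWNER = {"ws-17": "acme", "ws-18": "acme", "ws-90": "globex"}


@dataclass(frozen=True)
class Agent:
    name: str
    phase: str  # the workflow stage the agent is bound to
    org: str    # the organization whose data it may touch


class OrgMemory:
    """Per-organization memory: every org has its own store, and an agent may only
    read or write the store of its own organization (no cross-tenant reads)."""

    def __init__(self) -> None:
        self._stores: dict[str, dict[str, object]] = {}

    def write(self, agent: Agent, key: str, value: object) -> None:
        self._stores.setdefault(agent.org, {})[key] = value

    def read(self, agent: Agent, org: str, key: str) -> object:
        if org != agent.org:
            raise PolicyViolation(f"{agent.name} ({agent.org}) may not read memory of {org}")
        return self._stores.get(org, {}).get(key)


class Orchestrator:
    """Single choke point for tool invocation; allowed and denied calls are both audited."""

    def __init__(self, validators: list[Callable[[dict], bool]], quorum: int) -> None:
        self._tools: dict[str, Callable[..., object]] = {}
        self._validators = validators
        self._quorum = quorum
        self.audit: list[tuple[str, str, str]] = []  # (agent, tool, decision)

    def register(self, name: str, fn: Callable[..., object]) -> None:
        self._tools[name] = fn

    def consensus(self, proposal: dict) -> bool:
        """Each validator votes independently; the action proceeds only if at least
        `quorum` approve. A validator that raises is counted as a rejection."""
        approvals = 0
        for validate in self._validators:
            try:
                approvals += 1 if validate(proposal) else 0
            except Exception:
                pass
        return approvals >= self._quorum

    def _deny(self, agent: Agent, tool: str, reason: str) -> None:
        self.audit.append((agent.name, tool, f"denied: {reason}"))
        raise PolicyViolation(reason)

    def invoke(self, agent: Agent, tool: str, **args: object) -> object:
        if tool not in self._tools:                              # authorized interfaces
            self._deny(agent, tool, "not a registered interface")
        if tool not in PHASE_CAPABILITIES.get(agent.phase, frozenset()):  # capability scoping
            self._deny(agent, tool, f"not granted to phase {agent.phase!r}")
        proposal = {"agent": agent.name, "org": agent.org, "tool": tool, "args": args}
        if tool in HIGH_IMPACT_TOOLS and not self.consensus(proposal):   # verified execution
            self._deny(agent, tool, "consensus not reached")
        self.audit.append((agent.name, tool, "allowed"))
        return self._tools[tool](**args)


def demo() -> dict[str, object]:
    """Constructed scenario: two organizations, three agents, one over-reach per boundary."""
    orch = Orchestrator(
        validators=[
            lambda p: "host" in p["args"],                              # action names a target
            lambda p: p["args"].get("host") in HOST_OWNER,              # target is in inventory
            lambda p: HOST_OWNER.get(p["args"].get("host")) == p["org"],  # requester owns it
        ],
        quorum=2,
    )
    orch.register("read_alert", lambda alert_id: {"id": alert_id, "sev": "high"})
    orch.register("query_logs", lambda host: [f"{host}: login ok"])
    orch.register("isolate_host", lambda host: f"{host} isolated")
    memory = OrgMemory()
    triage = Agent("triage-1", "triage", "acme")
    responder = Agent("resp-1", "response", "acme")
    outsider = Agent("resp-2", "response", "globex")

    outcome: dict[str, object] = {}
    outcome["alert"] = orch.invoke(triage, "read_alert", alert_id=42)
    memory.write(triage, "alert-42", outcome["alert"])
    outcome["isolate"] = orch.invoke(responder, "isolate_host", host="ws-17")
    attempts = {
        "scope": lambda: orch.invoke(triage, "query_logs", host="ws-17"),
        "interface": lambda: orch.invoke(responder, "unregistered_tool", x=1),
        "memory": lambda: memory.read(outsider, "acme", "alert-42"),
        "consensus": lambda: orch.invoke(outsider, "isolate_host", host="dc-01"),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            outcome[label] = "allowed"
        except PolicyViolation:
            outcome[label] = "blocked"
    outcome["audit_len"] = len(orch.audit)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of routing every call through one `invoke` is that the three tool-side principles are checked in one place and every decision, allowed or denied, lands in the same audit trail; the memory boundary is enforced by the store itself rather than by agent good behaviour. The consensus quorum is a policy knob: 2 of 3 lets one faulty validator neither block nor single-handedly approve an action, while a quorum equal to the validator count makes high-impact actions unanimous.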