This work addresses the challenge that existing stateless defense mechanisms struggle to counter adversarial semantic attacks dispersed across retrieval, planning, and generation components in multimodal agent-based RAG systems. The authors formulate the security problem as a partially observable Markov decision process (POMDP), treating adversarial intent as a latent variable for the first time and enabling stateful, layered defense through belief-state maintenance. They propose MMA-RAG^T, a model-agnostic runtime control framework that integrates modular trusted agents with structured large language model reasoning and configurable internal checkpoints. Evaluated on 43,774 test instances, the approach reduces average attack success rates by 6.5× with negligible impact on system utility. Ablation studies confirm that both statefulness and spatial coverage are critical to defense effectiveness.

Current stateless defences for multimodal agentic RAG fail to detect adversarial strategies that distribute malicious semantics across retrieval, planning, and generation components. We formulate this security challenge as a Partially Observable Markov Decision Process (POMDP), where adversarial intent is a latent variable inferred from noisy multi-stage observations. We introduce MMA-RAG^T, an inference-time control framework governed by a Modular Trust Agent (MTA) that maintains an approximate belief state via structured LLM reasoning. Operating as a model-agnostic overlay, MMA-RAGT mediates a configurable set of internal checkpoints to enforce stateful defence-in-depth. Extensive evaluation on 43,774 instances demonstrates a 6.50x average reduction factor in Attack Success Rate relative to undefended baselines, with negligible utility cost. Crucially, a factorial ablation validates our theoretical bounds: while statefulness and spatial coverage are individually necessary (26.4 pp and 13.6 pp gains respectively), stateless multi-point intervention can yield zero marginal benefit under homogeneous stateless filtering when checkpoint detections are perfectly correlated.