From Brooks' Subsumption Architecture to LLM-based agents — what is structurally new, what persists, and what the cybersecurity blind spot conceals
Agentic AI frameworks are once again in the spotlight, celebrated by some as revolutionary advancements. Yet, the term ‘revolution’ can also be interpreted in its astronomical sense — the Moon’s revolution around the Earth — signifying a recurrence of past events rather than a wholly novel breakthrough.
The aspiration to develop agentic AI — systems that can independently perceive their environment, set goals, and make decisions — has been a cornerstone of AI research for decades. Several pioneering implementations exemplify these early frameworks: Brooks’ Subsumption Architecture (1986) used layered control systems where higher layers could subsume the roles of lower ones. Distributed Artificial Intelligence (DAI) systems in the 1990s led to Multi-Agent Systems (MAS), applied in logistics, resource allocation, and cooperative robotics. The Belief-Desire-Intention (BDI) Model, developed by Bratman, Rao, and Georgeff, sought to formalize rational agency but highlighted a critical limitation: the lack of genuine self-generated intent.
Several key factors contributed to the stagnation of these early frameworks: computational limitations, overly narrow domain expertise, lack of robust learning capabilities, inefficient collaboration in multi-agent systems, and the fundamental question of intent. Daniel Dennett’s intentional stance treats intentionality as an interpretive framework, while John Searle’s concept of intrinsic intentionality demands genuine understanding arising from the system’s own nature — a standard no current AI system meets. The practical question is whether agents can exhibit sufficiently adaptive, context-sensitive goal modification to operate reliably in open-ended environments. The honest answer is that they cannot.
The most significant structural difference is the emergence of large language models as general-purpose planners and reasoners. In LLM-based agentic systems, natural language serves simultaneously as the substrate for representation, planning, reasoning, and inter-agent communication. Yao et al. (2023) formalized this in the ReAct framework. Shinn et al.’s Reflexion framework extends this further, showing that agents can use linguistic self-reflection to improve performance across episodes without parameter updates. A second structural difference is the capacity of LLM-based agents to interface with arbitrary external tools through natural language descriptions.
Generalization remains a significant challenge. Benchmarks like SWE-bench, WebArena, and GAIA reveal sobering limitations. The alignment problem takes on new dimensions with LLM-based agents — RLHF, constitutional AI, and mechanistic interpretability were primarily developed for single-model, single-turn interactions. Extending them to multi-agent, multi-step workflows introduces compounding risks including reward hacking.
A dimension conspicuously absent from most discussions is cybersecurity. The ACL problem: when an agentic system operates on behalf of multiple users with different privilege levels, the identity and authorization model becomes profoundly complex. Current frameworks typically operate with a single set of credentials, creating a de facto privilege escalation risk. Data leakage and exfiltration risks are compounded in multi-agent architectures, where each inter-agent communication channel represents a potential leakage point. Prompt injection in an agentic context has consequences far more severe than in a simple chatbot, because the agent can take actions: sending emails, modifying files, executing code. The EU AI Act and MDR demand demonstrable data governance, traceability, and robust access control.
At TweenMe we believe it is more pragmatic and responsible to leverage the human brain for high-level orchestration. Specialized agents handle data-intensive tasks efficiently while humans contribute creativity, moral judgment, and adaptability. Human-in-the-loop architectures provide natural checkpoints for access control validation.
Chain-of-Thought reasoning can be integrated with multi-agent specialization inspired by the Six Thinking Hats methodology: White Hat (factual data), Red Hat (sentiment), Black Hat (risks), Yellow Hat (opportunities), Green Hat (creative alternatives), Blue Hat (orchestration). The first and most critical architectural question is conflict resolution — weighted aggregation, structured debate, Delphi-style refinement, or hierarchical override. Each high-level Hat agent can itself orchestrate lower-level specialized agents. From a cybersecurity standpoint, modular architectures enable fine-grained access control at the agent level.
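The single-credential problem from the cybersecurity paragraph, set beside the per-agent access control and human checkpoints proposed after it, as an added example (not code from TweenMe or from any framework named here). The user names, agent names, tool names and permission tables are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: every user, agent and tool name here is hypothetical.
USER_PERMS = {
    "alice": {"read_file", "send_email", "modify_file"},
    "bob": {"read_file"},
}
AGENT_SCOPE = {
    "white_hat": {"read_file"},               # factual-data agent: read only
    "blue_hat": {"read_file", "send_email"},  # orchestrator
}
# The one credential the whole agent system runs with in the weak pattern.
SERVICE_ACCOUNT_PERMS = {"read_file", "send_email", "modify_file", "execute_code"}
HIGH_IMPACT = {"send_email", "modify_file", "execute_code"}


@dataclass(frozen=True)
class ToolCall:
    user: str                          # human on whose behalf the agent acts
    agent: str                         # agent issuing the call
    tool: str
    approved_by: Optional[str] = None  # human reviewer, if any


def authorize_shared_credential(call: ToolCall) -> bool:
    """Weak pattern: only the agent system's own credential is checked."""
    return call.tool in SERVICE_ACCOUNT_PERMS


def authorize_delegated(call: ToolCall) -> Tuple[bool, str]:
    """Allow only what the requesting user AND the agent's scope both permit;
    high-impact actions additionally need a human approver."""
    if call.tool not in USER_PERMS.get(call.user, set()):
        return False, "user lacks permission"
    if call.tool not in AGENT_SCOPE.get(call.agent, set()):
        return False, "outside agent scope"
    if call.tool in HIGH_IMPACT and call.approved_by is None:
        return False, "human approval required"
    return True, "allowed"


def audit(calls: List[ToolCall]) -> list:
    """One traceable record per decision: (user, agent, tool, verdict, reason)."""
    return [(c.user, c.agent, c.tool, *authorize_delegated(c)) for c in calls]
```

A call such as `ToolCall("bob", "blue_hat", "send_email")`, the kind an injected instruction in a document might cause the agent to emit, passes the shared-credential check but is refused by the delegated one because bob himself cannot send email.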
The foundational questions remain open: intrinsic motivation, robust generalization, ethical alignment, cybersecurity and data governance. Adopting hybrid models that keep humans at the center of orchestration offers a pragmatic path forward. History tends to repeat itself, but we have the opportunity to learn from past experiences and steer agentic AI toward genuinely transformative outcomes — with architectural rigor in security design, intellectual honesty about limitations, and a willingness to address foundational issues head-on.