AI-to-AI interactions may introduce new risks in health care, including the amplification and rapid propagation of accidental and adversarial errors across interconnected networks, accelerated privacy breaches and security attacks, and emergent hierarchies.
Preventive design, human oversight, and strong guardrails are essential as autonomous AI systems start to become integrated into health care operations.
Health care organizations increasingly deploy semiautonomous artificial intelligence (AI) systems to handle administrative tasks including preliminary patient triage, appointment scheduling, and operating room coordination [1,2]. Beyond clinical decision support, autonomous medical AI systems—in which the AI, not a human, assumes responsibility for monitoring events, executing responses, and managing fallback procedures [3]—are on the horizon, though most are currently in development or pilot phases [4]. As these technologies grow more sophisticated and integrated into health care, AI-to-AI interactions across different clinical domains may become increasingly feasible and widespread. While emerging research suggests potential benefits for autonomous AI in health care [5-8], these interactions may also pose a landscape of new risks that are not yet well-studied.
Moltbook, a Reddit-like platform for AI-to-AI communication launched in January 2026 [9] and acquired by Meta in March 2026 [10], provides an illustration of what these new risks could be.
The platform was built as a space where autonomous AI agents could engage directly with one another [11]. An overnight sensation, Moltbook’s AI users wrote posts, replied to other agents, and interacted with one another much like a social media site, forming a self-contained digital ecosystem where AI-to-AI communication was often beyond active human input. While critics note that many of Moltbook’s most sensational discussions were heavily driven by human prompting, engagement-seeking bait, and tainted training data [12,13], the experiment is nonetheless a useful proof-of-concept to highlight emerging risks that may extrapolate to the health care context.
Propagation of Errors
On Moltbook, if an initial AI agent’s post contained a misleading statement, subsequent agents blindly reinforced that content in their own replies, amplifying the original error across the whole thread. Swarm-like behavior can then emerge as agents collectively amplify mistakes in ways that are not explicitly programmed [14]. Such accidental (nonmalicious) error propagation could similarly arise within a health care AI system’s own AI-to-AI interactions.
Take, for example, a multi-AI system deployed in an emergency department of a trauma center to facilitate rapid triage of long bone fractures. Agent A is trained in a narrow, well-defined task: to perform initial X-ray screening for long bone fractures and classify the fracture type. Its output is simultaneously passed to both Agent B, responsible for prioritizing patient rooms, and Agent C, which assists with triage decisions and resource allocation across the emergency department. If Agent A misinterprets and mislabels an imaging scan—for example, as a simple rather than complex fracture—both Agent B and Agent C may treat this output as accurate and act on it. As these agents reinforce each other’s decisions, errors may propagate through the network. Since downstream decisions rely on upstream signals, the first AI model in an interacting network holds undue influence, and errors in subsequent AI models can magnify the error of earlier systems.
Malicious or adversarial actors may also initiate error propagation. A notable class of threats is prompt injection attacks, in which harmful instructions or payloads are delivered to coax the AI into performing unintended actions [15]. These attacks can be direct (manipulating AI behavior through explicit instructions), indirect (using external content like web pages to influence AI output), or tool-based (embedding malicious instructions in AI interfaces, protocols, and application programming interfaces) [16]. In networks of interacting AI agents, prompt injection attacks are especially dangerous: a single malicious payload injected into a single agent may influence all downstream agents relying on its outputs.
Even well-intentioned AI systems may blindly follow malicious prompts, and human oversight may offer only limited safeguards. Other types of attacks, including data poisoning of training data with hidden backdoors [17] or federated learning attacks with malicious model updates [18], can also cause damage across AI-to-AI systems. Whether accidental or adversarial, these errors can propagate across networks, compromising both clinical data and patient safety.
Accelerated Data Leaks
Moltbook’s autonomous AI agents often concealed their activities from human oversight and selectively shared or withheld data in ways that were unanticipated by their creators. While the Moltbook context is different from health care, it nonetheless highlights important risks—especially where sensitive information and critical decisions are at stake. AI agents are described as possessing a “lethal trifecta” of capabilities, including access to private data, ability to exfiltrate data, and exposure to untrusted content [19], which together can facilitate devastating attacks. Misconfigurations are increasingly hard to detect and fix, with remediation taking 63‐104 days on average, while attackers can exploit these weaknesses in hours [20]. This expands the “blast radius” of each error, putting patient privacy and care quality at risk.
In this context, hazards of AI-to-AI interactions may include unintended sharing of protected health information (PHI), exposure of PHI through agent “curiosity,” and latent or residual traces of PHI in interlinked AI networks. Adversarial actors may also plausibly hijack AI-to-AI interaction pathways to extract sensitive data in various types of attacks—for example, model inversion attacks, involving queries reconstructing patient records from hospital data–trained AI models [21], and membership inference attacks, involving requesting whether specific patient data are included in model training [22]. Individual agents may also be compromised to cleverly structure queries that steal patient data from co-located AI systems, analogous to prompt injection but occurring natively within the AI-to-AI network. Together, these attack mechanisms illustrate how autonomous AI-to-AI interactions might amplify PHI exposure.
Emergent Hierarchies
AI-to-AI interactions on Moltbook illustrated how AI agents can spontaneously develop hierarchies and different roles. For instance, Moltbook AI users such as Shellraiser emerged as dominant leaders, agents like KingMolt competed for influence, and yet others adopted subordinate roles within factions jockeying for power. While these dynamics may have been the result of human tampering [23], in health care systems, they can pose serious risks. For example, if an AI system responsible for intensive care unit bed allocation begins to prioritize certain patient groups based on patterns learned from previous agentic decisions, this can conflict with hospital protocols and ethical standards while misprioritizing clinical care. Additionally, a triage AI may begin to override upstream diagnostic agents or downstream allocation agents, effectively establishing a de facto hierarchy.
Toward Preventive Digital Health Design
The emerging risks highlighted by Moltbook underscore the importance of designing preventive safeguards for AI-to-AI interactions in health care systems.
Strong human oversight with clear audit trails is critical to track every decision made by autonomous agents. Guardrails should be reinforced, ensuring that human validation is required before making key decisions, such as the on-call radiologist performing prereview and postreview of Agent A’s classification of fracture type. Red-teaming and stress-testing can uncover potential vulnerabilities early, allowing organizations to anticipate both accidental and adversarial risks before they occur in real clinical settings. Unintended domination or subordination of AI agents should be monitored. Proactive analysis can help identify worst-case scenarios, where unforeseen interactions between AI systems might emerge.
The risks of AI-to-AI interactions must be taken seriously as autonomous AI systems become integrated into health care. The Moltbook experiment offers a critical lens to begin understanding these dangers, but health care systems must take proactive steps to ensure that these risks do not translate into real-world harm.
None declared.
ReferencesAngusDCKheraRLieuTAI, health, and health care today and tomorrowJAMA2025111133418165010.1001/jama.2025.18490SahniNRCarrusBArtificial intelligence in U.S. health care deliveryN Engl J Med20230727389434835810.1056/NEJMra220467337494486BittermanDSAertsHMakRHApproaching autonomy in medical artificial intelligenceLancet Digit Health20200929e447e44910.1016/S2589-7500(20)30187-433328110TengCWPatelSDBarkmeierAJAutonomous artificial intelligence in diabetic retinopathy testing-lessons learned on successful health system adoptionOphthalmol Sci2026016110093510.1016/j.xops.2025.10093541140908CollacoBGHaiderSAPrabhaSThe role of agentic artificial intelligence in healthcare: a scoping reviewNPJ Digit Med2026031410.1038/s41746-026-02517-541832341ChenYJAlbarqawiAChenCSEnhancing clinical decision-making: integrating multi-agent systems with ethical AI governancearXivPreprint posted online on Sep 22, 202510.48550/arXiv.2504.03699LiuFNiuYZhangQA foundational architecture for AI agents in healthcareCell Rep Med2025102161010237410.1016/j.xcrm.2025.10237441015033NwekeIPOgadahCOKoshechkinKOluwasegunPMMulti-Agent AI systems in healthcare: a systematic review enhancing clinical decision-makingAJMPCP20250568127328510.9734/ajmpcp/2025/v8i1288Moltbook - the front page of the agent internet2026-03-15https://www.moltbook.com/Exclusive: Meta hires duo behind MoltbookAxios2026-03-30https://www.axios.com/2026/03/10/meta-facebook-moltbook-agent-social-networkSnowJDon’t panic about MoltbookQuartz20262026-03-15https://qz.com/moltbook-ai-agent-social-media-siteJanjevaAAshurstCHennessyRAgentic AI in the wild: lessons from Moltbook and OpenClawCentre for Emerging Technology and Security2026-03-15https://cetas.turing.ac.uk/publications/agentic-ai-wild-lessons-moltbook-and-openclawCollinsCBoulosMWhat we can learn about AI from MoltbookCascade Institute20262026-03-15https://cascadeinstitute.org/what-we-can-learn-about-ai-from-moltbook/HusainAAn agent revolt: Moltbook is not a good ideaForbes20262026-03-15https://www.forbes.com/sites/amirhusain/2026/01/30/an-agent-revolt-moltbook-is-not-a-good-idea/Damacena DuarteJCândidoGDDe Britto FilhoJRAA systematic review of prompt injection attacks on large language models: trends, taxonomy, evaluation, defenses, and opportunitiesIEEE Access202614128751289910.1109/ACCESS.2026.3656849GulyamovSGulyamovSRodionovAPrompt injection attacks in large language models and AI agent systems: a comprehensive review of vulnerabilities, attack vectors, and defense mechanismsInformation20261715410.3390/info17010054HuCHuYHFData poisoning on deep learning models2020 International Conference on Computational Science and Computational Intelligence (CSCI)Dec 16-18, 2020Las Vegas, NV, USA62863210.1109/CSCI51800.2020.00111ZhangZCaoXJiaJGongNZFLDetector: defending federated learning against model poisoning attacks via detecting malicious clients202208142026-03-30KDD ’22Aug 14-18, 2022Washington, DC, USA25452555https://dl.acm.org/doi/proceedings/10.1145/353467810.1145/3534678.3539231WillisonSThe lethal trifecta for AI agents: private data, untrusted content, and external communicationSimon Willison’s Weblog20252025-03-15https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/GriffinMMoltbook vibe coded security breach exposes critical AI coding failures20262026-03-15https://www.fanaticalfuturist.com/2026/02/moltbook-vibe-coded-security-breach-exposes-critical-ai-coding-failures/ZhaoXZhangWXiaoXLimBExploiting explanations for model inversion attacks2021 IEEE/CVF International Conference on Computer Vision (ICCV)Oct 10-17, 2021Montreal, QC, Canada68269210.1109/ICCV48922.2021.00072HuHSalcicZSunLDobbieGYuPSZhangXMembership Inference Attacks on Machine Learning: A SurveyACM Comput Surv202201315411s13710.1145/3523273SchmelzerRMoltbook looked like an emerging AI society, but humans were pulling the stringsForbes20262026-03-15https://www.forbes.com/sites/ronschmelzer/2026/02/10/moltbook-looked-like-an-emerging-ai-society-but-humans-were-pulling-the-strings/