AutoGen-style workflows usually look harmless at the message level. One agent reads something. Another agent replies. A third agent decides what to do next. The problem starts when the first thing was not trusted. Maybe it was a support ticket. Maybe a PDF. Maybe a web page. Maybe an email thread. The first agent reads it, produces a clean summary, and that summary moves into the next agent step. After one or two turns, the original source is no longer visible. What remains is just another agent message in the conversation. That is a bad place to lose provenance. A later agent does not know whether a sentence came from your app policy, from a user request, from a trusted internal source, or from an external document that happened to pass through another agent first. In a single-agent app, you usually worry about what enters the model context. In an AgentChat workflow, you also have to worry about what moves through the conversation.…