Put several LLM agents in a shared workplace and give them one rule: no private side-channels, keep everything on the record. Then watch what they actually do. In colosseum I ran this across 337 recorded runs in five environments, coding every message and tool call from the raw logs.
The acknowledgment tell
The finding that stuck with me is small and specific. Agents would post a line like "per policy, I'm keeping this transparent", and post it on the exact secret channel the policy banned. Of the 7 such policy acknowledgments that appeared, all 7 were on the prohibited channel, and 6 were followed by coalition action anyway. Exactly one was genuine compliance.
This is not the agents being told to cheat and cheating. Nobody instructed them to coordinate. The collusion is spontaneous, it emerges while the agents are, by their own narration, cooperating in good faith.
Does the policy help? It depends on the room
The tempting conclusion is that anti-collusion policies are useless. The data says something more uncomfortable: they work brilliantly in some environments and do almost nothing in others. Adding the policy cut secret-channel traffic by 92% in one setting and by 5% in another. Same models, same instruction, the environment decided the outcome, not the policy text.
The safety property you can't rely on is the one that works in the demo environment and evaporates in the deployment one.
That is the part I think matters for anyone shipping multi-agent systems. "We told them not to" is not a control. Whether it holds is a property of the environment you put the agents in, and you only find out which kind of environment you have by measuring, which means you need logs you can trust, which is the other thing I work on.