Over the previous six months, I’ve watched the identical sample repeat throughout enterprise AI groups. A2A and ACP mild up the room throughout structure opinions—the protocols are elegant, the demos spectacular. Three weeks into manufacturing, somebody asks: “Wait, which agent approved that $50,000 vendor cost at 2 am?“ The thrill shifts to concern.
Right here’s the paradox: Agent2Agent (A2A) and the Agent Communication Protocol (ACP) are so efficient at eliminating integration friction that they’ve eliminated the pure “brakes“ that used to drive governance conversations. We’ve solved the plumbing drawback brilliantly. In doing so, we’ve created a brand new class of integration debt—one the place organizations borrow velocity in the present day at the price of accountability tomorrow.
The technical protocols are strong. The organizational protocols are lacking. We’re quickly transferring from the “Can these methods join?“ part to the “Who approved this agent to liquidate a place at 3 am?“ part. In apply, that creates a governance hole: Our capacity to attach brokers is outpacing our capacity to regulate what they commit us to.
To see why that shift is occurring so quick, it helps to take a look at how the underlying “agent stack“ is evolving. We’re seeing the emergence of a three-tier construction that quietly replaces conventional API-led connectivity:
| Layer | Protocol examples | Function | The “human” analog |
| Tooling | MCP (Mannequin Context Protocol) | Connects brokers to native knowledge and particular instruments | A employee’s toolbox |
| Context | ACP (Agent Communication Protocol) | Standardizes how targets, person historical past, and state transfer between brokers | A employee’s reminiscence and briefing |
| Coordination | A2A (Agent2Agent) | Handles discovery, negotiation, and delegation throughout boundaries | A contract or handshake |
This stack makes multi-agent workflows a configuration drawback as an alternative of a customized engineering undertaking. That’s precisely why the danger floor is increasing sooner than most CISOs understand.
Consider it this manner: A2A is the handshake between brokers (who talks to whom, about what duties). ACP is the briefing doc they trade (what context, historical past, and targets transfer in that dialog). MCP is the toolbox every agent has entry to domestically. When you see the stack this manner, you additionally see the subsequent drawback: We’ve solved API sprawl and quietly changed it with one thing tougher to see—agent sprawl, and with it, a widening governance hole.
Most enterprises already wrestle to control a whole bunch of SaaS functions. One evaluation places the common at greater than 370 SaaS apps per group. Agent protocols don’t scale back this complexity; they route round it. Within the API period, people filed tickets to set off system actions. Within the A2A period, brokers use “Agent Playing cards“ to find one another and negotiate on prime of these methods. ACP permits these brokers to commerce wealthy context—that means a dialog beginning in buyer assist can circulate into achievement and associate logistics with zero human handoffs. What was API sprawl is changing into dozens of semiautonomous processes performing on behalf of your organization throughout infrastructure you don’t absolutely management. The friction of handbook integration used to behave as a pure brake on danger; A2A has eliminated that brake.
That governance hole doesn’t often present up as a single catastrophic failure. It reveals up as a collection of small, complicated incidents the place every part seems “inexperienced“ within the dashboards however the enterprise final result is incorrect. The protocol documentation focuses on encryption and handshakes however ignores the emergent failure modes of autonomous collaboration. These aren’t bugs within the protocols; they’re indicators that the encompassing structure has not caught up with the extent of autonomy the protocols allow.
Coverage drift: A refund coverage encoded in a service agent could technically interoperate with a associate’s collections agent by way of A2A, however their enterprise logic could also be diametrically opposed. When one thing goes incorrect, no one owns the end-to-end conduct.
Context oversharing: A crew would possibly broaden an ACP schema to incorporate “Person Sentiment“ for higher personalization, unaware that this knowledge now propagates to each downstream third-party agent within the chain. What began as native enrichment turns into distributed publicity.
The determinism lure: In contrast to REST APIs, brokers are nondeterministic. An agent’s refund coverage logic would possibly change when its underlying mannequin is up to date from GPT-4 to GPT-4.5, regardless that the A2A Agent Card declares similar capabilities. The workflow “works“—till it doesn’t, and there’s no model hint to debug. This creates what I name “ghost breaks“: failures that don’t present up in conventional observability as a result of the interface contract seems unchanged.
Taken collectively, these aren’t edge instances. They’re what occurs after we give brokers extra autonomy with out upgrading the foundations of engagement between them. These failure modes have a typical root trigger: The technical functionality to collaborate throughout brokers has outrun the group’s capacity to say the place that collaboration is suitable, and beneath what constraints.
That’s why we’d like one thing on prime of the protocols themselves: an specific “Agent Treaty“ layer. If the protocol is the language, the treaty is the structure. Governance should transfer from “facet documentation“ to “coverage as code.“
Need Radar delivered straight to your inbox? Be a part of us on Substack. Enroll right here.
Conventional governance treats coverage violations as failures to forestall. An antifragile method treats them as alerts to use. When an agent makes a dedication that violates a enterprise constraint, the system ought to seize that occasion, hint the causal chain, and feed it again into each the agent’s coaching and the treaty ruleset. Over time, the governance layer will get smarter, not simply stricter.
Outline treaty-level constraints: Don’t simply authorize a connection; authorize a scope. Which ACP fields is an agent allowed to share? Which A2A operations are “learn solely“ versus “legally binding“? Which classes of selections require human escalation?
Model the conduct, not simply the schema: Deal with Agent Playing cards as first-class product surfaces. If the underlying mannequin modifications, the model should bump, triggering a rereview of the treaty. This isn’t bureaucratic overhead—it’s the one method to keep accountability in a system the place autonomous brokers make commitments on behalf of your group.
Cross-organizational traceability: We want observability traces that don’t simply present latency however present intent: Which agent made this dedication, beneath which coverage? And who’s the human proprietor? That is significantly important when workflows span organizational boundaries and associate ecosystems.
Designing that treaty layer isn’t only a tooling drawback. It modifications who must be within the room and the way they consider the system. The toughest constraint isn’t the code; it’s the folks. We’re coming into a world the place engineers should purpose about multi-agent sport idea and coverage interactions, not simply SDK integration. Danger groups should audit “machine-to-machine commitments“ that will by no means be rendered in human language. Product managers should personal agent ecosystems the place a change in a single agent’s reward operate or context schema shifts conduct throughout a whole associate community. Compliance and audit features want new instruments and psychological fashions to evaluation autonomous workflows that execute at machine velocity. In lots of organizations, these abilities sit in several silos, and A2A/ACP adoption is continuing sooner than the cross-functional constructions wanted to handle them.
All of this would possibly sound summary till you take a look at the place enterprises are of their adoption curve. Three converging tendencies are making this pressing: Protocol maturity means A2A, ACP, and MCP specs have stabilized sufficient that enterprises are transferring past pilots to manufacturing deployments. Multi-agent orchestration is shifting from single brokers to agent ecosystems and workflows that span groups, departments, and organizations. And silent autonomy is blurring the road between “software help“ and “autonomous decision-making“—typically with out specific organizational acknowledgment. We’re transferring from integration (making issues speak) to orchestration (making issues act), however our monitoring instruments nonetheless solely measure the speak. The subsequent 18 months will decide whether or not enterprises get forward of this or we see a wave of high-profile failures that drive retroactive governance.
The danger will not be that A2A and ACP are unsafe; it’s that they’re too efficient. For groups piloting these protocols, cease specializing in the “joyful path“ of connectivity. As an alternative, choose one multi-agent workflow and instrument it as a important product:
Map the context circulate: Each ACP subject should have a “goal limitation“ tag. Doc which brokers see which fields, and which enterprise or regulatory necessities justify that visibility. This isn’t a listing train; it’s a method to floor hidden knowledge dependencies.
Audit the commitments: Establish each A2A interplay that represents a monetary or authorized dedication—particularly ones that don’t route by means of human approval. Ask, “If this agent’s conduct modified in a single day, who would discover? Who’s accountable?“
Code the treaty: Prototype a “gatekeeper“ agent that enforces enterprise constraints on prime of the uncooked protocol site visitors. This isn’t about blocking brokers; it’s about making coverage seen and enforceable at runtime. Begin minimal: One coverage, one workflow, one success metric.
Instrument for studying: Seize which brokers collaborate, which insurance policies they invoke, and which contexts they share. Deal with this as telemetry, not simply audit logs. Feed patterns again into governance opinions quarterly.
If this works, you now have a repeatable sample for scaling agent deployments with out sacrificing accountability. If it breaks, you’ve realized one thing important about your structure earlier than it breaks in manufacturing. If you may get one workflow to behave this manner—ruled, observable, and learn-as-you-go—you might have a template for the remainder of your agent ecosystem.
If the final decade was about treating APIs as merchandise, the subsequent one can be about treating autonomous workflows as insurance policies encoded in site visitors between brokers. The protocols are prepared. Your org chart will not be. The bridge between the 2 is the Agent Treaty—begin constructing it earlier than your brokers begin signing offers with out you. The excellent news: You don’t want to revamp your total group. You might want to add one important layer—the Agent Treaty—that makes coverage machine-enforceable, observable, and learnable. You want engineers who take into consideration composition and sport idea, not simply connection. And you’ll want to deal with agent deployments as merchandise, not infrastructure.
The earlier you begin, the earlier that governance hole closes.
