Over the previous six months, I’ve watched the identical sample repeat throughout enterprise AI groups. A2A and ACP mild up the room throughout structure opinions—the protocols are elegant, the demos spectacular. Three weeks into manufacturing, somebody asks: “Wait, which agent approved that $50,000 vendor fee at 2 am?“ The thrill shifts to concern.
Right here’s the paradox: Agent2Agent (A2A) and the Agent Communication Protocol (ACP) are so efficient at eliminating integration friction that they’ve eliminated the pure “brakes“ that used to pressure governance conversations. We’ve solved the plumbing drawback brilliantly. In doing so, we’ve created a brand new class of integration debt—one the place organizations borrow pace right this moment at the price of accountability tomorrow.
The technical protocols are strong. The organizational protocols are lacking. We’re quickly transferring from the “Can these techniques join?“ section to the “Who approved this agent to liquidate a place at 3 am?“ section. In apply, that creates a governance hole: Our skill to attach brokers is outpacing our skill to regulate what they commit us to.
To see why that shift is going on so quick, it helps to take a look at how the underlying “agent stack“ is evolving. We’re seeing the emergence of a three-tier construction that quietly replaces conventional API-led connectivity:
| Layer | Protocol examples | Objective | The “human” analog |
| Tooling | MCP (Mannequin Context Protocol) | Connects brokers to native knowledge and particular instruments | A employee’s toolbox |
| Context | ACP (Agent Communication Protocol) | Standardizes how targets, person historical past, and state transfer between brokers | A employee’s reminiscence and briefing |
| Coordination | A2A (Agent2Agent) | Handles discovery, negotiation, and delegation throughout boundaries | A contract or handshake |
This stack makes multi-agent workflows a configuration drawback as a substitute of a customized engineering challenge. That’s precisely why the danger floor is increasing quicker than most CISOs notice.
Consider it this fashion: A2A is the handshake between brokers (who talks to whom, about what duties). ACP is the briefing doc they change (what context, historical past, and targets transfer in that dialog). MCP is the toolbox every agent has entry to domestically. When you see the stack this fashion, you additionally see the following drawback: We’ve solved API sprawl and quietly changed it with one thing tougher to see—agent sprawl, and with it, a widening governance hole.
Most enterprises already battle to manipulate a whole lot of SaaS functions. One evaluation places the typical at greater than 370 SaaS apps per group. Agent protocols don’t scale back this complexity; they route round it. Within the API period, people filed tickets to set off system actions. Within the A2A period, brokers use “Agent Playing cards“ to find one another and negotiate on high of these techniques. ACP permits these brokers to commerce wealthy context—that means a dialog beginning in buyer assist can movement into success and associate logistics with zero human handoffs. What was once API sprawl is turning into dozens of semiautonomous processes appearing on behalf of your organization throughout infrastructure you don’t absolutely management. The friction of handbook integration used to behave as a pure brake on danger; A2A has eliminated that brake.
That governance hole doesn’t often present up as a single catastrophic failure. It reveals up as a sequence of small, complicated incidents the place every little thing appears “inexperienced“ within the dashboards however the enterprise end result is flawed. The protocol documentation focuses on encryption and handshakes however ignores the emergent failure modes of autonomous collaboration. These aren’t bugs within the protocols; they’re indicators that the encompassing structure has not caught up with the extent of autonomy the protocols allow.
Coverage drift: A refund coverage encoded in a service agent could technically interoperate with a associate’s collections agent through A2A, however their enterprise logic could also be diametrically opposed. When one thing goes flawed, no person owns the end-to-end conduct.
Context oversharing: A workforce would possibly develop an ACP schema to incorporate “Person Sentiment“ for higher personalization, unaware that this knowledge now propagates to each downstream third-party agent within the chain. What began as native enrichment turns into distributed publicity.
The determinism lure: Not like REST APIs, brokers are nondeterministic. An agent’s refund coverage logic would possibly change when its underlying mannequin is up to date from GPT-4 to GPT-4.5, although the A2A Agent Card declares equivalent capabilities. The workflow “works“—till it doesn’t, and there’s no model hint to debug. This creates what I name “ghost breaks“: failures that don’t present up in conventional observability as a result of the interface contract appears unchanged.
Taken collectively, these aren’t edge instances. They’re what occurs after we give brokers extra autonomy with out upgrading the principles of engagement between them. These failure modes have a typical root trigger: The technical functionality to collaborate throughout brokers has outrun the group’s skill to say the place that collaboration is suitable, and underneath what constraints.
That’s why we want one thing on high of the protocols themselves: an express “Agent Treaty“ layer. If the protocol is the language, the treaty is the structure. Governance should transfer from “aspect documentation“ to “coverage as code.“
Need Radar delivered straight to your inbox? Be part of us on Substack. Enroll right here.
Conventional governance treats coverage violations as failures to forestall. An antifragile method treats them as indicators to use. When an agent makes a dedication that violates a enterprise constraint, the system ought to seize that occasion, hint the causal chain, and feed it again into each the agent’s coaching and the treaty ruleset. Over time, the governance layer will get smarter, not simply stricter.
Outline treaty-level constraints: Don’t simply authorize a connection; authorize a scope. Which ACP fields is an agent allowed to share? Which A2A operations are “learn solely“ versus “legally binding“? Which classes of selections require human escalation?
Model the conduct, not simply the schema: Deal with Agent Playing cards as first-class product surfaces. If the underlying mannequin adjustments, the model should bump, triggering a rereview of the treaty. This isn’t bureaucratic overhead—it’s the one approach to preserve accountability in a system the place autonomous brokers make commitments on behalf of your group.
Cross-organizational traceability: We’d like observability traces that don’t simply present latency however present intent: Which agent made this dedication, underneath which coverage? And who’s the human proprietor? That is notably essential when workflows span organizational boundaries and associate ecosystems.
Designing that treaty layer isn’t only a tooling drawback. It adjustments who must be within the room and the way they consider the system. The toughest constraint isn’t the code; it’s the individuals. We’re coming into a world the place engineers should cause about multi-agent sport principle and coverage interactions, not simply SDK integration. Threat groups should audit “machine-to-machine commitments“ that will by no means be rendered in human language. Product managers should personal agent ecosystems the place a change in a single agent’s reward operate or context schema shifts conduct throughout a complete associate community. Compliance and audit features want new instruments and psychological fashions to evaluate autonomous workflows that execute at machine pace. In lots of organizations, these expertise sit in several silos, and A2A/ACP adoption is continuing quicker than the cross-functional constructions wanted to handle them.
All of this would possibly sound summary till you have a look at the place enterprises are of their adoption curve. Three converging tendencies are making this pressing: Protocol maturity means A2A, ACP, and MCP specs have stabilized sufficient that enterprises are transferring past pilots to manufacturing deployments. Multi-agent orchestration is shifting from single brokers to agent ecosystems and workflows that span groups, departments, and organizations. And silent autonomy is blurring the road between “instrument help“ and “autonomous decision-making“—typically with out express organizational acknowledgment. We’re transferring from integration (making issues speak) to orchestration (making issues act), however our monitoring instruments nonetheless solely measure the speak. The following 18 months will decide whether or not enterprises get forward of this or we see a wave of high-profile failures that pressure retroactive governance.
The chance just isn’t that A2A and ACP are unsafe; it’s that they’re too efficient. For groups piloting these protocols, cease specializing in the “completely satisfied path“ of connectivity. As a substitute, choose one multi-agent workflow and instrument it as a essential product:
Map the context movement: Each ACP discipline will need to have a “goal limitation“ tag. Doc which brokers see which fields, and which enterprise or regulatory necessities justify that visibility. This isn’t a listing train; it’s a approach to floor hidden knowledge dependencies.
Audit the commitments: Establish each A2A interplay that represents a monetary or authorized dedication—particularly ones that don’t route via human approval. Ask, “If this agent’s conduct modified in a single day, who would discover? Who’s accountable?“
Code the treaty: Prototype a “gatekeeper“ agent that enforces enterprise constraints on high of the uncooked protocol visitors. This isn’t about blocking brokers; it’s about making coverage seen and enforceable at runtime. Begin minimal: One coverage, one workflow, one success metric.
Instrument for studying: Seize which brokers collaborate, which insurance policies they invoke, and which contexts they share. Deal with this as telemetry, not simply audit logs. Feed patterns again into governance opinions quarterly.
If this works, you now have a repeatable sample for scaling agent deployments with out sacrificing accountability. If it breaks, you’ve discovered one thing essential about your structure earlier than it breaks in manufacturing. If you will get one workflow to behave this fashion—ruled, observable, and learn-as-you-go—you’ve a template for the remainder of your agent ecosystem.
If the final decade was about treating APIs as merchandise, the following one can be about treating autonomous workflows as insurance policies encoded in visitors between brokers. The protocols are prepared. Your org chart just isn’t. The bridge between the 2 is the Agent Treaty—begin constructing it earlier than your brokers begin signing offers with out you. The excellent news: You don’t want to revamp your complete group. You have to add one essential layer—the Agent Treaty—that makes coverage machine-enforceable, observable, and learnable. You want engineers who take into consideration composition and sport principle, not simply connection. And you’ll want to deal with agent deployments as merchandise, not infrastructure.
The earlier you begin, the earlier that governance hole closes.
