Over the previous six months, I’ve watched the identical sample repeat throughout enterprise AI groups. A2A and ACP gentle up the room throughout structure evaluations—the protocols are elegant, the demos spectacular. Three weeks into manufacturing, somebody asks: “Wait, which agent licensed that $50,000 vendor cost at 2 am?“ The thrill shifts to concern.
Right here’s the paradox: Agent2Agent (A2A) and the Agent Communication Protocol (ACP) are so efficient at eliminating integration friction that they’ve eliminated the pure “brakes“ that used to drive governance conversations. We’ve solved the plumbing downside brilliantly. In doing so, we’ve created a brand new class of integration debt—one the place organizations borrow pace right this moment at the price of accountability tomorrow.
The technical protocols are strong. The organizational protocols are lacking. We’re quickly transferring from the “Can these methods join?“ section to the “Who licensed this agent to liquidate a place at 3 am?“ section. In follow, that creates a governance hole: Our potential to attach brokers is outpacing our potential to regulate what they commit us to.
To see why that shift is going on so quick, it helps to have a look at how the underlying “agent stack“ is evolving. We’re seeing the emergence of a three-tier construction that quietly replaces conventional API-led connectivity:
| Layer | Protocol examples | Objective | The “human” analog |
| Tooling | MCP (Mannequin Context Protocol) | Connects brokers to native information and particular instruments | A employee’s toolbox |
| Context | ACP (Agent Communication Protocol) | Standardizes how targets, consumer historical past, and state transfer between brokers | A employee’s reminiscence and briefing |
| Coordination | A2A (Agent2Agent) | Handles discovery, negotiation, and delegation throughout boundaries | A contract or handshake |
This stack makes multi-agent workflows a configuration downside as a substitute of a customized engineering mission. That’s precisely why the danger floor is increasing quicker than most CISOs understand.
Consider it this fashion: A2A is the handshake between brokers (who talks to whom, about what duties). ACP is the briefing doc they alternate (what context, historical past, and targets transfer in that dialog). MCP is the toolbox every agent has entry to domestically. When you see the stack this fashion, you additionally see the following downside: We’ve solved API sprawl and quietly changed it with one thing more durable to see—agent sprawl, and with it, a widening governance hole.
Most enterprises already battle to control a whole lot of SaaS functions. One evaluation places the typical at greater than 370 SaaS apps per group. Agent protocols don’t scale back this complexity; they route round it. Within the API period, people filed tickets to set off system actions. Within the A2A period, brokers use “Agent Playing cards“ to find one another and negotiate on high of these methods. ACP permits these brokers to commerce wealthy context—which means a dialog beginning in buyer assist can circulate into success and companion logistics with zero human handoffs. What was API sprawl is turning into dozens of semiautonomous processes performing on behalf of your organization throughout infrastructure you don’t absolutely management. The friction of guide integration used to behave as a pure brake on threat; A2A has eliminated that brake.
That governance hole doesn’t often present up as a single catastrophic failure. It exhibits up as a sequence of small, complicated incidents the place every thing seems “inexperienced“ within the dashboards however the enterprise final result is fallacious. The protocol documentation focuses on encryption and handshakes however ignores the emergent failure modes of autonomous collaboration. These usually are not bugs within the protocols; they’re indicators that the encompassing structure has not caught up with the extent of autonomy the protocols allow.
Coverage drift: A refund coverage encoded in a service agent might technically interoperate with a companion’s collections agent by way of A2A, however their enterprise logic could also be diametrically opposed. When one thing goes fallacious, no person owns the end-to-end conduct.
Context oversharing: A staff may develop an ACP schema to incorporate “Person Sentiment“ for higher personalization, unaware that this information now propagates to each downstream third-party agent within the chain. What began as native enrichment turns into distributed publicity.
The determinism lure: In contrast to REST APIs, brokers are nondeterministic. An agent’s refund coverage logic may change when its underlying mannequin is up to date from GPT-4 to GPT-4.5, although the A2A Agent Card declares an identical capabilities. The workflow “works“—till it doesn’t, and there’s no model hint to debug. This creates what I name “ghost breaks“: failures that don’t present up in conventional observability as a result of the interface contract seems unchanged.
Taken collectively, these aren’t edge instances. They’re what occurs once we give brokers extra autonomy with out upgrading the foundations of engagement between them. These failure modes have a standard root trigger: The technical functionality to collaborate throughout brokers has outrun the group’s potential to say the place that collaboration is acceptable, and below what constraints.
That’s why we want one thing on high of the protocols themselves: an express “Agent Treaty“ layer. If the protocol is the language, the treaty is the structure. Governance should transfer from “aspect documentation“ to “coverage as code.“
Need Radar delivered straight to your inbox? Be a part of us on Substack. Join right here.
Conventional governance treats coverage violations as failures to forestall. An antifragile method treats them as indicators to take advantage of. When an agent makes a dedication that violates a enterprise constraint, the system ought to seize that occasion, hint the causal chain, and feed it again into each the agent’s coaching and the treaty ruleset. Over time, the governance layer will get smarter, not simply stricter.
Outline treaty-level constraints: Don’t simply authorize a connection; authorize a scope. Which ACP fields is an agent allowed to share? Which A2A operations are “learn solely“ versus “legally binding“? Which classes of selections require human escalation?
Model the conduct, not simply the schema: Deal with Agent Playing cards as first-class product surfaces. If the underlying mannequin adjustments, the model should bump, triggering a rereview of the treaty. This isn’t bureaucratic overhead—it’s the one solution to keep accountability in a system the place autonomous brokers make commitments on behalf of your group.
Cross-organizational traceability: We want observability traces that don’t simply present latency however present intent: Which agent made this dedication, below which coverage? And who’s the human proprietor? That is notably important when workflows span organizational boundaries and companion ecosystems.
Designing that treaty layer isn’t only a tooling downside. It adjustments who must be within the room and the way they consider the system. The toughest constraint isn’t the code; it’s the folks. We’re getting into a world the place engineers should motive about multi-agent sport principle and coverage interactions, not simply SDK integration. Threat groups should audit “machine-to-machine commitments“ which will by no means be rendered in human language. Product managers should personal agent ecosystems the place a change in a single agent’s reward perform or context schema shifts conduct throughout a complete companion community. Compliance and audit capabilities want new instruments and psychological fashions to overview autonomous workflows that execute at machine pace. In lots of organizations, these expertise sit in numerous silos, and A2A/ACP adoption is continuing quicker than the cross-functional constructions wanted to handle them.
All of this may sound summary till you take a look at the place enterprises are of their adoption curve. Three converging tendencies are making this pressing: Protocol maturity means A2A, ACP, and MCP specs have stabilized sufficient that enterprises are transferring past pilots to manufacturing deployments. Multi-agent orchestration is shifting from single brokers to agent ecosystems and workflows that span groups, departments, and organizations. And silent autonomy is blurring the road between “device help“ and “autonomous decision-making“—typically with out express organizational acknowledgment. We’re transferring from integration (making issues discuss) to orchestration (making issues act), however our monitoring instruments nonetheless solely measure the discuss. The following 18 months will decide whether or not enterprises get forward of this or we see a wave of high-profile failures that drive retroactive governance.
The chance shouldn’t be that A2A and ACP are unsafe; it’s that they’re too efficient. For groups piloting these protocols, cease specializing in the “pleased path“ of connectivity. As a substitute, decide one multi-agent workflow and instrument it as a important product:
Map the context circulate: Each ACP subject should have a “goal limitation“ tag. Doc which brokers see which fields, and which enterprise or regulatory necessities justify that visibility. This isn’t a list train; it’s a solution to floor hidden information dependencies.
Audit the commitments: Determine each A2A interplay that represents a monetary or authorized dedication—particularly ones that don’t route by human approval. Ask, “If this agent’s conduct modified in a single day, who would discover? Who’s accountable?“
Code the treaty: Prototype a “gatekeeper“ agent that enforces enterprise constraints on high of the uncooked protocol visitors. This isn’t about blocking brokers; it’s about making coverage seen and enforceable at runtime. Begin minimal: One coverage, one workflow, one success metric.
Instrument for studying: Seize which brokers collaborate, which insurance policies they invoke, and which contexts they share. Deal with this as telemetry, not simply audit logs. Feed patterns again into governance evaluations quarterly.
If this works, you now have a repeatable sample for scaling agent deployments with out sacrificing accountability. If it breaks, you’ve realized one thing important about your structure earlier than it breaks in manufacturing. If you may get one workflow to behave this fashion—ruled, observable, and learn-as-you-go—you’ve gotten a template for the remainder of your agent ecosystem.
If the final decade was about treating APIs as merchandise, the following one can be about treating autonomous workflows as insurance policies encoded in visitors between brokers. The protocols are prepared. Your org chart shouldn’t be. The bridge between the 2 is the Agent Treaty—begin constructing it earlier than your brokers begin signing offers with out you. The excellent news: You don’t want to revamp your complete group. You could add one important layer—the Agent Treaty—that makes coverage machine-enforceable, observable, and learnable. You want engineers who take into consideration composition and sport principle, not simply connection. And you might want to deal with agent deployments as merchandise, not infrastructure.
The earlier you begin, the earlier that governance hole closes.
