AI, A2A, and the Governance Gap – O’Reilly

Over the previous six months, I’ve watched the identical sample repeat throughout enterprise AI groups. A2A and ACP gentle up the room throughout structure critiques—the protocols are elegant, the demos spectacular. Three weeks into manufacturing, somebody asks: “Wait, which agent licensed that $50,000 vendor fee at 2 am?“ The thrill shifts to concern.

Right here’s the paradox: Agent2Agent (A2A) and the Agent Communication Protocol (ACP) are so efficient at eliminating integration friction that they’ve eliminated the pure “brakes“ that used to drive governance conversations. We’ve solved the plumbing downside brilliantly. In doing so, we’ve created a brand new class of integration debt—one the place organizations borrow velocity right now at the price of accountability tomorrow.

The technical protocols are strong. The organizational protocols are lacking. We’re quickly transferring from the “Can these methods join?“ part to the “Who licensed this agent to liquidate a place at 3 am?“ part. In apply, that creates a governance hole: Our capability to attach brokers is outpacing our capability to manage what they commit us to.

To see why that shift is occurring so quick, it helps to have a look at how the underlying “agent stack“ is evolving. We’re seeing the emergence of a three-tier construction that quietly replaces conventional API-led connectivity:

This stack makes multi-agent workflows a configuration downside as an alternative of a customized engineering challenge. That’s precisely why the chance floor is increasing sooner than most CISOs notice.

Consider it this fashion: A2A is the handshake between brokers (who talks to whom, about what duties). ACP is the briefing doc they alternate (what context, historical past, and objectives transfer in that dialog). MCP is the toolbox every agent has entry to domestically. When you see the stack this fashion, you additionally see the following downside: We’ve solved API sprawl and quietly changed it with one thing tougher to see—agent sprawl, and with it, a widening governance hole.

Most enterprises already battle to control a whole lot of SaaS purposes. One evaluation places the common at greater than 370 SaaS apps per group. Agent protocols don’t scale back this complexity; they route round it. Within the API period, people filed tickets to set off system actions. Within the A2A period, brokers use “Agent Playing cards“ to find one another and negotiate on high of these methods. ACP permits these brokers to commerce wealthy context—that means a dialog beginning in buyer assist can movement into achievement and associate logistics with zero human handoffs. What was API sprawl is changing into dozens of semiautonomous processes performing on behalf of your organization throughout infrastructure you don’t totally management. The friction of guide integration used to behave as a pure brake on threat; A2A has eliminated that brake.

That governance hole doesn’t normally present up as a single catastrophic failure. It reveals up as a collection of small, complicated incidents the place all the pieces appears “inexperienced“ within the dashboards however the enterprise end result is fallacious. The protocol documentation focuses on encryption and handshakes however ignores the emergent failure modes of autonomous collaboration. These should not bugs within the protocols; they’re indicators that the encompassing structure has not caught up with the extent of autonomy the protocols allow.

Coverage drift: A refund coverage encoded in a service agent could technically interoperate with a associate’s collections agent through A2A, however their enterprise logic could also be diametrically opposed. When one thing goes fallacious, no one owns the end-to-end conduct.

Context oversharing: A crew may develop an ACP schema to incorporate “Person Sentiment“ for higher personalization, unaware that this knowledge now propagates to each downstream third-party agent within the chain. What began as native enrichment turns into distributed publicity.

The determinism lure: Not like REST APIs, brokers are nondeterministic. An agent’s refund coverage logic may change when its underlying mannequin is up to date from GPT-4 to GPT-4.5, regardless that the A2A Agent Card declares equivalent capabilities. The workflow “works“—till it doesn’t, and there’s no model hint to debug. This creates what I name “ghost breaks“: failures that don’t present up in conventional observability as a result of the interface contract appears unchanged.

Taken collectively, these aren’t edge instances. They’re what occurs once we give brokers extra autonomy with out upgrading the principles of engagement between them. These failure modes have a typical root trigger: The technical functionality to collaborate throughout brokers has outrun the group’s capability to say the place that collaboration is suitable, and underneath what constraints.

That’s why we want one thing on high of the protocols themselves: an specific “Agent Treaty“ layer. If the protocol is the language, the treaty is the structure. Governance should transfer from “aspect documentation“ to “coverage as code.“

Need Radar delivered straight to your inbox? Be a part of us on Substack. Sign up here.

Conventional governance treats coverage violations as failures to forestall. An antifragile strategy treats them as indicators to use. When an agent makes a dedication that violates a enterprise constraint, the system ought to seize that occasion, hint the causal chain, and feed it again into each the agent’s coaching and the treaty ruleset. Over time, the governance layer will get smarter, not simply stricter.

Outline treaty-level constraints: Don’t simply authorize a connection; authorize a scope. Which ACP fields is an agent allowed to share? Which A2A operations are “learn solely“ versus “legally binding“? Which classes of choices require human escalation?

Model the conduct, not simply the schema: Deal with Agent Playing cards as first-class product surfaces. If the underlying mannequin modifications, the model should bump, triggering a rereview of the treaty. This isn’t bureaucratic overhead—it’s the one option to keep accountability in a system the place autonomous brokers make commitments on behalf of your group.

Cross-organizational traceability: We’d like observability traces that don’t simply present latency however present intent: Which agent made this dedication, underneath which coverage? And who’s the human proprietor? That is significantly important when workflows span organizational boundaries and associate ecosystems.

Designing that treaty layer isn’t only a tooling downside. It modifications who must be within the room and the way they give thought to the system. The toughest constraint isn’t the code; it’s the folks. We’re coming into a world the place engineers should purpose about multi-agent sport idea and coverage interactions, not simply SDK integration. Danger groups should audit “machine-to-machine commitments“ that will by no means be rendered in human language. Product managers should personal agent ecosystems the place a change in a single agent’s reward perform or context schema shifts conduct throughout a complete associate community. Compliance and audit features want new instruments and psychological fashions to assessment autonomous workflows that execute at machine velocity. In lots of organizations, these abilities sit in numerous silos, and A2A/ACP adoption is continuing sooner than the cross-functional constructions wanted to handle them.

All of this may sound summary till you take a look at the place enterprises are of their adoption curve. Three converging traits are making this pressing: Protocol maturity means A2A, ACP, and MCP specs have stabilized sufficient that enterprises are transferring past pilots to manufacturing deployments. Multi-agent orchestration is shifting from single brokers to agent ecosystems and workflows that span groups, departments, and organizations. And silent autonomy is blurring the road between “device help“ and “autonomous decision-making“—typically with out specific organizational acknowledgment. We’re transferring from integration (making issues discuss) to orchestration (making issues act), however our monitoring instruments nonetheless solely measure the discuss. The following 18 months will decide whether or not enterprises get forward of this or we see a wave of high-profile failures that drive retroactive governance.

The chance will not be that A2A and ACP are unsafe; it’s that they’re too efficient. For groups piloting these protocols, cease specializing in the “completely satisfied path“ of connectivity. As an alternative, choose one multi-agent workflow and instrument it as a important product:

Map the context movement: Each ACP area should have a “function limitation“ tag. Doc which brokers see which fields, and which enterprise or regulatory necessities justify that visibility. This isn’t a list train; it’s a option to floor hidden knowledge dependencies.

Audit the commitments: Determine each A2A interplay that represents a monetary or authorized dedication—particularly ones that don’t route by way of human approval. Ask, “If this agent’s conduct modified in a single day, who would discover? Who’s accountable?“

Code the treaty: Prototype a “gatekeeper“ agent that enforces enterprise constraints on high of the uncooked protocol visitors. This isn’t about blocking brokers; it’s about making coverage seen and enforceable at runtime. Begin minimal: One coverage, one workflow, one success metric.

Instrument for studying: Seize which brokers collaborate, which insurance policies they invoke, and which contexts they share. Deal with this as telemetry, not simply audit logs. Feed patterns again into governance critiques quarterly.

If this works, you now have a repeatable sample for scaling agent deployments with out sacrificing accountability. If it breaks, you’ve realized one thing important about your structure earlier than it breaks in manufacturing. If you will get one workflow to behave this fashion—ruled, observable, and learn-as-you-go—you may have a template for the remainder of your agent ecosystem.

If the final decade was about treating APIs as merchandise, the following one will likely be about treating autonomous workflows as insurance policies encoded in visitors between brokers. The protocols are prepared. Your org chart will not be. The bridge between the 2 is the Agent Treaty—begin constructing it earlier than your brokers begin signing offers with out you. The excellent news: You don’t want to revamp your total group. You have to add one important layer—the Agent Treaty—that makes coverage machine-enforceable, observable, and learnable. You want engineers who take into consideration composition and sport idea, not simply connection. And it’s good to deal with agent deployments as merchandise, not infrastructure.

The earlier you begin, the earlier that governance hole closes.