Executive Summary
- Google’s Agent2Agent (A2A) protocol — announced April 2025, now at v1.0 — is the emerging standard for how AI agents delegate tasks to other agents. It has 150+ organizational supporters including Microsoft, AWS, Salesforce, SAP, ServiceNow, and all major consulting firms, and is now embedded in Azure AI Foundry and Amazon Bedrock.
- A2A and Anthropic’s Model Context Protocol (MCP) are complementary, not competing: MCP governs how an agent connects to tools and data; A2A governs how agents communicate with each other. Together they form the two-layer transport infrastructure for enterprise multi-agent systems.
- The standards competition is settled. Both protocols now sit under Linux Foundation neutral governance, with every major AI lab and hyperscaler in the same governance tent. Lock-in risk is lower than 2025 framing suggested.
- The production evidence base is thin. 150 organizations have committed support; named at-scale production deployments are limited to a handful of vendor case studies. These case studies are vendor-published and represent selected wins with no control group and no independent verification. Developer adoption is real (23,000+ GitHub stars, five SDKs); enterprise production claims are ahead of documented evidence.
- The security gap is real and unaddressed. A2A v1.0 includes HTTPS, OAuth 2.0, and Signed Agent Cards — but three attack vectors (prompt injection across agent boundaries, SSRF, and credential escalation through delegation) have no industry consensus mitigation. If your organization is deploying multi-agent systems today, this is the governance conversation to start now, not in 12 months.
What A2A Is — And Why the Timing Matters
Until 2025, the practical barrier to enterprise multi-agent AI was not capability — it was plumbing. Building a system where a customer service agent could delegate a contract review subtask to a legal agent, which could in turn query a compliance agent, required custom integration code for every pair of agents. Vendors built walled gardens. A Salesforce agent could not natively delegate to a ServiceNow agent.
A2A solves the handshake problem. Each agent publishes an “Agent Card” — a JSON document listing what it can do, what data it accepts, what it returns, and how to authenticate. Agents discover each other’s capabilities via these cards and delegate tasks through standardized JSON-RPC calls over HTTPS. The protocol handles long-running async workflows through Server-Sent Events — so an orchestrator agent can hand off a task and receive a result hours later without maintaining an open connection.
Google launched A2A in April 2025 as an Apache 2.0 open standard, specifically to avoid the perception that only Google agents could interoperate. The Linux Foundation took stewardship in June 2025. By March 2026, v1.0 shipped with cryptographically signed Agent Cards — agents can now verify that the capability card they’re talking to was actually issued by the domain it claims.
The timing matters because the three hyperscalers have now embedded A2A at the platform layer. Azure AI Foundry and Copilot Studio use A2A. Amazon Bedrock AgentCore uses A2A. Google Cloud’s native agent tooling uses A2A. If a CIO is building on any of these platforms, A2A is already the transport, whether they know it or not.
A2A and MCP: The Functional Split
The question most CIOs ask when they hear about two protocols is: which one wins? The answer is that they are not competing for the same job.
MCP (Model Context Protocol): Governs how an AI agent connects to external tools and data sources — databases, APIs, file systems, SaaS applications. An agent uses MCP to call a Salesforce API or read from a document store. It is frequently described as the USB standard for AI: a connector specification, not a communication protocol.
A2A: Governs how an AI agent communicates with another AI agent — capability discovery, task delegation, status updates, result handoff. An orchestrator agent uses A2A to say “here is a task; here is the context; tell me when it is done.”
The emerging enterprise architecture has both layers:
- MCP — agent connects to tools and data sources
- A2A — agent delegates to another agent
An orchestrator agent uses A2A to hand a subtask to a specialist agent. That specialist agent uses MCP to pull the data it needs to complete the task. The two protocols do not overlap.
Anthropic donated MCP to the Linux Foundation in December 2025 under the new Agentic AI Foundation (AAIF), which also houses OpenAI’s AGENTS.md specification and Block’s open-source agent framework. IBM’s competing Agent Communication Protocol merged into A2A in August 2025, eliminating what briefly looked like a standards fork. The governance picture as of April 2026: all major labs and hyperscalers coordinate under neutral Linux Foundation structures. The standards war is over before most enterprises noticed it started.
The Vendor Landscape: Who Has Committed and What That Means
The 150+ organization figure from the April 2026 one-year press release requires careful interpretation. These organizations have committed support — through Linux Foundation membership, integration announcements, or developer tooling — not verified production deployments.
The commitments that matter most for mid-market CIOs:
Platform-level integration (highest signal):
- Microsoft: A2A embedded in Azure AI Foundry and Copilot Studio — any multi-agent workflow built on Microsoft’s platform uses A2A as the underlying transport
- AWS: A2A in Amazon Bedrock AgentCore Runtime — same pattern
- Google Cloud: Native across ADK and Vertex AI agent tooling
Enterprise application vendors (founding partners): Salesforce, SAP, ServiceNow, Workday, UKG, and Atlassian all signed on as founding partners in April 2025. For a mid-market company running any combination of these platforms, the practical implication is that agents built on these systems will eventually be able to delegate tasks to each other without custom integration. “Eventually” is doing work in that sentence — vendor roadmap commitment is not the same as shipped capability.
Developer framework support (measurable): LangGraph, CrewAI, and Google’s Agent Development Kit all have native A2A support. If a development team is building custom agents on any of these frameworks today, A2A is available. GitHub metrics — 23,000+ stars, 2,400+ forks, five production-ready SDKs across Python, JavaScript, Java, Go, and .NET — indicate genuine developer adoption, not marketing traction.
Key Data Points
| Metric | Value | Source | Date | Credibility |
|---|---|---|---|---|
| Founding partners at launch | 50+ | Google Cloud Next announcement | April 2025 | HIGH |
| Organizations supporting A2A | 150+ | Linux Foundation / PR Newswire | April 2026 | MEDIUM — supporters, not production deployments |
| GitHub stars | 23,000+ | a2aproject/A2A repository | April 2026 | HIGH — verifiable |
| Production SDKs available | 5 (Python, JS, Java, Go, .NET) | A2A Project | April 2026 | HIGH |
| IBM ACP merger into A2A | Confirmed | Linux Foundation | August 2025 | HIGH |
| AAIF founding (MCP + A2A governance) | All major labs + hyperscalers | Linux Foundation | December 2025 | HIGH |
| Azure AI Foundry A2A integration | Confirmed | Microsoft announcement | 2025-2026 | HIGH |
| Amazon Bedrock AgentCore A2A | Confirmed | AWS announcement | 2025-2026 | HIGH |
| A2A v1.0 with Signed Agent Cards | Released | A2A Project GitHub | March 12, 2026 | HIGH |
| Attack vectors without mitigations | 3 (injection, SSRF, credential escalation) | Futurum / RSAC 2026 | April 2026 | MEDIUM-HIGH |
Temporal tier: TIER 1 (April 2025–April 2026 sources)
Source credibility: MEDIUM — primary source documentation (Google, Linux Foundation, A2A spec) is HIGH credibility; production adoption claims are self-reported and lack independent verification; GitHub metrics are objective signals; security analysis (Futurum, RSAC 2026) is MEDIUM-HIGH independent analyst coverage.
The Security Gap: Three Problems With No Answers Yet
A2A v1.0 includes meaningful security infrastructure: mandatory TLS, OAuth 2.0/OIDC authentication, role-based access control per agent skill, and Signed Agent Cards that cryptographically verify agent identity. For organizations evaluating the protocol’s maturity, these features represent genuine progress over the v0.1 launch.
But three attack vectors raised at RSAC 2026 (Futurum Research, Fernando Montenegro) have no industry consensus mitigation:
Prompt injection across agent boundaries. When Agent A passes a document to Agent B for processing, a malicious payload embedded in that document can override Agent B’s intended behavior. The receiving agent cannot distinguish legitimate instructions from injected ones in the content it is analyzing. The A2A spec does not mandate input sanitization at agent-to-agent boundaries.
Server-Side Request Forgery at agent-to-resource boundaries. Agents that access internal systems on behalf of users can be manipulated to request unintended internal endpoints — potentially exposing infrastructure that was never intended to be agent-accessible. MCP’s connection to internal systems creates the attack surface; A2A’s delegation multiplies the number of agents that can reach it.
Credential escalation through delegation. When an orchestrator agent delegates a subtask to a specialist agent, the A2A spec’s least-privilege guidance is aspirational rather than mandatory. In practice, the specialist may inherit the orchestrator’s broader credential scope — gaining data access that exceeds what the task requires. An agent authorized to read financial summaries could inherit credentials that allow writes.
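For the SSRF vector above, one defensive pattern is to validate every destination before an agent's tool issues the request. The sketch below is an added example, not code from the A2A specification or any vendor; the function name, the per-task allowlist, and the injected resolver are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_agent_fetch(url, allowed_hosts, resolve):
    """Decide whether an agent tool may fetch `url`. Returns (allowed, reason).

    allowed_hosts: hostnames documented as needed for this task (assumption).
    resolve: callable hostname -> list of IP strings. Production code would do
    a real DNS lookup and then connect to the address that was checked.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host or host not in allowed_hosts:
        return False, "host not on the task allowlist"
    addresses = resolve(host)
    if not addresses:
        return False, "host did not resolve"
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # is_global is False for loopback, RFC 1918 and link-local ranges.
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"

# Constructed sample data: a stub resolver so the example runs offline.
SAMPLE_DNS = {
    "docs.example.com": ["93.184.216.34"],
    "reports.example.com": ["10.0.0.5"],   # allowlisted name pointing inward
}
SAMPLE_ALLOWED = {"docs.example.com", "reports.example.com"}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

if __name__ == "__main__":
    for url in ("https://docs.example.com/policy.pdf",
                "http://docs.example.com/policy.pdf",
                "https://docs.example.com@169.254.169.254/",
                "https://reports.example.com/q3"):
        print(url, check_agent_fetch(url, SAMPLE_ALLOWED, sample_resolve))
```

The third sample URL shows why the check uses the parsed hostname rather than a substring match: the allowlisted name sits in the userinfo part, and the real destination is the address after the `@`.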
The analyst framing from RSAC 2026 is worth quoting directly: “The near-absence of A2A protocol security as a distinct conversation means protocol-layer risk will become a procurement question in 12-18 months.” The historical parallel is instructive — cloud API security gaps from 2012–2015 saw adoption run two to three years ahead of security governance frameworks. Organizations that waited to address this during due diligence, rather than proactively, faced more expensive remediations.
The governance action available today: require vendors to document how credentials are scoped at each delegation boundary before approving a multi-agent deployment.
What This Means for Your Organization
The decision mid-market CIOs face in 2026 is not whether to adopt A2A — if they are building on Azure, AWS, or Google Cloud, they are already using it at the platform layer. The decision is whether to engage consciously with the protocol or let it run as invisible infrastructure.
If your organization is buying from Microsoft, AWS, or Google for any agentic AI work: A2A is already your multi-agent transport. The action is not adoption — it is governance. Work with your security team to establish credential-scoping requirements for any multi-agent workflow before procurement sign-off.
If your organization runs a heterogeneous vendor stack (Salesforce + ServiceNow + custom agents): A2A is the protocol that eventually makes these agents talk to each other without custom integration code. Vendor roadmap timing is the variable — this is a 2026–2027 capability, not a 2026 production reality for most mid-market deployments. Planning for it now is reasonable; depending on it now is premature.
If your organization is evaluating custom agent development: The LangGraph and CrewAI frameworks have native A2A support. Building on these frameworks means building for interoperability — a wise default given that the enterprise application vendors (Salesforce, SAP, ServiceNow) are integrating A2A on their own timelines.
The governance action available today regardless of deployment stage: Establish a credential-scoping requirement for any multi-agent workflow. Before any agent can delegate a task to another agent, document what data access the receiving agent actually needs for that specific task and confirm the implementation enforces it. This is the one control that addresses all three RSAC attack vectors.
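The credential-scoping requirement can be expressed as a check that runs at every delegation hop. The following is an added example, not part of the A2A specification or any vendor implementation; the scope strings, skill names, and the `Hop` record are hypothetical, and the sample chain is constructed to mirror the read-versus-write case described under credential escalation.

```python
from dataclasses import dataclass

# Hypothetical policy: the scopes each delegated skill is documented to need.
SKILL_SCOPES = {
    "summarize_financials": {"finance.summary:read"},
    "review_contract": {"contracts:read"},
}

@dataclass(frozen=True)
class Hop:
    receiver: str        # agent receiving the delegated task
    skill: str           # task being delegated
    granted: frozenset   # scopes on the credential handed to the receiver

def scopes_for(parent_scopes, skill, policy=SKILL_SCOPES):
    """Scopes to mint for one delegation: exactly what the skill needs."""
    needed = policy.get(skill)
    if needed is None:
        raise PermissionError(f"no documented scope requirement for {skill!r}")
    if not needed <= set(parent_scopes):
        raise PermissionError(f"delegator lacks {sorted(needed - set(parent_scopes))}")
    return frozenset(needed)

def audit_chain(root_scopes, hops, policy=SKILL_SCOPES):
    """Return (hop index, finding, scopes) for each hop that is not least-privilege."""
    findings, parent = [], frozenset(root_scopes)
    for i, hop in enumerate(hops):
        needed = frozenset(policy.get(hop.skill, ()))
        if hop.skill not in policy:
            findings.append((i, "undocumented-skill", [hop.skill]))
        if hop.granted - parent:
            findings.append((i, "escalation", sorted(hop.granted - parent)))
        if (hop.granted & parent) - needed:
            findings.append((i, "excess", sorted((hop.granted & parent) - needed)))
        parent = hop.granted & parent   # a receiver can pass on only what it validly holds
    return findings

# Constructed sample: the orchestrator hands its whole credential to the first specialist.
ORCHESTRATOR = {"finance.summary:read", "finance.ledger:write", "contracts:read"}
SAMPLE_CHAIN = [
    Hop("finance-agent", "summarize_financials", frozenset(ORCHESTRATOR)),
    Hop("legal-agent", "review_contract", frozenset({"contracts:read"})),
]

if __name__ == "__main__":
    for finding in audit_chain(ORCHESTRATOR, SAMPLE_CHAIN):
        print(finding)
    print(sorted(scopes_for(ORCHESTRATOR, "summarize_financials")))
```

`scopes_for` is the enforcement side (what to mint at the boundary) and `audit_chain` is the review side (what a vendor's delegation records should show); an "excess" finding is the inherited-scope case, an "escalation" finding is a receiver holding something its delegator never had.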
If this raised questions about how to structure agentic AI governance for your specific vendor stack, I’d welcome the conversation — brandon@brandonsneider.com.
Sources
- Google Developers Blog — “A2A: A New Era of Agent Interoperability” (April 9, 2025). Primary launch announcement. URL: https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/ — Credibility: HIGH (primary source; vendor-authored)
- PR Newswire — “A2A Protocol Surpasses 150 Organizations, Lands in Major Cloud Platforms, and Sees Enterprise Production Use in First Year” (April 9, 2026). One-year milestone press release. URL: https://www.prnewswire.com/news-releases/a2a-protocol-surpasses-150-organizations-lands-in-major-cloud-platforms-and-sees-enterprise-production-use-in-first-year-302737641.html — Credibility: MEDIUM (official release; “150 organizations” reflects supporters, not verified production deployments)
- Google Cloud Blog — “Agent2Agent Protocol Is Getting an Upgrade” (July 31, 2025). v0.3 release notes. URL: https://cloud.google.com/blog/products/ai-machine-learning/agent2agent-protocol-is-getting-an-upgrade — Credibility: HIGH
- A2A Project — Official Specification (v1.0, March 12, 2026). URL: https://a2a-protocol.org/latest/ — Credibility: HIGH (specification document)
- A2A Project — Enterprise-Ready Security Specification (v1.0). URL: https://a2a-protocol.org/latest/topics/enterprise-ready/ — Credibility: HIGH
- A2A Project — GitHub Repository (a2aproject/A2A). URL: https://github.com/a2aproject/A2A — Credibility: HIGH (verifiable metrics)
- Linux Foundation — “Agentic AI Foundation Formation Announcement” (December 2025). AAIF governance structure. URL: https://www.linuxfoundation.org/press/linux-foundation-announces-the-formation-of-the-agentic-ai-foundation — Credibility: HIGH (neutral governance body)
- Anthropic — “Donating MCP and Establishing the Agentic AI Foundation” (December 2025). URL: https://www.anthropic.com/news/donating-the-model-context-protocol-and-establishing-of-the-agentic-ai-foundation — Credibility: HIGH (primary source)
- Futurum Research / Fernando Montenegro — “RSAC 2026: The AI Tragedy of the Commons and the Future of Agentic Security” (April 2026). URL: https://futurumgroup.com/insights/rsac-2026-the-ai-tragedy-of-the-commons-and-the-future-of-agentic-security/ — Credibility: MEDIUM-HIGH (independent analyst; qualitative; no survey methodology disclosed)
- Blocks and Files — Independent A2A/AAIF Analysis (December 2025). URL: https://blocksandfiles.com/2025/12/11/a2a-aaif-ai-agents/ — Credibility: MEDIUM-HIGH (independent tech journalism)
Brandon Sneider | brandon@brandonsneider.com | April 2026