March 2, 2026

What is the Agent-to-Agent Protocol (A2A)?

The Agent-to-Agent Protocol (A2A) is an open standard that defines how AI agents from different systems communicate, delegate tasks, and share results with each other.

Main takeaways

  • A2A enables multi-agent workflows to span organizational and vendor boundaries without custom, one-off integrations.
  • Developed by Google and donated to the Linux Foundation, A2A complements MCP: MCP governs agent-to-tool connections; A2A governs agent-to-agent connections.
  • Every A2A interaction is a trust decision. Without proper authentication and scope controls, agents can be manipulated into sharing data or taking actions they shouldn't.
  • As multi-agent deployments grow, A2A introduces a new class of non-human identity relationships that security teams need to govern.

What is the Agent-to-Agent Protocol?

Most AI agent protocols address how a single agent connects to tools and data sources. A2A addresses a different problem entirely: how agents talk to each other. Before A2A, multi-agent interactions were largely ad hoc—each integration required custom engineering, with no consistent framework for authentication, capability negotiation, or task delegation across different systems or vendors. A2A establishes that common language.

Originally developed by Google, A2A was donated to the Linux Foundation in mid-2025 for neutral, community-driven governance. It uses standard communication patterns—JSON-RPC, Server-Sent Events—and is designed to be composable with other protocols, including MCP.

How A2A works

At its core, A2A defines three things:

  • Capability discovery—How one agent advertises what it can do, so other agents can find it and understand how to interact with it.
  • Structured messaging—A consistent format for sending tasks, receiving results, and managing long-running or asynchronous workflows.
  • Security handshake—How agents authenticate to each other, negotiate permissions, and establish what each is authorized to access or do.

In practice, this means an orchestrating agent can identify a specialized agent, delegate a subtask to it, receive a result, and pass it along—all without the humans who designed each agent having to build a custom integration between them.

The security implications

A2A makes multi-agent AI powerful. It also makes it harder to govern.

When agents can discover and communicate with each other at runtime, the set of potential interactions is no longer fixed. An agent with broad permissions could be leveraged by another agent—potentially one with different trust levels or from a different vendor context—to access data or perform actions it wasn't explicitly intended for.

Key risks in A2A deployments:

  • Unauthorized delegation—An agent receives a task from an unverified or poorly scoped agent and acts on it without proper authorization checks.
  • Permission inheritance—A well-permissioned agent is used as a relay by a less-trusted agent to access resources it couldn't reach directly.
  • Audit gaps—Multi-agent workflows can span multiple systems and vendors; reconstructing what happened, and which agent made which decision, becomes difficult without comprehensive logging.
  • Scope creep—Agents built for narrow tasks gradually interact with more agents and data sources than originally intended, expanding their effective permissions.
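One way a receiving agent could guard against the unauthorized delegation, permission inheritance, and audit gap risks listed above, shown as an added example that is not part of the A2A specification or any vendor's code. The agent names, scope strings, and policy table are constructed, and the identities in the delegation chain are assumed to have been authenticated already (for example by mutual TLS or signed tokens).

```python
from functools import reduce

# Hypothetical allow-list: scopes each authenticated peer agent may delegate to us.
PEER_SCOPES = {
    "orchestrator.internal": {"crm:read", "tickets:read", "tickets:write"},
    "summarizer.vendor-x": {"tickets:read"},
}
# Scopes this receiving agent itself holds (constructed sample values).
OWN_SCOPES = {"crm:read", "tickets:read", "tickets:write", "billing:read"}

AUDIT_LOG = []  # stand-in for an append-only, external audit sink


def authorize_delegation(task_id, chain, requested):
    """Decide whether to act on a delegated task.

    chain: authenticated agent identities, originator first, immediate caller last.
    requested: scopes the task needs. Returns (allowed, reason).
    """
    requested = set(requested)
    unknown = [a for a in chain if a not in PEER_SCOPES]
    if not chain or unknown:
        # Unauthorized delegation: every hop must be a known, verified agent.
        decision = (False, f"unverified agent in chain: {unknown or 'empty chain'}")
    else:
        # Permission inheritance: effective scope is the intersection of our own
        # grants and every hop's grants, so a relay through a trusted agent never
        # exceeds what the least-trusted participant is allowed.
        effective = reduce(set.intersection,
                           (PEER_SCOPES[a] for a in chain), set(OWN_SCOPES))
        excess = requested - effective
        if excess:
            decision = (False, f"scopes exceed delegation chain: {sorted(excess)}")
        else:
            decision = (True, "ok")
    # Audit gaps: record every decision, allowed or denied, with the full chain.
    AUDIT_LOG.append({"task": task_id, "chain": list(chain),
                      "requested": sorted(requested),
                      "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    relay = ["summarizer.vendor-x", "orchestrator.internal"]
    print(authorize_delegation("t1", ["orchestrator.internal"], {"crm:read"}))
    print(authorize_delegation("t2", relay, {"crm:read"}))
    print(authorize_delegation("t3", ["rogue.example"], {"tickets:read"}))
```

Because the decision is made on the whole chain rather than the immediate caller, the second request is denied even though the orchestrator alone could have read CRM data.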

Governing A2A in the enterprise

A2A requires organizations to treat every agent as an identity with defined trust boundaries. That means applying the same governance principles used for human and non-human identities: least-privilege access, mutual authentication, continuous monitoring, and clear lifecycle management.

Visibility is the starting point. Organizations deploying A2A-enabled agents need to know which agents exist, what they're authorized to do, and which other agents they're communicating with—before an incident surfaces that information for them.
