TL;DR: Agent2Agent (A2A) standardises how autonomous agents discover one another, exchange tasks, and use short-lived OAuth/OIDC tokens, but it also introduces compliance blind spots and orchestration overhead, according to Apono. The real issue is that agent-to-agent communication makes identity, auditability, and least privilege a runtime governance problem, not just an integration problem.
At a glance
What this is: An independent analysis of Google’s Agent2Agent protocol and what its adoption means for secure, auditable non-human identity governance.
Why it matters: A2A turns agent communication into an identity and access problem that affects NHI, autonomous, and broader IAM programmes at the same time.
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- While 71% of IT teams have been advised on AI agent data access, only 47% of compliance teams, 39% of legal teams, and 34% of executives have the same visibility.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.
Context
Agent2Agent, or A2A, is a protocol for letting independent software agents discover each other, negotiate how they will communicate, and exchange tasks over scoped authentication. In practice, that shifts agent collaboration out of brittle point-to-point integrations and into a governed identity workflow, which is why the topic sits squarely in NHI and emerging autonomous access management.
The security gap is not whether agents can talk. It is whether teams can explain who approved the token, which agent initiated the request, how long the privilege existed, and how that activity fits existing access review, audit, and least-privilege controls. A2A makes those questions operational, not theoretical.
For IAM, PAM, and NHI programmes, the protocol is a useful signal that agent communication is becoming normalised. The harder work is making sure discovery, token issuance, telemetry, and offboarding remain visible to the same governance controls that already cover service accounts, workload identities, and other non-human identities.
Key questions
Q: How should security teams govern Agent2Agent communication in production?
A: Treat every agent as a governed non-human identity, not just a service integration. Require ownership, scoped authentication, traceable task IDs, and lifecycle offboarding before the first production workflow goes live. If an agent can discover peers and request access at runtime, it belongs inside identity governance and audit processes.
Q: Why do short-lived tokens not fully solve agent-to-agent risk?
A: Short-lived tokens reduce persistence, but they do not guarantee correct authorisation, audience scoping, or accountability. An agent can still misuse a valid token within its lifetime, and investigators may still struggle if traceability is incomplete. The control problem shifts from secret storage to runtime evidence and policy enforcement.
Q: What do teams get wrong about agent discovery and Agent Cards?
A: They often treat discovery as a harmless convenience layer. In reality, an Agent Card advertises capabilities, endpoints, and auth methods, which makes it part of the trust decision. If discovery is not governed, agents can find and call services that were never meant to be broadly reachable.
Q: How can organisations tell if agent-to-agent governance is actually working?
A: Look for consistent token scoping, complete trace coverage, and the ability to answer who initiated each task, which agent consumed it, and what downstream systems were touched. If those questions require manual log correlation or cannot be answered quickly, the governance model is still incomplete.
Technical breakdown
Agent discovery and agent cards create a new trust boundary
A2A uses an Agent Card, typically exposed as a small JSON document, to advertise an agent's endpoint, skills, and supported authentication methods. That simplifies discovery, but it also makes the card part of the trust boundary because another agent can use it to decide whether and how to connect. In identity terms, the card is not just metadata. It is a machine-readable access invitation that can be consumed at runtime. Once discovery is standardised, policy has to decide which agents are allowed to find each other, not just which humans can request access.
Practical implication: treat agent discovery records as governed identity objects and restrict who can publish, register, and consume them.
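One way to turn that implication into a registration gate, as an added example that is not code from Apono or the A2A specification. The card field names (`owner`, `endpoint`, `auth`, `skills`), the policy values, and the approvals set are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Hypothetical governance policy for publishing Agent Cards.
POLICY = {
    "approved_owners": {"payments-team", "platform-team"},
    "allowed_host_suffixes": (".agents.example.internal",),
    "allowed_auth": {"oauth2", "oidc"},
    "sensitive_skills": {"issue-refund", "rotate-credentials"},
}

def review_agent_card(card, approvals, policy=POLICY):
    """Return findings for a card; an empty list means it may be registered.

    approvals is a set of (agent name, skill) pairs signed off by a reviewer.
    """
    findings = []
    if card.get("owner") not in policy["approved_owners"]:
        findings.append("owner not approved to publish")
    url = urlparse(card.get("endpoint", ""))
    if url.scheme != "https":
        findings.append("endpoint is not https")
    if not (url.hostname or "").endswith(policy["allowed_host_suffixes"]):
        findings.append("endpoint host outside governed domain")
    auth = set(card.get("auth", []))
    if not auth:
        findings.append("no authentication method advertised")
    for method in sorted(auth - policy["allowed_auth"]):
        findings.append(f"auth method not allowed: {method}")
    # Sensitive skills are an entitlement decision, so each needs an approval.
    for skill in sorted(set(card.get("skills", [])) & policy["sensitive_skills"]):
        if (card.get("name"), skill) not in approvals:
            findings.append(f"sensitive skill lacks approval: {skill}")
    return findings

# Constructed sample cards.
CARD_OK = {"name": "billing-agent", "owner": "payments-team",
           "endpoint": "https://billing.agents.example.internal/a2a",
           "auth": ["oauth2"], "skills": ["lookup-invoice"]}
CARD_BAD = {"name": "helper", "owner": "unknown",
            "endpoint": "http://helper.example.com/a2a",
            "auth": [], "skills": ["issue-refund"]}

if __name__ == "__main__":
    for card in (CARD_OK, CARD_BAD):
        print(card["name"], review_agent_card(card, approvals=set()) or "ok")
```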
Short-lived OAuth and OIDC tokens reduce persistence, not risk
A2A leans on short-lived tokens so agents can authenticate with minutes-long credentials instead of hardcoded secrets. That improves blast-radius control, but it does not remove the need to bind each task to a clear identity, audience, and purpose. The security model changes from secret storage to runtime authorisation. If token issuance, audience scoping, and traceability are weak, the environment may still be auditable only in fragments. The value is in reducing standing access, not in assuming that expiry alone creates security.
Practical implication: enforce audience scoping and task-level traceability for every token rather than relying on short TTLs alone.
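The checks a receiving agent can apply beyond expiry, as an added example rather than code from the page or the protocol. It assumes the token signature has already been verified by a JWT library; `aud`, `iat`, `exp`, `sub` and `jti` are standard JWT claims, while `task_id` and the 300-second ceiling are hypothetical.

```python
MAX_TTL_SECONDS = 300     # assumed policy ceiling for agent-to-agent tokens
CLOCK_SKEW_SECONDS = 30   # assumed tolerance between issuer and receiver clocks

def check_task_token(claims, this_agent, task_id, now):
    """Authorisation checks on claims whose signature was ALREADY verified.

    Returns a list of problems; an empty list means the call may proceed.
    "task_id" is a hypothetical custom claim binding the token to one task.
    """
    problems = []
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if audiences != [this_agent]:
        problems.append("audience is not exactly this agent")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat or exp missing")
    else:
        if exp - iat > MAX_TTL_SECONDS:
            problems.append("lifetime exceeds policy ceiling")
        if now >= exp:
            problems.append("token expired")
        if iat > now + CLOCK_SKEW_SECONDS:
            problems.append("token issued in the future")
    if claims.get("task_id") != task_id:
        problems.append("token is not bound to this task")
    for required in ("sub", "jti"):
        if not claims.get(required):
            problems.append(f"missing {required}; call cannot be attributed")
    return problems

# Constructed claims. BROAD is short-lived and unexpired, yet scoped too widely.
NOW = 1_700_000_100
GOOD = {"sub": "agent:planner", "aud": "agent:billing", "iat": 1_700_000_000,
        "exp": 1_700_000_240, "jti": "j-001", "task_id": "task-42"}
BROAD = dict(GOOD, aud=["agent:billing", "agent:ledger"], task_id="task-7")

if __name__ == "__main__":
    for name, claims in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, check_task_token(claims, "agent:billing", "task-42", NOW) or "ok")
```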
Telemetry is what makes multi-agent activity governable
A2A includes trace IDs and structured logs so agent-to-agent requests can be stitched into existing observability stacks. That matters because multi-agent workflows can fail in ways traditional application logs miss, especially when one agent calls another and then chains into a third service. Without consistent trace correlation, teams lose the ability to answer basic governance questions about provenance, escalation, and completion. In an identity programme, telemetry is not an afterthought. It is the evidence layer that makes machine delegation reviewable and reconstructable after the fact.
Practical implication: require end-to-end trace correlation before allowing A2A traffic into production workflows.
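A coverage check over structured logs that flags the delegation chains an investigator could not reconstruct, added here as an example and not taken from the original post. The log field names (`trace_id`, `span_id`, `parent_span_id`, `caller`, `callee`, `token_jti`) and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of structured A2A log events, one JSON object per line.
SAMPLE_LOG = [
    '{"trace_id":"t-1","span_id":"a","parent_span_id":null,"caller":"planner","callee":"billing","token_jti":"j1"}',
    '{"trace_id":"t-1","span_id":"b","parent_span_id":"a","caller":"billing","callee":"ledger","token_jti":"j2"}',
    '{"trace_id":"t-2","span_id":"c","parent_span_id":null,"caller":"planner","callee":"support","token_jti":"j3"}',
    '{"trace_id":"t-2","span_id":"e","parent_span_id":"d","caller":"refunds","callee":"ledger","token_jti":null}',
]

def audit_traces(log_lines):
    """Group events by trace ID and list what blocks reconstruction of each chain."""
    traces = defaultdict(list)
    for line in log_lines:
        event = json.loads(line)
        traces[event.get("trace_id") or "<missing>"].append(event)
    report = {}
    for trace_id, events in traces.items():
        logged_spans = {e["span_id"] for e in events if e.get("span_id")}
        roots = [e for e in events if not e.get("parent_span_id")]
        gaps = []
        for e in events:
            hop = f"{e.get('caller')}->{e.get('callee')}"
            parent = e.get("parent_span_id")
            if trace_id == "<missing>":
                gaps.append(f"{hop}: no trace_id")
            if parent and parent not in logged_spans:
                gaps.append(f"{hop}: parent span {parent} was never logged")
            if not e.get("token_jti"):
                gaps.append(f"{hop}: no token attribution")
        report[trace_id] = {
            # A single root event identifies the agent that initiated the task.
            "initiator": roots[0]["caller"] if len(roots) == 1 else None,
            "hops": [f"{e.get('caller')}->{e.get('callee')}" for e in events],
            "gaps": gaps,
        }
    return report

if __name__ == "__main__":
    for trace_id, result in audit_traces(SAMPLE_LOG).items():
        print(trace_id, result["gaps"] or "complete")
```

In the sample, trace `t-2` has a hop whose parent span was never forwarded to the log pipeline, so the path from `support` to `refunds` cannot be shown even though every individual call was authenticated.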
Threat narrative
Attacker objective: The objective is to move from legitimate-looking agent collaboration to distributed execution that is hard to attribute, contain, or review cleanly.
- Entry occurs when one agent discovers another through its published Agent Card and obtains the connection details and supported authentication flow.
- Escalation occurs when the calling agent receives a scoped OAuth or OIDC token and uses it to invoke downstream tasks across services and workflows.
- Impact occurs when chained agent interactions execute sensitive actions with incomplete audit coverage, making accountability and investigation difficult.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
NHI Mgmt Group analysis
Agent-to-agent communication turns identity into a runtime control plane: A2A does not simply connect systems, it creates negotiated machine trust between independent actors. That means discovery, authentication, audience scoping, and audit evidence all become part of the identity layer rather than a surrounding implementation detail. The implication is that IAM teams can no longer treat machine messaging as separate from access governance.
Standing privilege is the wrong baseline for multi-agent systems: A2A's short-lived tokens and task-scoped calls expose how much of today's NHI practice still assumes persistent access. That assumption collapses when agents can discover peers, request access on demand, and complete work in short bursts. The implication is that access governance has to start from ephemeral delegation, not from long-lived entitlements.
Runtime observability is now a control, not just an operations feature: Trace IDs, structured logs, and token attribution are what make A2A defensible in enterprise environments. Without them, compliance teams inherit a delegation chain they cannot reconstruct, and security teams inherit an incident they cannot scope cleanly. The implication is that telemetry must be designed as evidence for identity governance, not merely as debugging output.
A2A broadens the gap between human IAM and machine governance: Human programmes still rely heavily on approval workflows, recertification cycles, and accountable operators, but agent interactions compress those timelines. An autonomous or semi-autonomous exchange can begin and finish before a reviewer ever sees it. The implication is that enterprise identity strategy now has to govern both the human sponsor and the non-human executor in the same control model.
Ephemeral credential trust debt: A2A reduces the lifespan of credentials, but it does not reduce the number of trust decisions that must be made correctly at runtime. Every short-lived token still depends on the right audience, scope, and delegation path. The implication is that security teams must measure whether short-lived access is actually auditable, not merely short-lived.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to the 2026 Infrastructure Identity Survey.
- That governance gap is why OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework now matter for identity teams, not just AI specialists.
What this signals
Ephemeral delegation will become the default control expectation for agent systems: As A2A-style interaction patterns spread, programmes that still depend on persistent credentials will carry avoidable trust debt. With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the gap is already visible in practice.
Agent discovery needs to be governed like access publishing: Once an Agent Card or registry becomes the lookup layer for machine work, exposure decisions start to resemble entitlement decisions. That means security leaders should expect the governance boundary between service discovery and access management to keep shrinking, especially in environments that use OWASP Agentic AI Top 10 patterns.
Runtime evidence will separate usable from unusable agent governance: The organisations that can answer who requested access, which task used it, and where the action landed will be the ones able to scale agentic workflows without surrendering auditability. That is where the identity provenance gap becomes the practical concept: if provenance is missing, policy may exist but governance does not.
For practitioners
- Classify A2A agents as governed non-human identities: Map every agent that can discover peers or send tasks into your NHI inventory, then assign ownership, lifecycle, and offboarding responsibility before production rollout. If an agent can obtain a token and act, it belongs in identity governance.
- Bind each agent task to a unique audit trail: Require trace IDs, signed task identifiers, and central log forwarding for every A2A transaction so investigators can reconstruct who initiated the action, which token was used, and which downstream systems were touched.
- Limit token audience and lifetime by task class: Set the shortest practical token lifetime and constrain each token to a single audience and workflow boundary. Avoid reusable credentials for agent-to-agent calls, especially where tasks can cascade across infrastructure or data services.
- Review agent discovery as an access decision: Treat registration in an Agent Card directory or registry as a controlled publishing process, with approval gates for sensitive skills, privileged endpoints, and cross-domain discovery. Discovery should be as governed as API exposure.
- Test incident response for chained delegation: Practice containment scenarios where one agent triggers another and then fans out into additional systems, so your teams know how to revoke access, halt task propagation, and preserve evidence before the chain completes.
Key takeaways
- A2A makes agent collaboration an identity governance problem because discovery, task exchange, and token use all happen at runtime.
- Short-lived credentials help shrink persistence, but they do not replace the need for scoped authorisation, traceability, and ownership.
- Security teams should treat agent cards, trace IDs, and offboarding as mandatory controls before multi-agent workflows reach production.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2A | A2A introduces agent discovery, token scope, and delegated task risk. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and scoped access map directly to NHI lifecycle risk. |
| NIST CSF 2.0 | PR.AA-01 | Identity management and logging are central to governing machine delegation. |
Apply agentic AI controls to discovery, delegation, and task execution before production rollout.
Key terms
- Agent Card: An Agent Card is a machine-readable discovery object that tells other agents what an agent can do, where it is reachable, and which authentication methods it supports. In governance terms, it becomes part of the trust boundary because it can influence runtime access decisions and inter-agent connectivity.
- Ephemeral Delegation: Ephemeral delegation is the practice of granting access only for a narrowly defined task and only for as long as the task needs it. For autonomous or semi-autonomous agents, the governance challenge is proving that the delegation was correctly scoped, observed, and revoked in time.
- Task-Scoped Token: A task-scoped token is a short-lived credential issued for one specific agent action or workflow boundary. It reduces standing access, but it is only effective when the audience, purpose, and expiry are tightly controlled and the resulting activity is fully traceable.
- Identity Provenance: Identity provenance is the ability to reconstruct which identity initiated an action, how it was authorised, and what downstream systems it touched. In multi-agent environments, provenance is what turns logs and tokens into usable governance evidence rather than disconnected telemetry.
This post draws on content published by Apono: What is Agent2Agent (A2A) Protocol and How to Adopt it? Read the original.
Published by the NHIMG editorial team on 2025-10-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org