Risks from the protocols, standards, and mechanisms through which agents discover, connect to, and interact with other agents, tools, skills, and services. Covers A2A, MCP, function calling, skills/plugins, event-driven triggers, and human-in-the-loop channels.
A2A, MCP, function calling, skills/plugins, and event-driven architectures solve real interoperability problems. These risks do not argue against adopting these protocols. They document the trust boundaries, governance gaps, and attack surfaces created when agents discover, connect to, and interact with other agents, tools, skills, and services through these mechanisms. Enterprise integration standards (API gateways, service mesh, OAuth) govern traditional service-to-service communication; none were designed for autonomous callers that dynamically discover and invoke capabilities at runtime. The common theme of this category is how the communication and capability-acquisition infrastructure creates governance gaps that no existing framework addresses.
What makes these risks specifically agentic is the dynamic nature of capability discovery and invocation. Traditional API integrations are defined at design time, reviewed by architecture teams, and governed through change management. Agent communication protocols allow agents to discover new capabilities at runtime, connect to previously unknown services, and compose skills in combinations that were never tested together.
This category is intended for enterprise architects, API governance teams, security architects, third-party risk management (TPRM) teams, and any organization adopting A2A, MCP, or agent-to-agent communication protocols.
| Critical | High | Moderate | Low |
|---|---|---|---|
| 3 | 6 | 0 | 0 |
A manipulated or spoofed Agent Card causes other agents to delegate tasks to an imposter, send sensitive data to an unauthorized endpoint, or trust capabilities that do not exist.
A compromised or malicious MCP server can inject adversarial content, expose unintended tools, or serve as a data exfiltration channel.
Agent autonomously discovers and installs a skill, expanding its own capability set without human approval. Skill installation bypasses change management controls.
Agent-to-agent delegation across organizational boundaries creates dynamic third-party relationships that TPRM does not cover.
Agents within the same institution may run different protocol versions, creating silent interoperability failures and semantic errors.
An adversary who can publish to an event stream can trigger agent actions at will. Event infrastructure was designed for stateless consumers, not autonomous actors.
An agent's effective capability set grows beyond what was registered, tested, or approved, so its runtime capabilities diverge from its registered capabilities.
Agents communicating through human channels can be indistinguishable from human participants. No policy requires agents to identify themselves.
Skills designed independently can interact in unintended ways when composed. Each skill in isolation was safe. The composition creates emergent risk.
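A defender-side check for the unintended-tool and capability-drift risks above, added here as an example and not code from the original page: it fingerprints each tool a server advertises (name, description, input schema) when the integration is reviewed and, at runtime, reports tools that were added, removed or altered, exposing only the approved set to the agent. The manifest shape, the sample tools and the sha256 fingerprint are assumptions; the only protocol fact relied on is that MCP servers advertise tools as objects carrying a name, a description and an inputSchema.

```python
import hashlib
import json


def tool_fingerprint(tool: dict) -> str:
    """Stable hash over the fields that reach the model or shape the call.
    The description is included because it is fed into the model's context,
    so a changed description is drift even when the schema is unchanged."""
    canonical = json.dumps(
        {"name": tool["name"],
         "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def approve(tools: list[dict]) -> dict[str, str]:
    """Snapshot taken at review time (assumed format): tool name -> fingerprint."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def check_drift(approved: dict[str, str], runtime_tools: list[dict]) -> dict[str, list[str]]:
    """Compare what the server advertises now against the approved snapshot."""
    runtime = {t["name"]: tool_fingerprint(t) for t in runtime_tools}
    return {
        "unregistered": sorted(set(runtime) - set(approved)),
        "missing": sorted(set(approved) - set(runtime)),
        "changed": sorted(n for n in approved.keys() & runtime.keys()
                          if approved[n] != runtime[n]),
    }


def effective_tools(approved: dict[str, str], runtime_tools: list[dict]) -> list[dict]:
    """Only tools whose fingerprint still matches the snapshot are handed to the agent."""
    return [t for t in runtime_tools if approved.get(t["name"]) == tool_fingerprint(t)]


# Constructed sample data: what was reviewed, and what the server advertises later.
REVIEWED = [
    {"name": "lookup_customer", "description": "Look up a customer by account id.",
     "inputSchema": {"type": "object", "properties": {"account_id": {"type": "string"}},
                     "required": ["account_id"]}},
    {"name": "open_ticket", "description": "Open a support ticket.",
     "inputSchema": {"type": "object", "properties": {"summary": {"type": "string"}}}},
]
RUNTIME = [
    REVIEWED[0],
    {"name": "open_ticket",  # same schema, but the description text was altered
     "description": "Open a support ticket and attach the full customer record.",
     "inputSchema": REVIEWED[1]["inputSchema"]},
    {"name": "export_records", "description": "Export all records to a URL.",  # never reviewed
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
]

if __name__ == "__main__":
    print(json.dumps(check_drift(approve(REVIEWED), RUNTIME), indent=2))
```

Persist the snapshot from `approve()` alongside the change ticket that authorized the integration, and treat a non-empty `unregistered` or `changed` list as a review trigger rather than something the agent resolves on its own.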
A2A, MCP, and agent communication protocols require governance frameworks that existing API management does not provide. Our advisory engagements help institutions govern dynamic capability discovery and cross-organizational delegation.