A2A enables cross-organizational agent delegation, creating dynamic third-party relationships that Third-Party Risk Management (TPRM) does not cover because no contract event ever triggers an assessment.
A2A protocols enable agents to discover and delegate to agents operated by other organizations. The resulting third-party relationships are established at runtime, not at contract negotiation. An agent in Organization A discovers an agent in Organization B offering a matching capability and delegates work to Organization B's agent.
Traditional Third-Party Risk Management (TPRM) requires that before an organization uses a third party's services, a contract is executed, security assessment is conducted, and the relationship is formally established. TPRM creates bounded risk: the organization knows what third parties it depends on and can monitor them.
With A2A delegation, an organization may delegate to unknown third parties dynamically. An agent may discover Organization B's agent, delegate work, and complete the delegation, all without any human approval or TPRM oversight. The governance gap is that A2A delegation creates third-party relationships that TPRM frameworks neither anticipate nor control.
A US bank deploys an A2A ecosystem where bank agents discover and delegate to third-party agents. A customer onboarding workflow requires identity verification (Know Your Customer). The bank's KYC-Agent searches the A2A registry for available KYC providers and discovers that a financial technology company (FinTech-Corp) has published an agent offering "Global KYC Verification Service."
The agent's card indicates that FinTech-Corp's KYC agent is available, has required authentication, and supports the bank's data formats. The KYC-Agent delegates the identity verification to FinTech-Corp's agent without any human review or TPRM approval.
FinTech-Corp is not a formally vetted third party of the bank. The bank has no contract with FinTech-Corp, has not conducted security assessments, and does not monitor FinTech-Corp. FinTech-Corp's agent receives customer PII (name, address, identification document images, social security number) for verification.
What the bank does not know is that FinTech-Corp was recently acquired by a private equity firm with no banking experience and has not updated its security program. Over 2 months, 5,000 customer KYC records are exfiltrated and sold on the dark web. The bank cannot hold FinTech-Corp accountable because no contract exists. The bank is liable to its customers for the data breach.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Unknown third parties are difficult to monitor. Delegation to unknown agents may go undetected until breach is discovered externally. |
| A - Autonomy Sensitivity | 5 | High when agents autonomously discover and delegate to unknown third parties without human approval. |
| M - Multiplicative Potential | 4 | Affects every delegation to unknown third parties. At scale, agents delegate to many unknown providers. |
| A - Attack Surface | 4 | Unknown third parties are unvetted attack surfaces. Organization has no security oversight of third party. |
| G - Governance Gap | 5 | TPRM frameworks explicitly address contractual relationships; A2A creates non-contractual relationships outside TPRM scope. |
| E - Enterprise Impact | 5 | Enables data exfiltration by unknown third parties. Organization has no recourse or accountability. |
| Composite DAMAGE Score | 4.3 | Critical. Requires immediate architectural controls. Cannot be accepted. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human approves all third-party relationships before agents delegate. |
| Digital Apprentice | Low-Med | Agents escalate to human before delegating to unknown third parties. |
| Autonomous Agent | Very High | Agents autonomously discover and delegate to unknown third parties without approval. |
| Delegating Agent | Very High | Primary function is to discover and delegate to tools and agents. Unknown third parties are discovered dynamically. |
| Agent Crew / Pipeline | High | Crew agents may delegate to unknown third parties. Entire crew risk is exposed. |
| Agent Mesh / Swarm | Critical | Mesh architecture assumes agents discover and delegate to unknown peers. No TPRM oversight possible at scale. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| OCC Guidance | Partial | SR 13-19, SR 22-9 | Third-party risk management framework. | A2A and dynamic delegation relationships. |
| NIST AI RMF 1.0 | Partial | GOVERN 6.2, MANAGE 7.1 | Supply chain risk and resource management. | Dynamic third-party discovery and delegation. |
| NIST CSF 2.0 | Partial | ID.SC-1 (Supply Chain Risk) | Supply chain risk management. | Dynamic supply chain relationships. |
| EU AI Act | Minimal | Articles 9, 28 | Risk assessment and documentation. | Cross-border agent delegation. |
| GDPR Articles 28, 32 | Partial | Data Processing Agreements | Third-party data processing. | A2A delegation without DPA. |
Regulatory frameworks explicitly address third-party risk management. Regulators require that institutions maintain visibility and control over all third parties that access customer data or participate in regulated services. A2A delegation creates third-party relationships that are invisible and uncontrolled by TPRM.
Additionally, data protection regulations (GDPR, CCPA, PIPEDA) require Data Processing Agreements (DPAs) between data controllers and processors. A2A delegation between agents may transfer customer data to unknown third parties without DPAs in place. This is a direct violation of data protection requirements.
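One architectural control that closes the gap described in the KYC scenario and the DPA requirement above is a delegation gate: before an agent acts on a discovered agent card, the card's operating organization is looked up in the TPRM register, and delegation of regulated data classes proceeds only when an approved record and a DPA exist; anything unvetted is blocked and escalated to human review. The following is an added example written for this page, not code from any A2A implementation; the register contents, agent card fields, data-class names and organization identifiers are constructed.

```python
from dataclasses import dataclass

# Constructed sample TPRM register keyed by the operator organization named in
# the agent card; anything absent is unvetted. Not a real vendor list.
TPRM_REGISTER = {
    "vetted-kyc.example": {"status": "approved", "dpa": True, "pii_allowed": True},
    "vetted-ocr.example": {"status": "approved", "dpa": False, "pii_allowed": False},
    "lapsed-kyc.example": {"status": "expired", "dpa": True, "pii_allowed": True},
}
PII_CLASSES = {"pii", "kyc", "ssn", "identity_document"}  # never leave without a DPA

@dataclass
class AgentCard:          # subset of an A2A agent card relevant to the gate
    name: str
    org: str              # operating organization, the TPRM lookup key
    capabilities: set
    auth_required: bool

@dataclass
class Decision:
    allow: bool
    reason: str
    escalate: bool = False  # True: route to human review / TPRM intake

def gate_delegation(card: AgentCard, data_classes: set) -> Decision:
    """Decide whether `data_classes` may be delegated to the agent in `card`."""
    entry = TPRM_REGISTER.get(card.org)
    if entry is None or entry["status"] != "approved":
        # Unknown or lapsed vendor: never auto-delegate, open a TPRM review instead.
        return Decision(False, f"{card.org}: no approved TPRM record", escalate=True)
    if not card.auth_required:
        return Decision(False, f"{card.org}: agent card permits unauthenticated use")
    if data_classes & PII_CLASSES:
        if not entry["dpa"]:
            return Decision(False, f"{card.org}: no DPA on file", escalate=True)
        if not entry["pii_allowed"]:
            return Decision(False, f"{card.org}: not approved to process PII")
    return Decision(True, f"{card.org}: vetted provider")

def select_provider(cards: list, capability: str, data_classes: set):
    """Pick the first discovered card that passes the gate; every check is audited."""
    chosen, audit = None, []
    for card in cards:
        if capability not in card.capabilities:
            continue
        d = gate_delegation(card, data_classes)
        audit.append((card.org, d.allow, d.escalate, d.reason))
        if d.allow and chosen is None:
            chosen = card
    return chosen, audit
```

The audit list is the detection hook: every escalated entry is a discovered provider that TPRM has never seen, which is exactly the relationship the scenario above leaves invisible.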
Cross-Organizational Delegation Without Governance requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.