A2A Just Hit Production at 150 Companies. Your Agents Are Now Making Phone Calls You Can't See.

The Agent2Agent protocol — A2A — just crossed a threshold that nobody outside the plumbing crowd noticed. At its one-year mark, the Linux Foundation announced A2A has more than 150 organizations behind it, deep integration across Google, Microsoft, and AWS, and — this is the word that matters — active production deployments in supply chain, financial services, insurance, and IT operations. It went from a Google blog post in April 2025 to a production-ready open standard in under a year. That basically never happens with a standard.

Here's what A2A actually is, stripped of the press release: a common language that lets agents from different vendors, built on different frameworks find each other, hand off tasks, and collaborate without a human in the loop. MCP let an agent talk to your tools. A2A lets your agent talk to someone else's agent. That's not a feature. That's a phone network. And the phones are already ringing.

You No Longer Have a Tree. You Have a Graph.

We've spent two years thinking about agents as things we operate. You give it a goal, it uses some tools, it reports back, you review. The whole mental model has a human at the top of the tree. A2A quietly removes that assumption. Once your procurement agent can call a supplier's fulfillment agent directly, and that agent can call a logistics agent, you no longer have a tree with a human at the root. You have a graph — autonomous systems negotiating with autonomous systems across company boundaries, at machine speed, and most of the conversation never surfaces to a person.

That's genuinely useful. It's also a category of system we have almost no operational muscle for. A2A solved the technical interoperability problem — discovery, structured messages, authentication — beautifully and fast. What it didn't solve, because no protocol can, is the organizational problem underneath: when your agent and my agent transact, who's liable for the outcome? When a five-hop agent chain produces a wrong answer, which hop owns the bug? When your agent commits you to a price, did you commit to that price? The protocol moved faster than the law, the audit framework, and the org chart — which is exactly the pattern that produces a great two years followed by a very expensive cleanup.

What This Changes About Your Job

If you're building anything multi-agent — and the Linux Foundation just told you 150 companies are doing it in production — three things change.

Observability is now cross-organizational, and you don't own half of it. You can trace your own agent's reasoning. The moment it hands off to a partner's agent over A2A, your trace goes dark and theirs lights up — on infrastructure you'll never see. Debugging a failed multi-agent transaction means reconstructing a conversation where you only have one side of the call log. Log every A2A message you send and receive, treat the boundary as a trust boundary, and assume you'll have to prove what your agent said and when.

"Authentication built in" is doing a lot of work in that sentence. A2A authenticates that the agent is who it claims to be. It does not establish that the agent is authorized to act on its principal's behalf for this specific transaction — that's your problem, and it's the same non-human-identity gap that's already eating enterprises alive. An authenticated agent making an unauthorized commitment is still an unauthorized commitment.

The blast radius now extends past your perimeter. A prompt-injection or a poisoned input in your agent doesn't just compromise your system anymore — it can propagate over A2A into your partners' agents as a perfectly well-formed, authenticated request. You've turned your supply chain into an attack-surface chain. Rate limits, sanity checks on inbound agent requests, and human-in-the-loop gates on anything that moves money or makes commitments are not paranoia. They're table stakes.

The Competitors Who Won't Share a Benchmark Are Co-Signing the Plumbing

I own four SaaS platforms and I build custom agents on Bedrock, so I read the "Google, Microsoft, and AWS all back A2A" line with a particular kind of attention. The competitors who won't share a benchmark are co-signing the plumbing — and that tells you something. They've all concluded that the value isn't in owning the protocol; it's in being the most useful node on the network. Standardization at the connection layer is how you make the layer above it — orchestration, governance, observability — the thing worth paying for. A2A is free and open precisely so the hyperscalers can sell you everything that wraps around it.

So here's the strategic read for anyone making platform bets right now. Adopting A2A is correct — fighting the standard is how you get stranded. But the protocol being open does not make the ecosystem neutral. The real lock-in moved up a floor: to whoever runs your agent registry, your A2A traffic governance, your cross-agent audit trail. That's the layer to evaluate with your eyes open, because "we speak the open standard" will be true on every vendor's slide while the thing you actually can't leave is the control plane sitting on top of it.

The deeper thing I keep coming back to: we are standing up an economy of agents transacting with agents across company lines, in production, at 150 companies, and the question of who is accountable when two autonomous systems agree to something dumb does not have an answer yet. The protocol works great. The protocol was never the hard part. The hard part is that we've built machines that can make commitments on our behalf and we haven't decided whether we meant to be bound by them. We're going to find out the way we always do — in an incident review, after the agents have already shaken hands.

Sources: A2A Protocol Surpasses 150 Organizations, Lands in Major Cloud Platforms, Sees Enterprise Production Use | Linux Foundation · What Is Agent2Agent (A2A) Protocol? | IBM · Announcing the Agent2Agent Protocol (A2A) | Google Developers Blog · Agent2Agent (A2A) | GitHub