TL;DR
2026 has redrawn the multi-agent map.
Two years ago, getting an agent from vendor A to talk to an agent from vendor B meant writing custom integration code — which is shorthand for spaghetti, lock-in, and the kind of pain that pushes most product managers to cut the feature instead of building it.
This year flipped. Two protocols have become real standards:
- MCP (Model Context Protocol) from Anthropic — for agents talking to tools (APIs, databases, filesystems) — 97M downloads per month, 5,800+ servers, 300+ clients, adopted by OpenAI, Google, Microsoft.
- A2A (Agent2Agent) from Google, donated to the Linux Foundation — for agents talking to agents — 150+ organizations, 22,000+ GitHub stars, in production at Azure AI Foundry and Amazon Bedrock AgentCore.
On the runtime layer, OpenClaw (by Peter Steinberger) became the most-starred GitHub project, surpassing React in 60 days — from 100K stars in January to 250K+ in March.
NVIDIA shipped NemoClaw (enterprise distribution with NeMo Guardrails plus NIM). Cisco launched DefenseClaw (security layer announced at RSAC 2026). And the Linux Foundation formed the Agentic AI Foundation with Anthropic, OpenAI, AWS, Google, Microsoft, Cloudflare, Block, Bloomberg, Intuit, Replit, Samsung, PayPal, Salesforce, and SAP as founding members.
Here's what I want to walk you through — and why you need to understand both protocols before writing your first line of multi-agent code this year.
The Setup: When Agents Couldn't Talk Without Pain
Rewind to 2024. Our team took on a proof-of-concept where one agent collected customer requests, a second agent queried Odoo for the data, and a third wrote the response.
Sounds simple, right?
In practice:
- Agent 1 ran on framework A — its own API
- Agent 2 ran on framework B — different request format
- Agent 3 used vendor C — different auth model entirely
What we ended up writing was glue code between three systems with no shared standard. Every time one of those vendors changed their API, the whole pipeline needed a refactor.
The customer paid a non-trivial monthly bill just to keep the integration alive. We barely shipped real features — most of our hours went to keeping the seams together.
I remember thinking, "If we had HTTP for agents, we'd be miles ahead by now."
In 2026, HTTP for agents arrived.
A2A is the HTTP of the agent era. MCP is the ODBC of the agent era.
They aren't competitors — they're two layers of the same stack.
The Two Protocols Every Architect Needs to Know
MCP (Model Context Protocol) — Agent to Tools
Anthropic released MCP in late 2024 with a single goal: standardize how AI agents reach the outside world:
- Hit APIs
- Query databases
- Read and write filesystems
- Call third-party tools
Before MCP, every vendor had its own tool-calling format. OpenAI did function calling one way, Anthropic another, Google a third. Anyone building a tool that worked across LLMs ended up writing 3-4 layers of adapters.
After MCP — write the MCP server once, and it works with Claude, GPT, Gemini, and pretty much any local model.
The numbers that made MCP undeniable in 2026:
- 97M SDK downloads per month (Python plus TypeScript)
- 5,800+ MCP servers in public registries
- 300+ MCP clients (IDEs, CLI tools, agent frameworks)
- First-class adoption from Anthropic, OpenAI, Google, Microsoft
Use MCP when: an agent needs external resources (APIs, DBs, filesystems, third-party SaaS).
A2A (Agent2Agent) — Agent to Agent
Google released A2A in April 2025. In 2026, Google donated it to the Linux Foundation, making it a vendor-neutral standard.
A2A's goals:
- One agent can discover another with the right capability
- Send a task without knowing the internal implementation
- Receive a response in a standard format
- Authentication and authorization handled systemically
The 2026 numbers:
- 150+ contributing organizations
- 22,000+ GitHub stars
- Production deployments in Azure AI Foundry and Amazon Bedrock AgentCore
- Official SDKs: Python, JavaScript, Java, C#/.NET, Golang
- Donated to the Linux Foundation — governance no longer tied to Google
Use A2A when: multiple agents (possibly from different frameworks, vendors, or teams) need to collaborate.
"MCP + A2A = TCP/IP for the AI Era"
This is where most people get confused — MCP and A2A are not competitors.
Picture a real network stack:
- TCP/IP handles packets, routing, addresses
- HTTP/HTTPS sits on top — handles request/response
In the multi-agent stack:
- MCP lives at the agent ↔ tool layer (fetch data, call functions)
- A2A lives at the agent ↔ agent layer (delegate tasks, coordinate workflows)
A real flow:
- User asks Agent A: "Summarize last month's sales."
- Agent A (Claude) realizes it needs an Odoo specialist — it calls Agent B (a custom GPT-based agent) via A2A
- Agent B receives the task, then uses MCP to query the actual Odoo database
- Agent B returns structured results to Agent A via A2A
- Agent A writes the human-language summary for the user
Every production multi-agent system in 2026 will use both protocols together — not one or the other.
A2A Anatomy — Every Piece on the Table
The Agent Card — An Agent's Business Card
The heart of A2A is the Agent Card — a JSON manifest every agent publishes that says, "Here's who I am, what I do, how to reach me."
High-level structure (I won't dump real JSON, but here's what's inside):
- identity: name, version, description, owner
- capabilities: what the agent can do — written in natural language another agent can parse
- skills: specific functions or workflows (e.g.,
summarize_document, query_inventory)
- endpoints: URLs where other agents send tasks
- security: supported auth methods (API key, OAuth, mTLS)
Self-describing is A2A's key insight — the consuming agent doesn't need to read your docs first. It can parse your Agent Card and reason about which skill to call and how.
Think of an Agent Card as an OpenAPI spec written for an AI to read — not a human.
Communication Flow (5 Steps)
When Agent A wants Agent B to do work, the flow looks like this:
- Parse task intent — Agent A figures out what it needs (e.g., "I need to classify a document")
- Locate target — Search the trusted agent registry for anyone with a
classify_document skill
- Construct payload — Build a JSON payload with task_id (unique), message content, optional context
- HTTP POST — Send to Agent B's endpoint with auth headers
- Process and respond — Agent B processes the task and returns status plus result
The whole flow is HTTP-based — no proprietary transport, no binary protocol. That makes debugging as easy as a regular REST API.
Security Model
This is where A2A breaks from older approaches — agents don't need to expose internal memory, tools, or proprietary logic to each other.
Agent A sends Agent B a task. How B does the work is B's black box. A only sees the result.
A2A's security baseline:
- API keys 32+ characters — random, high-entropy
- X-Agent-Key header — credentials in headers, never in URLs
- HTTPS / TLS 1.3+ — no plain HTTP in production
- Trusted agent list — each agent keeps a whitelist of allowed peers
- Mutual authentication — both sides verify each other's identity
A rule I always enforce: keep the trusted agent list under 10 agents in production.
Why 10? Two reasons:
- Blast radius control — if one agent is compromised, we want the damage bounded
- Audit feasibility — logs from 10 agents talking to each other can actually be audited; 50 agents in a mesh cannot
If 10 feels too small, you're probably over-decomposing. Consolidate agents that do similar work.
OpenClaw — The Phenomenon That Passed React
Why It Grew This Fast
OpenClaw is an open source project from Peter Steinberger with a simple concept: an AI agent that lives with you full-time — self-hosted, persistent, traceable.
Timeline:
- January 2026: passed 100K stars
- March 2026: hit 250K+ stars, surpassing React as the most-starred GitHub project
- All in 60 days — no project has ever moved that fast
Why people piled in:
- Self-hosted — no cloud lock-in, runs on your own infrastructure
- Persistent — the agent is always there, not session-bound
- Structured message passing — every message has a schema, so it's auditable
- Heartbeat architecture — the agent checks its task list at intervals and either acts or waits
- "Claws" — long-running autonomous agents with their own personality and memory
Architecture in Plain Terms
OpenClaw has three main parts:
- Local gateway process — runs in the background on the user's machine
- Messaging integration — connects to Slack, Discord, email, or enterprise chat
- LLM-powered agent — the thing that thinks and responds
What makes enterprises pay attention:
- Every message passes through a controllable gateway
- Structured = JSON logs ready for audit
- Modular = swap LLM backends without rewriting
NemoClaw (NVIDIA) — Enterprise Wrapper
NVIDIA saw OpenClaw and built its own enterprise distribution called NemoClaw.
Same core, plus:
- One-command installation — for enterprise IT that doesn't want to assemble it
- NeMo Guardrails — content and behavior safety layer
- Native NVIDIA model support (NIM) — call NIM models directly
- GPU hardware optimization — full tensor core utilization
- OpenShell isolation — network and filesystem isolation
- Real-time policy approval — every external access requires a policy check
- Full local inference — data never leaves the device
That last point is the killer for PDPA workloads — prompts and responses never leave the customer's server, which is the perfect fit for any workflow involving personal data.
DefenseClaw (Cisco) — Security Layer
Launched at RSAC 2026, Cisco's DefenseClaw is the security layer for agentic AI:
- Scans agent skills — checks declared skills for risk patterns
- Verifies MCP servers — confirms MCP servers come from trusted sources
- Inventories AI assets — builds an asset registry of agents across the org
- Combined with Zero Trust + NVIDIA OpenShell — fits into Cisco's Zero Trust framework
In my view, DefenseClaw + NemoClaw + OpenClaw is the most comprehensive agent security stack on the market right now — built for enterprises that need defense-in-depth at regulatory levels.
ACP — The Sister Protocol You Can't Skip
What ACP Is
ACP (Agent Client Protocol) shipped alongside A2A but with a different scope:
- A2A: agent ↔ agent (autonomous)
- ACP: agent ↔ client (IDE, CLI, chat UI)
ACP builds on JSON-RPC 2.0 for easy developer integration.
What ACP standardizes:
- Prompt transmission — how clients send prompts to agents
- Streaming responses — token streaming, partial results
- Session management — separate sessions, persistent context
- Tool calling — calling tools through the client (e.g., the IDE provides file content)
Why It Matters with OpenClaw
OpenClaw adopted ACP early in 2026. The result:
OpenClaw can call any other agent that implements ACP — including:
- Claude Code
- OpenAI Codex
- Qwen Code
- Gemini CLI
You can run OpenClaw as an orchestrator that picks the best-in-class model for each task — no single-vendor lock-in.
That's the moment when multi-vendor agent collaboration became a commodity, not a research project.
Practical Guide: 5 Phases to Make Two Agents Talk
This is the implementation pattern my team uses. Take it and run.
Phase 1: Gateway Activation
Each OpenClaw instance needs its own Gateway bound to a unique port.
Example:
- Agent 1: port 18789
- Agent 2: port 18790
The Gateway:
- Exposes A2A endpoints (HTTP)
- Handles incoming task requests
- Verifies authentication
- Routes to the right skill
Watch out: in production, never expose ports directly. Front them with a reverse proxy plus WAF.
Phase 2: Agent Card Creation
Write the agent's JSON manifest — tell other agents what you can do.
Checklist for an Agent Card:
- name, version, description (in human language an AI can parse)
- skills array — each with a name and natural-language description
- endpoints — where other agents POST tasks
- auth requirements — credential format
- example payloads — helps other agents calibrate
Pro tip: the best skill descriptions include example input and expected output. Other agents (which are LLMs) make far better decisions when given few-shot examples.
Phase 3: Credential Generation
API keys between agents must be:
- 32+ characters — random, from a secure RNG
- Environment variables — never hardcoded, never in source
- X-Agent-Key header — sent on every request
- Mutual — both sides hold and verify each other's keys
In production, I recommend:
- Use a secret manager (HashiCorp Vault, AWS Secrets Manager, on-prem equivalent)
- Rotate keys quarterly
- Have a kill switch — revoke instantly if a key leaks
Phase 4: Custom Skill / Bridge Implementation
Even though A2A is a standard, native A2A support in some frameworks is still experimental.
So you write a "bridge skill" — a skill that:
- Accepts natural-language user requests (e.g., "Ask the personal-assistant agent to summarize today's email")
- Translates them into structured A2A task payloads
- Sends to the right endpoint
- Receives the response and translates it back to human language
From a developer perspective, a bridge skill is an adapter layer — it stays in place until the framework ships full native support.
Phase 5: Testing and Verification
Before production, the test pattern I use:
- Happy path — trigger an outbound request, verify both sides logged it
- Auth failure — send a request without a key, expect 401
- Timeout — Agent B delays response 30+ seconds — how does Agent A handle it
- Partial response — Agent B returns incomplete data — does A reject or accept partial
- Malformed payload — send JSON with the wrong schema — verify graceful error
Edge case most people forget: idempotency. If A sends the task twice (network retry), does B do the work twice or detect the duplicate and return a cached result?
Real Use Cases
1. Code → Review → Deploy Chain
Common pattern dev teams adopt:
- Agent A (OpenClaw + Sonnet): writes code from spec
- Agent B (Claude Code): reviews code — finds bugs, suggests improvements
- Agent C (Codex): deploys to staging
All three talk via A2A. Each uses MCP to reach git, CI/CD, and monitoring.
Result: developers approve the final step. No tab-switching.
2. Customer Service Multi-Agent
- Agent A (intake): classifies the customer request — what's being asked, how urgent
- Agent B (FAQ): handles FAQ-style questions with answers and sources
- Agent C (escalation): hands off to a human with summarized context
A2A handles coordination. MCP reaches the CRM, knowledge base, and ticket system.
3. Document Processing Pipeline
- Agent A: OCR plus raw text extraction
- Agent B: classifies document type and structures the data
- Agent C: validates against business rules and writes to the DB
Each agent is best-in-class for its domain — instead of one monolithic agent that does everything passably.
Common Pitfalls (From Team Experience)
1. Going Multi-Agent Too Early
This is the #1 mistake I see. Teams read about agents, then immediately reach for multi-agent.
The truth: most workflows are fine with a single ReAct agent. Coordination overhead eats your ROI.
Hold off on multi-agent until:
- A single agent hits a benchmark ceiling you can measure
- The work has clear specialization boundaries
- The orchestration ROI exceeds the complexity cost
2. Loose Agent Cards
If your Agent Card under-describes capabilities, the calling agent makes wrong decisions and picks the wrong skill.
Best practice:
- Skill descriptions need examples
- Specify input/output format clearly
- State edge cases and limitations explicitly
A good skill description isn't short — it's precise.
3. No Trust Boundaries
Opening A2A to any agent that has the API key = unbounded blast radius.
Best practice:
- Explicit
trusted_agents whitelist
- Keep the list ≤ 10 in production
- Review the list every quarter
Don't use the "if you have the key, you're trusted" pattern. That's implicit trust, and it doesn't scale.
4. Synchronous-Only Communication
A2A supports async and push notifications, but most teams build everything sync.
Result: blocking pipelines. Agent A waits for B, which waits for C. Everyone waits.
Use async when:
- The task takes >10 seconds
- Agent A doesn't need the result to do other work
- A webhook or callback URL exists for B to call back
5. Forgetting the Audit Trail
A2A messages must log everything — input, output, timestamp, agent ID, correlation ID.
Especially under PDPA:
- Log retention policy (how long to keep)
- Redact PII in logs
- Access control on the logs themselves
- Correlation ID across the full flow so you can trace across agents
I've seen a customer get audited and have logs missing one hop. Arguing with a regulator about that is rough.
6. Security Through Obscurity
API keys in source = leaked the moment you push (even to a private repo).
What you need:
- Secret manager as the single source of truth
- Quarterly key rotation (minimum)
- Kill switch and revocation procedure
- Alerting if a key is used from an unexpected IP
Don't assume a private repo is safe. Insider risk and accidental exposure happen more often than you'd think.
How to Pick Your Stack — Decision Tree
Do agents need to talk to each other?
├── Yes → A2A
│ ├── Internal only? → A2A + private network + internal registry
│ └── Cross-org? → A2A + Linux Foundation registry + mTLS
└── No → MCP alone is enough
Do agents need to call tools?
├── Yes → MCP every time
│ ├── Claude → built-in MCP support (native)
│ ├── GPT → MCP via OpenAI SDK
│ ├── Gemini → MCP via Google ADK
│ └── Local LLM → MCP via Ollama / vLLM bridge
└── No (rare) → custom protocol (prepare for pain)
Need enterprise security?
├── On-prem inference critical → NemoClaw (NVIDIA)
├── Network/asset visibility → DefenseClaw (Cisco)
└── Both → NemoClaw + DefenseClaw stack
Don't let vendor marketing push you into an "all-in-one platform." Most of those are proprietary wrappers around standard protocols, plus lock-in on top.
If a vendor claims their "proprietary protocol is better than A2A/MCP," ask one question: "If I want to migrate next year, can I?"
The Standards Initiative — Who Sets the Rules
Linux Foundation Agentic AI Foundation
Formed in early 2026 with founding members who are the "who's who" of Silicon Valley plus enterprise tech:
- Anthropic, OpenAI — primary LLM providers
- AWS, Google, Microsoft — cloud providers
- Cloudflare — edge plus security
- Block, Bloomberg — fintech plus data
- Intuit, Replit — productivity plus dev tools
- Samsung — hardware plus consumer
- PayPal, Salesforce, SAP — enterprise plus payments
These 14 founders plus 130+ general contributors = distributed governance with no single veto.
NIST AI Agent Standards Initiative
On February 17, 2026, the US government (through NIST) launched a national AI agent standards initiative.
Three pillars:
- Industry-led standards — coordinating with the Linux Foundation, IEEE
- Open-source protocol development — supporting A2A, MCP, ACP
- Agent security research — research on adversarial agents and prompt injection at scale
Why it matters: this is the moment standards got government backing — credibility for enterprise procurement.
Why It Matters for Asian Businesses
Before 2025 — every vendor was proprietary. Lock-in was deep. Migrations were brutal.
After 2026 — open standards are real:
- Switch backends more easily (Claude → GPT → Gemini)
- PDPA compliance is easier with standardized log formats
- Audits become possible because schemas are clear
- Vendor risk drops — no panic when a vendor sunsets a product
For enterprise procurement, RFPs that require A2A + MCP support as a minimum became standard practice this year.
For the Enersys Team
As a Software House building multi-agent systems for clients, our approach has three principles:
1. Protocol-first design
We design for A2A on cross-agent communication and MCP on tool access from day one — not as a retrofit.
Result: clients aren't locked in to us or to a specific LLM vendor.
2. Audit-first observability
Every agent message that flows through our systems is logged in a structured, replayable format we can trace.
For Odoo automation that touches financial or HR data, the audit trail equals compliance.
3. PDPA at the protocol level
For Thai clients with PDPA obligations, we enforce data sovereignty at the protocol level:
- Agents handling PII run on-prem (NemoClaw style)
- A2A messages crossing trust zones are encrypted and signed
- Log retention policies are enforced via infrastructure
The deployment specifics for each client stay private, but the three patterns above are the default on every project we take.
Wrap-up — We're in the Era of the "Agent Internet"
Thirty years ago, the internet became real because of TCP/IP plus HTTP — standards that let computers talk regardless of vendor.
In 2026, we're walking the same path with agents:
- MCP = ODBC for agents — standardized tool connections
- A2A = HTTP for agents — standardized agent-to-agent communication
- OpenClaw + NemoClaw + DefenseClaw = web browser + web server + firewall for the agent era — the runtime that makes the standards usable
If you're in a business that needs AI in 2026, here's what to ask yourself:
- Does the system we're building have multiple agents?
- If yes, does it use A2A or proprietary?
- The tools agents need to call — are they MCP or custom adapters?
- If we change LLM vendors next year, does the system still work?
Answer those before writing code. Retrofitting protocols later is 5-10x more painful than getting it right from the start.
2026 isn't the year you choose between multi-agent or not. It's the year you choose between multi-agent done right or multi-agent that becomes legacy in 18 months.
If your team wants to talk through multi-agent architecture, the Enersys team is around.
Sources
