NHI, MCP, A2A & AI Agents as Gooey Centers

Originally published on LinkedIn: https://www.linkedin.com/pulse/nhi-mcp-a2a-ai-agents-gooey-centers-jonathan-sander-1nwye/


Google Cloud’s A2A announcement set off many conversations. Some set A2A up in opposition to Anthropic’s MCP - which is silly. Many said this was more evidence for the “death of programming.” I also think that’s silly.

I’d already been thinking about how MCP relates to NHI (Non-Human Identity) and was planning to write something about it. A2A came and made me rethink how NHI is impacted by this growing world of Agentic AI systems. Just like every other part of Agentic AI, A2A has a relationship with NHI.

What’s interesting to me are the subtle differences between the A2A and MCP use of NHI.

But first, let’s get on the same page.

I’m assuming if you’ve clicked on this you’ve already got the Anthropic Model Context Protocol (MCP)[1] well understood and you’ve likely read up on Google Cloud’s A2A (Agent2Agent) Protocol[2]. Within hours of Google’s announcement, I saw the extremely helpful posts by Dharmesh Shah of HubSpot[3] (a happy Astrix customer) and David Mataciunas of AQ22[4] - both using the same graphic showing the relationship between MCP & A2A. I’ll link everything below if you want to read it all.

2 posts on A2A + MCP with the same great diagram

Even after reading a bunch more and playing with the tech, the thoughts from those posts are the ones that stick with me.

Dharmesh makes the point that A2A is a smart evolution to a young, growing field. David says: “MCP connects an AI agent to tools & data and A2A connects an AI agent to other agents” - which makes it clear these are complementary.

Where does this intersect with NHI?

The nature of both MCP and A2A is connection. Agents connecting to resources, and agents connecting to one another. If you’re security minded, every time you hear something is connecting, you hope that the connection is well secured.

Part of that is making sure the connection is authenticated. The very over-hyped notion of “zero trust” really boils down to “every connection should be authenticated every time.” It doesn’t take any more steps to conclude these MCP and A2A connections will be using NHIs. Even where the agents will be acting on behalf of humans, they will still be using resources that are not directly delegated to the human. And many of the agents will be totally autonomous and therefore using only NHI.

Now we come to the subtle difference between how MCP and A2A may use NHIs.

I say “may” here because A2A is so new it’s hard to say how it may be rolled into real world production deployments.

MCP’s relationship with NHIs is pretty clear. The application using the agent will have some sort of authentication to the platform where the AI agent runs. Then the agentic processes will have any number of connections through MCP calls to resources. Each of these will need to use some form of credential to talk to the resources on the other side of those calls, as shown in figure 1.

Figure 1 - The AI Agent at the center of the applications using it and the MCP connected systems it will access using NHIs

For A2A, the types of credentials, how those will be issued and managed, where the audit trails of those authentications will live, and all the other aspects of the identity security are still largely TBD.

However, one thing that already seems clear is that these will be buried more deeply in the architectures of these agentic systems than those used by MCP. MCP is all about the agents reaching out, but A2A is about the agents talking amongst themselves.

Figuring out where those communications between agents represent possible threats, auditing those conversations, and being able to (potentially) limit those comms will be a bigger challenge because they are not at the edges of the system but living in its core.

The fear I have based on this subtle difference is that we are potentially entering a new “gooey center” model.

Many security models used to rely on the “crunchy shell” of a network (i.e. on firewalls, VPNs, etc.) to protect the resources in the “gooey center” which would not have any real protections because they were “out of reach” by anyone but those you already trusted.

If people start building agentic systems with the idea that the agents are all trusted and therefore can talk to one another with minimal protections and oversight, the agents become the new “gooey center.”

My hope is that we keep taking zero trust seriously and approach the A2A communications just as cautiously as the MCP communications. No one would let an LLM call their production database with highly privileged rights and no authentication or controls.

Hopefully they will see one agent calling another agent with full access to that database without the same level of controls is also very dangerous.
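To make "every connection should be authenticated every time" concrete for agent-to-agent calls, here is an added sketch (not from the original post, and not A2A's own mechanism) in which the called agent checks the caller's NHI, the intended audience, expiry and scope on every request, and records each decision in an audit trail. The agent names, keys, scopes and the HMAC token format are all hypothetical, constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: one secret per agent NHI and a per-caller scope policy.
AGENT_KEYS = {"planner-agent": b"planner-demo-key", "report-agent": b"report-demo-key"}
POLICY = {"planner-agent": {"db:read"}, "report-agent": set()}
AUDIT_LOG = []  # one record per authentication decision, allow or deny


def _sign(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def mint_token(issuer, audience, scope, ttl=60, now=None):
    """Caller side: short-lived token bound to one callee and one scope."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "aud": audience, "scope": scope, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(AGENT_KEYS[issuer], body)


def authorize_call(token, self_name, needed_scope, now=None):
    """Callee side: authenticate and authorize the calling agent on every request."""
    now = time.time() if now is None else now
    decision, issuer = "deny:malformed", None
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        issuer = claims["iss"]  # claimed identity, unverified until the MAC checks out
        key = AGENT_KEYS.get(issuer)
        if key is None or not hmac.compare_digest(sig, _sign(key, body.encode())):
            decision = "deny:bad-identity"
        elif claims["aud"] != self_name:
            decision = "deny:wrong-audience"  # token was minted for a different agent
        elif claims["exp"] < now:
            decision = "deny:expired"
        elif claims["scope"] != needed_scope or needed_scope not in POLICY.get(issuer, set()):
            decision = "deny:scope"  # a peer agent still gets least privilege
        else:
            decision = "allow"
    except (ValueError, KeyError, TypeError):
        pass  # anything unparsable stays "deny:malformed"
    AUDIT_LOG.append({"ts": now, "claimed_caller": issuer, "callee": self_name,
                      "scope": needed_scope, "decision": decision})
    return decision == "allow"
```

A production deployment would more likely use asymmetric keys or an identity provider so the callee never holds the caller's secret; the shared-key HMAC here only keeps the sketch self-contained.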

References: