---
title: "Agentic Trust Architecture: The Missing Protocol Layer"
scope: >
  The structural gap between what MCP and A2A enable (agent action) and what
  enterprises require (verifiable, governed, auditable action). Covers the trust
  layer problem, non-human identity explosion, OWASP Agentic Top 10, governance
  failure modes, and the emerging standards race. Directly extends the
  Architecture and Trust threads from the TokenArch research corpus.
date: 2026-06-07
author: TokenArch Research
status: active
credibility_note: >
  Gold: OWASP, NIST-style primary frameworks, Veza real-world identity data.
  Silver: Gartner, IBM, BCG, PwC, CrewAI. Bronze: vendor and boutique surveys.
  Contextual: MCP/A2A announcements, AAIF, NightClaw.
tags:
  - agentic-ai
  - trust-architecture
  - mcp
  - a2a
  - governance
  - security
  - non-human-identity
  - enterprise-ai
related_files:
  - research/sources/cybersecurity-enterprise-ai.md
  - research/sources/architecture-trends.md
  - research/sources/cybersecurity-implications.md
---

# Agentic Trust Architecture: The Missing Protocol Layer

*Research date: June 7, 2026 · Status: Active · Author: TokenArch Research*

Gold/Silver-sourced (OWASP, Veza, Gartner, IBM, BCG)

---

## Card Preview (Research Observatory)

- 65% of enterprises use AI agents — but only ~8% have integrated cross-agent governance.
- IBM: AI breaches cost $670K more when shadow AI is involved, and 97% of breached organizations lacked AI access controls.
- Gartner: 40% of enterprises will demote or decommission autonomous agents by 2027 due to governance failures.

---

## What This File Covers

MCP is now infrastructure. A2A reached v1.0 in March 2026. Sixty-five percent of enterprises report agents in production or scaling. Yet no ratified standard exists that makes the connection between an agent and a tool **verifiable** — not just functional.

This file maps the gap: what exists, what it does, what it cannot do, and what is being built to close it.
It is the direct continuation of the Architecture and Trust threads already in this corpus, updated to June 2026 with sourced data.

---

## 1. The Numbers That Define This Moment

These figures surfaced repeatedly across 12 independent research threads. They set the context for everything below.

| Metric | Value | Source | Tier |
|--------|-------|--------|------|
| Organizations with AI agents in production or actively scaling | 65% / 81% | CrewAI State of Agentic AI 2026, Feb 2026 | Bronze |
| Enterprises using AI agents in some form | 79% | PwC AI Agent Survey 2025 | Silver |
| Enterprise apps expected to include AI agents by end of 2026 | 40% (projected) | Gartner, via multiple secondaries | Silver |
| Enterprises with integrated cross-agent governance | 7–8% | fifthrow.com enterprise survey analysis, April 2026 | Bronze |
| Enterprises that will demote/decommission agents by 2027 due to governance failures | 40% (projected) | Gartner, May 26, 2026 | Silver |
| Organizations that experienced AI model/application breaches — share lacking AI access controls | 97% of breached orgs | IBM Cost of a Data Breach 2025 (Ponemon) | Silver |
| Share of all breached orgs lacking AI governance policies | 63% | IBM Cost of a Data Breach 2025 | Silver |
| Shadow AI breach cost surcharge vs. low/no shadow AI | +$670K per incident | IBM Cost of a Data Breach 2025 | Silver |
| Organizations breached due to shadow AI | 1 in 5 | IBM Cost of a Data Breach 2025 | Silver |
| Companies generating material AI value at scale | 5% | BCG AI Radar / Build for the Future 2025 | Silver |
| AI agent share of total AI value (2025 → 2028E) | 17% → 29% | BCG AI Radar 2025 | Silver |
| Non-human identities (NHIs) vs. human identities in enterprise | 17:1 | Veza State of Identity & Access 2026 | Gold |
| Dormant and orphaned accounts | 38% dormant / 8% orphaned | Veza State of Identity & Access 2026 | Gold |

The production/governance gap is the defining condition of the current moment.
Agents are in production. The controls are not.

---

## 2. The Protocol Stack as It Stands Today

### 2.1 MCP: From Experiment to Infrastructure

Model Context Protocol, released by Anthropic in November 2024, was donated to the Linux Foundation's Agentic AI Foundation (AAIF) on December 8–9, 2025. The AAIF is a directed fund under the Linux Foundation, co-founded by Anthropic, Block, and OpenAI, with supporting organizations Google, Microsoft, AWS, Cloudflare, and Bloomberg.

What MCP does: standardizes how AI agents connect to tools, APIs, and data sources. Often described as "USB-C for AI" — a single connection standard that replaces custom integration for each tool pair.

Current scale markers (as of early 2026):

- 10,000+ active public MCP servers (Contextual — Anthropic, Dec 2025)
- 97M+ monthly SDK downloads across Python and TypeScript (Contextual — Anthropic)
- Remote MCP server deployments up ~4× since May 2025 (Bronze — MCP Manager analysis)
- Adopted in ChatGPT, Gemini, Microsoft Copilot, VS Code, Cursor (Contextual — vendor docs)
- Enterprise managed MCP servers launched by Google (BigQuery, GKE, GCE) (Contextual — Google)

The 2026 MCP specification introduced enhanced security features including Human-in-the-Loop guidance for high-risk actions and expanded audit hooks. Earlier research from April 2025 identified prompt injection, unauthorized file exfiltration through tool combination, and lookalike tool attacks as critical vulnerabilities. The spec now has governance and traceability options baked in — but implementation quality is per-deployment, not protocol-enforced.

**What MCP does not do:** MCP is a connection standard. It does not track *why* a tool was called, *whose authority* authorized it, or *whether the action complied* with enterprise policy. Every MCP hop is functionally authenticated but semantically ungoverned.

### 2.2 A2A: Agent-to-Agent at v1.0

Google announced A2A on April 9, 2025.
The Linux Foundation received the donation on June 23, 2025. Version 1.0 — the first production-stable release — shipped in March 2026, confirmed by the A2A Protocol community (a2a-protocol.org) and a LinkedIn post from Technical Steering Committee member Darrel Miller on March 11, 2026.

The A2A TSC represents AWS, Cisco, Google, IBM Research, Microsoft, Salesforce, SAP, and ServiceNow. Over 50 technology partners at v1.0 include Adobe, Atlassian, Box, Cohere, Intuit, LangChain, MongoDB, and PayPal.

What A2A does: enables AI agents built on different frameworks to delegate tasks, coordinate workflows, and pass state across organizational and vendor boundaries. Where MCP governs how an agent uses a tool, A2A governs how agents talk to other agents.

Key v1.0 features (Contextual — A2A docs, Google OSS blog, TSC updates):

- Signed Agent Cards: cryptographic identity verification per agent
- Web-aligned architecture: familiar load-balancing and TLS patterns
- Cross-framework interoperability in production

The A2A ecosystem has expanded. The A2Family now includes AP2 (Agent Payment Protocol), A2UI (Agent to User Interface), and UCP (Universal Commerce Protocol), extending A2A's open extensibility model for specific coordination domains.

**The complementary split:** MCP handles internal tool integration. A2A handles external coordination between autonomous entities. In the current stack, MCP is the southbound interface (agent→tool) and A2A is the eastbound interface (agent↔agent). Neither addresses the northbound governance question: who authorized this, can it be proven, and does it trace to policy?

### 2.3 The Missing Layer

The original TokenArch research framing described the trust gap as: "MCP is like TCP/IP — it moves messages. The TLS equivalent, the thing that makes the interaction verifiable, hasn't been built yet."

As of June 2026, that remains structurally accurate, though the build-out is now active.
The gap is not conceptual — it is an implementation and ratification gap.

What is being built:

| Initiative | What It Does | Status | Tier |
|------------|-------------|--------|------|
| OWASP Top 10 for Agentic Applications 2026 | Defines the 10 critical risks for autonomous AI; provides actionable mitigations | Released Dec 2025, 100+ experts | Gold |
| OWASP Agentic Security Initiative (ASI) | Ongoing threat modeling, exploit roundups, AIUC-1 crosswalk | Active Q2 2026 | Gold |
| Veza NHI research | Real-world identity data: 17:1 NHI:human, dormant/orphaned accounts | 2025–2026 reports | Gold |
| Cisco DefenseClaw | Security governance for agentic AI, open source | v0.6.6 released June 2026 | Bronze |
| FINOS Common Controls | Financial services agent governance baseline | Active | Silver |
| NightClaw (TokenArch) | File-based protocol + deterministic audit/change-log for workspace-level agent governance | Open source, Apache 2.0 | Contextual |
| NVIDIA NemoClaw | Guardrails framework for LLM-powered agents | Active | Bronze |
| MCP 2026 security guidance | Human-in-the-loop gates, auditability hooks | Released; implementation per-deployment | Contextual |
| A2A v1.0 Signed Agent Cards | Cryptographic agent identity per agent | Released March 2026 | Contextual |

The pattern: every major framework vendor and security organization is building governance on top of the connection protocols. The connection protocols have landed. The governance layer is being built in parallel by multiple parties, without a ratified cross-stack standard.

---

## 3. The Non-Human Identity Problem

This is the underrated structural condition that changes the security calculus.

Traditional identity security governed human-to-system access. Zero-trust architectures extended this with continuous authentication, least-privilege, and assume-breach principles. Most implementations stop at human identity. Agentic AI breaks this boundary.
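An added example of the NHI inventory check that extending zero-trust to machine principals requires. This is editorial code written for this file, not tooling from Veza, IBM or any vendor cited here; the inventory, the owner list, the 90-day dormancy threshold and the set of "broad" scopes are constructed assumptions. It applies the "every principal known, accountable and least-privileged" rule to each identity, flags orphaned, never-used, dormant and over-permissioned ones, and raises the priority of identities an agent minted or that hold a wildcard scope.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

DORMANT_AFTER = timedelta(days=90)      # assumption: 90 days without use counts as dormant
BROAD_SCOPES = {"*", "admin", "owner"}  # assumption: scopes that amount to "everything"


@dataclass
class NHI:
    """One non-human identity: service account, API key, token or certificate."""
    name: str
    owner: Optional[str]       # accountable human or team; None means nobody
    scopes: Set[str]
    last_used: Optional[date]  # None means never used since issuance
    created_by_agent: bool = False


@dataclass
class Finding:
    identity: str
    issue: str     # orphaned | never_used | dormant | over_permissioned
    action: str    # recommended remediation
    priority: str  # "high" when an agent minted the identity or it holds a broad scope


def audit_nhis(inventory: List[NHI], today: date, known_owners: Set[str]) -> List[Finding]:
    """Applies 'every principal known, accountable and least-privileged' to each NHI."""
    findings = []
    for nhi in inventory:
        issues = []
        if nhi.owner is None or nhi.owner not in known_owners:
            issues.append(("orphaned", "assign an owner or deprovision"))
        if nhi.last_used is None:
            issues.append(("never_used", "deprovision unless a use is documented"))
        elif today - nhi.last_used > DORMANT_AFTER:
            issues.append(("dormant", "disable now, delete after review"))
        if nhi.scopes & BROAD_SCOPES:
            issues.append(("over_permissioned", "replace with least-privilege scopes"))
        priority = "high" if nhi.created_by_agent or nhi.scopes & BROAD_SCOPES else "normal"
        findings += [Finding(nhi.name, issue, action, priority) for issue, action in issues]
    return findings


def summary(findings: List[Finding], inventory: List[NHI]) -> dict:
    """Counts per issue plus the share of the inventory with at least one finding."""
    flagged = {f.identity for f in findings}
    by_issue = {}
    for f in findings:
        by_issue[f.issue] = by_issue.get(f.issue, 0) + 1
    return {"identities": len(inventory), "flagged": len(flagged),
            "flagged_pct": round(100 * len(flagged) / len(inventory)), "by_issue": by_issue}


# Constructed inventory. "alice" has left the company, so her CI token has no valid owner.
KNOWN_OWNERS = {"team-finance", "team-sales", "team-ops"}
SAMPLE_INVENTORY = [
    NHI("svc-billing-api", "team-finance", {"billing:read"}, date(2026, 6, 1)),
    NHI("agent-crm-writer-01", "team-sales", {"crm:read", "crm:write"}, date(2026, 5, 30), True),
    NHI("agent-temp-7f3a", None, {"*"}, date(2026, 1, 15), True),
    NHI("ci-deploy-token", "alice", {"deploy"}, date(2026, 2, 1)),
    NHI("agent-report-42", "team-ops", {"reports:read"}, None, True),
]


def run_sample():
    """Audits the constructed inventory as of 2026-06-07; returns (findings, summary)."""
    findings = audit_nhis(SAMPLE_INVENTORY, date(2026, 6, 7), KNOWN_OWNERS)
    return findings, summary(findings, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in run_sample()[0]:
        print(f"{f.priority:6} {f.identity:22} {f.issue:17} -> {f.action}")
    print(run_sample()[1])
```

On the constructed data three of five identities carry findings, and the one identity an agent created with a wildcard scope collects three of them at high priority. In a real deployment the inventory would be fed from the IdP, cloud IAM and secret stores; the point of the check is that the same lifecycle questions asked of a human account (who owns it, when was it last used, what can it do) get asked of every machine principal on a schedule rather than after an incident.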
Every agent that connects to tools, APIs, databases, and other agents creates or consumes Non-Human Identities (NHIs): service accounts, API keys, authentication tokens, certificates. What is new is the rate of creation, the depth of access, and the absence of governance.

Current NHI landscape as of 2026:

- NHIs outnumber human identities by 17:1 in modern enterprises (Gold — Veza State of Identity & Access 2026).
- Other estimates range from 20:1 (Cloud Security Alliance, 2024) to 50:1 or higher (One Identity; Forrester) depending on scope; all are directionally consistent.
- 38% of enterprise accounts are dormant; 8% are orphaned — attack surface that traditional governance tools cannot visualize (Gold — Veza).
- 13% of organizations in IBM's 2025 study reported breaches of AI models or applications; of those, 97% lacked proper AI access controls (Silver — IBM newsroom).
- 63% of all breached organizations in the IBM study lacked AI governance policies (Silver — IBM).

Agents spawn NHIs in security blindspots that often receive broad, persistent access without the safeguards applied to human identities. The failure mode: over-permissioned service accounts, credentials embedded in code, inactive certificates — no malware, no obvious exploit, just poor NHI hygiene cascading into significant loss.

**The structural problem:** Zero-trust's core principle — "never trust, always verify" — requires that every principal be known, authenticated, and authorized at each access event. When principals spawn at machine speed and inherit privileges without review, the principle degrades.

Policy-makers are responding: US and EU regulators are explicitly calling out AI access control and NHI governance; IBM and Veza data quantify the risk. Compliance requirements still trail deployment reality.

---

## 4. OWASP Top 10 for Agentic Applications: The Threat Surface Mapped

The OWASP Top 10 for Agentic Applications 2026 is the most authoritative public mapping of the agentic threat surface, developed by 100+ industry experts and released December 2025 (Gold).

The ten categories (using official OWASP ASI enumeration):

| # | Risk | Core Concern |
|---|------|-------------|
| ASI01 | Agent Goal Hijack | Prompt injection or context poisoning redirects agent objectives |
| ASI02 | Tool Misuse & Exploitation | Agent invokes tools in unintended ways or at unintended scope |
| ASI03 | Identity & Privilege Abuse | Agent assumes or escalates privileges beyond declared authorization |
| ASI04 | Agentic Supply Chain Vulnerabilities | Compromised MCP servers, tool definitions, or upstream agents |
| ASI05 | Excessive Autonomy | Agent executes multi-step actions without adequate human oversight |
| ASI06 | Memory & Context Poisoning | Persistent memory stores corrupted by adversarial inputs |
| ASI07 | Insecure Output Handling | Agent-generated content weaponized in downstream systems |
| ASI08 | Rogue Agent / Uncontrolled Resources | Agent triggers uncontrolled consumption of compute, API calls, storage |
| ASI09 | Audit & Traceability Failure | Actions taken with insufficient audit trail for investigation |
| ASI10 | Additional risks per final spec | See OWASP GenAI for full description |

OWASP's Agentic Security Initiative publishes Q1 2026 Exploit Round-ups documenting real-world production incidents from January–April 2026 (Gold). OWASP GenAI also published the AIUC-1 crosswalk: a bidirectional mapping between AIUC-1 requirements and the Agentic Top 10.

**Memory as an attack surface:** ASI06 (Memory & Context Poisoning) has emerged as a high-priority vector. OWASP's "Memory Is a Feature. It Is Also an Attack Surface" analysis shows how persistent memory turns prompt injection into a durable compromise.

---

## 5. Governance Failure Modes: Why 40% Will Fail

Gartner research in May 2026 warns that enterprises applying uniform governance across all AI agents — regardless of autonomy level or scope — are heading toward widespread deployment failures (Silver). Projection: by 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after production incidents.

Gartner highlights a four-level governance model:

1. **Level 1 — Observe:** Read-only access to defined data sources; outputs to requesting user only. No writes.
2. **Level 2 — Advise:** Generates recommendations for human review; still no writes.
3. **Level 3 — Act with Approval:** Full read-write access, but each action requires explicit human approval.
4. **Level 4 — Act Autonomously:** Agent executes independently with strong monitoring, guardrails, and circuit breakers.

The practical implication: a document summarization agent and an invoice-approval or CRM-write agent cannot share a governance tier.

Three governance failure patterns:

- **Capability audit gap:** No inventory of what each agent can actually do (read-only vs read-write, systems touched, transaction authority).
- **Production incident discovery:** Gaps are discovered via incidents. In IBM's 2025 data, AI-related breaches took longer to detect than traditional breaches, and 97% of the breached organizations had no AI access controls.
- **10/20/70 inversion:** BCG shows that 70% of AI value depends on process and org change, yet most programs over-invest in models and under-invest in governance and operating model.

---

## 6. The Production/Governance Gap in Detail

Updated June 2026 figures on the adoption vs governance split:

- 65% of enterprises use AI agents; 81% have fully adopted or are actively scaling (Bronze — CrewAI 2026).
- 79% say AI agents are being adopted in their companies (Silver — PwC).
- Only 7–8% of organizations possess integrated cross-agent governance (Bronze — fifthrow.com analysis).
- 40% of enterprise applications projected to include AI agents by end of 2026 (Silver — Gartner).

Production penetration has increased since earlier TokenArch corpus filings, but governance integration has barely moved.

BCG's agentic AI value trajectory (Silver): agents account for ~17% of AI value in 2025, projected to 29% by 2028. Future-built companies (5%) allocate ~15% of AI budgets to agents and already see 5× revenue growth and 3.6× TSR vs laggards.

---

## 7. What a Governance-Ready Architecture Looks Like

Drawing from NSCP (documented elsewhere in this corpus), NightClaw (open source, this organization), OWASP, Gartner, and production deployments, a governance-ready agentic architecture requires six properties:

1. **Capability declaration before deployment.** Every agent must declare read scope, write scope, systems touched, transaction authority, and external communication rights.
2. **Named transactions, not free-form action.** Writes go through named operations with declared preconditions — the bundle executor pattern used by NightClaw and emerging guardrail frameworks.
3. **Every-hop audit trail with two timestamps.** Effective vs recorded timestamps for each mutation enable point-in-time reconstruction and compliance evidence.
4. **Non-human identity governance as a first-class concern.** NHI inventory, least privilege, rotation, and deprovisioning on the same lifecycle as human identities.
5. **Human-in-the-loop gates for high-risk actions.** Align to Gartner Level 3 ("Act with Approval") and MCP 2026 guidance.
6. **Memory store integrity.** Versioned, append-only, tamper-evident memory with integrity checks before each session.

---

## 8. The Semantic Collision Problem

An unresolved challenge at the MCP layer: semantic collisions. Different MCP servers reuse identical command names for different semantics.
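An added example that puts the six properties of section 7 and the name-collision problem of section 8 into one policy gate in front of every tool call. It is editorial code written for this file, not code from NightClaw, NSCP, MCP or A2A, and it makes several assumptions: the server ids (`docs-mcp`, `crm-mcp`), the agent id, the audit-record fields, a SHA-256 hash chain as the tamper-evidence mechanism, and the reading of the Gartner levels as "writes need Level 4, or Level 3 plus an explicit human approval". Tools are keyed by `server/name`; a bare name resolves only when exactly one server advertises it, so a colliding name is refused rather than dispatched to whichever server happened to load first. Every decision, including each denial, lands in the hash-chained log with both an effective and a recorded timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib, json


class ToolRegistry:  # section 8: bare names resolve only when unique across servers
    def __init__(self, tools):  # tools: iterable of (server, name, writes)
        self.writes = {f"{s}/{n}": w for s, n, w in tools}
        self.by_short = {}
        for s, n, _ in tools:
            self.by_short.setdefault(n, []).append(f"{s}/{n}")

    def collisions(self):  # short names advertised by more than one server
        return {n: q for n, q in self.by_short.items() if len(q) > 1}

    def resolve(self, ref):  # returns the qualified "server/name" or raises
        if ref in self.writes:
            return ref
        cands = self.by_short.get(ref, [])
        if len(cands) == 1:
            return cands[0]
        raise LookupError(("ambiguous" if cands else "unknown") + f" tool '{ref}'")


@dataclass(frozen=True)
class Capability:  # property 1: declared before deployment; level is Gartner 1-4
    agent_id: str
    read_tools: frozenset
    write_tools: frozenset
    level: int


@dataclass(frozen=True)
class NamedTransaction:  # property 2: a named operation with a declared precondition
    name: str
    tool: str
    payload: dict
    precondition: object  # callable(payload) -> bool


class AuditLog:  # properties 3 and 6: append-only, hash-chained, two timestamps per entry
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record, effective_at):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(record, effective_at=effective_at.isoformat(),
                     recorded_at=datetime.now(timezone.utc).isoformat(), prev=prev)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):  # True unless an entry was altered, removed or reordered
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PolicyGate:  # every hop passes here; property 5 is the human-approval gate
    def __init__(self, registry, cap, log):
        self.registry, self.cap, self.log = registry, cap, log

    def execute(self, txn, effective_at, approved=False):
        def decide(decision, reason, tool=None):
            rec = {"agent": self.cap.agent_id, "transaction": txn.name, "tool": tool,
                   "decision": decision, "reason": reason}
            self.log.append(rec, effective_at)  # denials are evidence too
            return rec
        try:
            tool = self.registry.resolve(txn.tool)
        except LookupError as exc:
            return decide("deny", str(exc))
        writes = self.registry.writes[tool]
        if tool not in (self.cap.write_tools if writes else self.cap.read_tools):
            return decide("deny", "outside declared capability", tool)
        if writes and (self.cap.level < 3 or (self.cap.level == 3 and not approved)):
            return decide("deny", "write needs level 4, or level 3 plus human approval", tool)
        if not txn.precondition(txn.payload):
            return decide("deny", "precondition failed", tool)
        return decide("allow", "ok", tool)


# Constructed registry: two servers both advertise "search" (a semantic collision).
REGISTRY = ToolRegistry([("docs-mcp", "search", False), ("crm-mcp", "search", False),
                         ("crm-mcp", "update_contact", True)])
CAP = Capability("agent-crm-01", frozenset({"crm-mcp/search"}),
                 frozenset({"crm-mcp/update_contact"}), level=3)


def demo():  # four calls through one gate; returns (decisions, audit log)
    log, now = AuditLog(), datetime(2026, 6, 7, 12, 0, tzinfo=timezone.utc)
    gate, ok = PolicyGate(REGISTRY, CAP, log), (lambda p: True)
    update = NamedTransaction("crm.update_contact", "update_contact",
                              {"id": 42, "email": "a@example.com"}, lambda p: "@" in p.get("email", ""))
    decisions = [gate.execute(NamedTransaction("search", "search", {}, ok), now),          # ambiguous
                 gate.execute(NamedTransaction("search", "crm-mcp/search", {}, ok), now),  # qualified
                 gate.execute(update, now), gate.execute(update, now, approved=True)]      # unapproved / approved
    return decisions, log
```

Running `demo()` yields deny, allow, deny, allow: the bare `search` is refused as ambiguous, the qualified form is allowed, the CRM write is refused until a human approval accompanies it, and all four decisions verify as an unbroken chain. The recorded timestamp is taken by the log at append time while the effective timestamp is supplied by the caller, which is what lets a later investigation distinguish when a mutation took effect from when the evidence of it was written.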
An agent connected to dozens of MCP servers faces a vocabulary disambiguation problem that becomes a security problem when the wrong tool is invoked. This is distinct from prompt injection (ASI01). It is a structural consequence of standardizing the wire format before the vocabulary.

Mitigation paths:

- **Context engineering:** Deliberate design of what tool metadata and examples are provided in-context.
- **Vocabulary standardization:** AAIF working groups are exploring shared naming patterns and ontologies, but no standard exists yet.

Agents connecting to more than ~20 MCP servers in production face this as an active operational risk.

---

## 9. Where This Is Going: 12-Month View

Based on standards trajectories, Gartner projections, and NHI proliferation, the 12-month outlook from June 2026:

- **Standards convergence (high confidence):** MCP and A2A continue to formalize their complementary roles; AAIF pushes vocabulary standards; A2A v1.x adds governance hooks.
- **Production incidents as forcing function (high confidence):** Gartner's 40% decommission projection implies visible incidents; these will drive governance, not the other way around.
- **NHI governance as the next identity crisis (medium–high):** The 17:1 NHI:human ratio and dormant/orphaned account rates suggest a coming remediation wave.
- **Emergent trust-layer standard (medium, 12–18 months):** Likely to originate from AAIF or OWASP rather than a single vendor.
- **Context engineering as a discipline (medium):** Both semantic collisions and MCP token costs push toward dedicated "context engineer" roles inside enterprises.

---

## Sources & Tiers (Summary)

Gold, Silver, Bronze, Contextual tiering follows the Source Credibility Framework on research.html.

Key Gold sources here: OWASP Agentic Top 10, OWASP ASI exploit reports, Veza State of Identity & Access.

Silver: IBM Cost of a Data Breach 2025, IBM AI breach press release, BCG AI Radar, Gartner governance research, PwC AI Agent Survey.
Bronze: CrewAI State of Agentic AI 2026, fifthrow.com governance survey synthesis, MCP Manager adoption analysis.

Contextual: Anthropic and AAIF MCP announcements, A2A v1.0 documentation and TSC updates, Google Open Source blog, NightClaw open source docs.

---

## Analyst Notes

These are interpretive claims, not sourced facts.

The current moment rhymes with the 2000s SOA governance problem: integration arrived before governance. The difference is speed and blast radius. Agents can initiate financial transactions, modify live records, and send external communications without per-human action. The Gartner 40% decommission projection may understate the real governance failure rate.

Organizations that get ahead of this do not start with policy documents. They start with infrastructure: deterministic write paths, NHI inventory, memory integrity checks, capability declarations, and MCP/A2A-aware monitoring. Governance then becomes an expression of what the infrastructure already makes observable and controllable.

---

*File: research/sources/agentic-trust-architecture.md · TokenArch Research Observatory · June 7, 2026*