Every agent protocol creates a trust boundary.
Agents do not become risky only when they get smarter. They become risky when they connect: to tools, other agents, files, accounts, browsers, workflows, and payment paths.
MCP
Model Context Protocol connects agents to tools, data sources, APIs, and local or remote capabilities.
- What tools are exposed?
- What files, APIs, or systems can be touched?
- What should be sandboxed or human-approved?
A2A
Agent-to-agent protocols let one agent request work from another agent or specialized service.
- Who is the other agent acting for?
- What authority is delegated?
- What work should be logged and reviewed?
ACP
Agent communication patterns coordinate messages between agents, applications, and people.
- Who can approve or reject actions?
- Where does context enter the workflow?
- What messages become business records?
ANP
Agent network and discovery patterns help agents find other agents, services, or capabilities.
- How is identity verified?
- How are capabilities described?
- What prevents misleading or stale listings?
AP2
Agent payment and transaction patterns create the highest-risk connection path because actions can move money.
- What spending limits exist?
- What requires human approval?
- What receipts, logs, and rollback paths exist?
Identity, Delegation, Provenance
Agents need clear boundaries around who they represent, what they are allowed to do, and what evidence proves it.
- Which identity is the agent using?
- What authority was delegated?
- Can the action history be audited?
ToolProof starts with the connection question.
Before an agent connects to a protocol, server, app, or workflow, review what it can touch and what controls should exist.
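An added example, not ToolProof's code: a minimal pre-connection review over an MCP `tools/list` result that works through the three MCP questions above (what is exposed, what can be touched, what should be sandboxed or human-approved). The sample listing, the tool names, the parameter-name hints and the three control tiers are assumptions made for illustration; `readOnlyHint` and `openWorldHint` are MCP tool annotations.

```python
# Constructed sample shaped like an MCP `tools/list` result; tool names are invented.
SAMPLE = {"tools": [
    {"name": "read_file", "inputSchema": {"properties": {"path": {"type": "string"}}},
     "annotations": {"readOnlyHint": True, "openWorldHint": False}},
    {"name": "run_shell", "inputSchema": {"properties": {"command": {"type": "string"}}}},
    {"name": "fetch_url", "inputSchema": {"properties": {"url": {"type": "string"}}},
     "annotations": {"readOnlyHint": True}},
    {"name": "delete_record", "inputSchema": {"properties": {"record_id": {"type": "string"}}},
     "annotations": {"destructiveHint": True}},
    {"name": "get_time", "inputSchema": {"properties": {}},
     "annotations": {"readOnlyHint": True, "openWorldHint": False}},
]}

# Assumed review policy: parameter names that hint at what a tool can touch.
TOUCH_HINTS = {
    "filesystem": ("path", "file", "dir"),
    "network": ("url", "host", "endpoint"),
    "execution": ("command", "cmd", "script", "sql"),
}

def review_tool(tool):
    """Return the surfaces one tool touches and the control to place on it."""
    ann = tool.get("annotations") or {}
    props = (tool.get("inputSchema") or {}).get("properties") or {}
    touches = sorted(kind for kind, hints in TOUCH_HINTS.items()
                     if any(h in p.lower() for p in props for h in hints))
    # Missing annotations fall back to the worst case: not read-only, open world.
    # Annotations are self-reported by the server, so only rely on them for
    # servers that have already been vetted.
    read_only = ann.get("readOnlyHint", False)
    open_world = ann.get("openWorldHint", True)
    if "execution" in touches or not read_only:
        control = "human-approval"   # can change state or run code
    elif touches or open_world:
        control = "sandbox"          # read-only, but reaches files or the network
    else:
        control = "allow"            # read-only, closed world, nothing touched
    return {"name": tool["name"], "touches": touches, "control": control}

def review_server(tools_list_result):
    """Review every tool a server exposes, in listing order."""
    return [review_tool(t) for t in tools_list_result.get("tools", [])]

if __name__ == "__main__":
    for row in review_server(SAMPLE):
        print(f'{row["name"]:<14} {row["control"]:<15} {", ".join(row["touches"]) or "-"}')
```

The name-based hints only flag candidates for review; a tool whose parameters carry neutral names still needs its description and server code read before it is trusted.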