150 organizations signed on. Six percent trust what they signed on for. The gap between those numbers is not a problem to solve — it’s the work itself.
One hundred and fifty organizations support Google’s Agent-to-Agent protocol. Six percent of companies trust AI agents to autonomously manage core business processes.
Those two numbers — from the Linux Foundation’s April 2026 press release and a Harvard Business Review Analytic Services survey of 603 technology leaders — ought to be irreconcilable. They are not. They describe two entirely different organizational decisions, and the canyon between them is where the next phase of the agent economy will be won or lost.
In spring 2025, three competing agent communication standards launched within weeks of each other. Google announced A2A on April 9, backed by AWS, Cisco, Microsoft, Salesforce, SAP, and ServiceNow. IBM Research launched the Agent Communication Protocol (ACP) in March to power its BeeAI platform. Cisco’s Outshift incubator unveiled AGNTCY alongside LangChain and Galileo the same month.
By August 2025 — five months later — all three had consolidated under the Linux Foundation umbrella. IBM folded ACP into A2A, joining the Technical Steering Committee alongside Google, Microsoft, and AWS. Cisco’s AGNTCY merged its infrastructure components. The combined protocol incorporated ACP’s edge-native resilience with A2A’s cloud-oriented design. BeeAI switched to A2A.
Five months. For rough context, HTTP/2 took approximately seven years to consolidate from Google’s SPDY experiment. OAuth 2.0 took about four years to replace its predecessor. USB-C has been trying to displace older connectors for the better part of a decade. Agent protocols managed a three-way consolidation faster than most committees can schedule a meeting cadence.
There are two ways to read this speed. The generous read: the agent ecosystem learned from two decades of standards wars and opted for cooperation over fragmentation. The less generous read: nobody had enough production deployments to create switching costs worth fighting over. When IBM “immediately saw alignment” with A2A, it may have been less about philosophical alignment and more about the practical reality that neither protocol had enough users locked in to make the merger painful.
IBM doesn’t typically surrender standards quickly. The company maintained WebSphere, SOAP, and various proprietary middleware for decades. That IBM folded ACP into A2A in five months may be the most revealing data point in the entire one-year scorecard — not because it shows cooperation, but because it shows the absence of lock-in.
By any conventional standards-adoption metric, A2A’s first year was a success. The protocol went from 50+ supporting organizations at launch to 150+ by its first anniversary. GitHub stars hit 22,000. Production SDKs expanded from Python-only to five languages: Python, JavaScript, Java, Go, and .NET. Azure AI Foundry, Amazon Bedrock AgentCore, and Google’s platforms all shipped integrations. The Linux Foundation claims production use across supply chain, financial services, insurance, and IT operations — though no named end-customer companies appear in the announcement.
An adjacent ecosystem bloomed. The Agent Payments Protocol (AP2) launched with 60+ supporting organizations, extending A2A with cryptographically signed mandates for payment coordination. A2UI emerged for agent-human interaction. Google’s Universal Commerce Protocol explicitly lists A2A as a transport binding alongside MCP. The whole stack got a marketing umbrella: the “A2Family.”
Meanwhile, Anthropic’s Model Context Protocol — which handles internal tool integration where A2A handles external agent coordination — hit 214 million monthly PyPI downloads for its Python package alone. The two protocols are complementary, and together they cover most of the agent communication stack.
The protocol layer is thriving. The question is what the protocol layer is connecting.
In July 2025, Harvard Business Review Analytic Services surveyed 603 business and technology leaders on their trust in AI agents. The results were stark:
The dissonance sits in a number that didn’t make the headlines: 72% of respondents believe AI agent benefits outweigh the risks. The gap between “this is valuable” and “I trust it” is 66 percentage points.
The HBR survey predates A2A v1.0, which shipped in March 2026, so trust levels may have shifted since. But the structural pattern — broad enthusiasm paired with narrow deployment — shows up at every layer of the stack. The Stack Overflow Developer Survey from April 2026 reports that 84% of developers use AI coding tools daily, but only 29% trust AI-generated code in production without review. That’s a 55-point gap between use and trust at the individual developer level, mirroring the organizational gap almost exactly.
Forrester reinforced the economic version of this skepticism in October 2025, projecting that enterprises would defer 25% of planned AI spend into 2027. Only 15% of AI decision-makers reported an EBITDA lift from AI in the prior twelve months. Support for a standard is free. Budget commitment is not.
The trust gap is not a perception problem. McKinsey — the firm that advises Fortune 500 companies on AI agent deployment strategy — ran a red-team exercise against its own internal AI platform, Lilli. An autonomous agent compromised the platform and gained broad system access in under two hours, according to Bessemer Venture Partners’ 2026 cybersecurity analysis.
This is not a startup with a half-baked prototype. This is McKinsey’s internal security team testing McKinsey’s own infrastructure. Under two hours.
The security data compounds. IBM’s 2025 Cost of a Data Breach Report measured the average cost of a shadow AI breach at $4.63 million — a $670,000 premium over standard breaches. Gartner projected that 40% or more of agentic AI projects would be canceled by end of 2027 due to escalating costs, unclear business value, or inadequate risk controls. A Dark Reading poll found that 48% of cybersecurity professionals identify agentic AI as the single most dangerous attack vector.
The protocol problem — “how do agents talk to each other?” — has a clean answer. A2A solved it. The trust problem — “how do I know this agent won’t compromise my systems?” — doesn’t have a protocol-level answer. It requires identity verification, authorization scoping, behavioral monitoring, and incident response. A protocol is a wire format. Trust is an organizational capability.
A2A launched in April 2025. Signed Agent Cards — the protocol’s mechanism for cryptographically verifying that an agent is who it claims to be — didn’t ship until A2A v1.0 in March 2026, eleven months later.
For the first eleven months of A2A’s existence, the protocol had no production-grade identity verification. Over a hundred organizations joined before the protocol could cryptographically verify an agent’s identity. Structurally, this is equivalent to launching a web commerce standard and adding HTTPS a year later.
The timing reveals a priority trade-off. The A2A team correctly prioritized adoption — get the wire format right, ship the SDKs, bring organizations on board. Adoption creates gravity. But adoption without trust creates a standard that everyone supports and nobody deploys for anything consequential. Signed Agent Cards were the right technical answer. They just arrived into an ecosystem that had already internalized A2A as a future commitment, not a present deployment.
Cisco’s AGNTCY infrastructure adds another temporal wrinkle. One of its four technical pillars is post-quantum cryptography support for agent messaging — designing for cryptographic threats that won’t materialize for a decade. Meanwhile, current agents can’t survive a two-hour red team. The security roadmap is simultaneously too far ahead and too far behind.
The trust gap echoes most clearly in the payments layer. AP2 launched with 60+ organizations supporting agent payment coordination. It’s a well-designed A2A extension — cryptographically signed mandates, full protocol compatibility, Linux Foundation governance.
Meanwhile, x402 — the Coinbase-backed payment protocol that represents the most advanced attempt at actual agent commerce — processes roughly $28,000 per day in real on-chain volume, according to CoinDesk’s analysis of Artemis-filtered data. That’s after a 92% decline from its December 2025 peak. The gap between ecosystem valuation (approximately $7 billion, driven primarily by associated token prices) and real daily commerce ($28,000) runs roughly 700-to-1.
Sixty-plus organizations support AP2. Twenty-eight thousand dollars flows through x402 per day. The pattern mirrors A2A at a more extreme scale: broad organizational endorsement running years ahead of production throughput. And the decay curve is telling — x402 peaked at 731,000 daily transactions in December 2025 before falling to 57,000 by February 2026. Something broke between the announcement cycle and sustained usage, and no post-mortem has been published. OpenAI’s ChatGPT Instant Checkout pilot — the highest-profile attempt at agent commerce — peaked at roughly 12 active Shopify merchants before OpenAI pivoted away from native checkout in March 2026.
The payments layer is where the trust gap becomes impossible to ignore, because payments require trust by definition. You can join a protocol working group without trusting agents. You cannot process agent-initiated payments without it.
The instinct is to ask when trust will catch up to adoption. The more useful question is whether the gap is temporary or structural — and protocol history suggests it’s both.
Trust has always lagged adoption in protocol history. HTTPS existed for years before browsers started flagging unencrypted sites as insecure; OAuth 2.0 was widely deployed before most implementations handled token revocation correctly; container orchestration went mainstream before anyone had production-grade secrets management. The pattern is consistent: the coordination problem gets solved first because it’s technical, and the trust problem gets solved second because it’s organizational. A2A is not exceptional in this regard. What’s exceptional is the scale of the gap and the stakes involved — these agents aren’t serving static pages, they’re executing business logic with real-world consequences.
Protocols solve coordination problems. They answer how — how agents find each other, exchange messages, negotiate capabilities. Trust solves authorization problems. It answers should — should this agent access this database, execute this payment, modify this system.
“How” questions have technical answers. “Should” questions require organizational judgment, legal frameworks, insurance models, audit trails, and incident response plans. A2A can standardize agent communication in a year. No protocol can standardize organizational risk tolerance on any timeline, because risk tolerance isn’t a technical parameter. It depends on industry, regulation, company size, breach history, and whether the CISO just read about McKinsey’s two-hour breach.
The gap will close. But it won’t close because A2A ships more features or because another press release announces another fifty member organizations. It will close when production deployments generate enough incident data, compliance precedent, and institutional knowledge to make the “should” questions answerable. Every organization that moves from “supporting A2A” to “deploying A2A in production” will have to build its own trust stack on top of the protocol layer — agent identity policies, permission boundaries, monitoring dashboards, rollback procedures, and the organizational willingness to accept that agents will sometimes fail. The organizations in the 150 are placing an infrastructure bet. The organizations in the 6% have already done the harder work of answering the trust questions for their specific context.
On April 9, 2026, A2A turned one. By any reasonable measure, it won the standards war before there was a war to fight. Three protocols, one Linux Foundation umbrella, five SDKs, 150 organizations, integration with every major cloud platform.
And six percent of companies trust agents to do real work.
The standard did its job — it gave agents a common language. The next job, building the trust infrastructure that makes organizations willing to let agents use that language for anything that matters, is harder, slower, and cannot be solved with a press release. It is being solved, one Signed Agent Card and one red-team exercise and one compliance audit at a time. It just doesn’t move at protocol speed.
One hundred and fifty organizations signed on. Six percent trust what they signed on for. The gap between those numbers is not a problem to solve. It’s the work itself.
The trust layer starts with provenance
A2A solved how agents talk. What’s missing is verifiable proof of what they do — cryptographic audit trails that make the “should” questions answerable. The essay argues trust closes one audit trail at a time. Chain of Consciousness builds that provenance layer on top of any protocol stack: every agent action gets a signed, timestamped, tamper-evident record.
Try Hosted CoC · pip install chain-of-consciousness · npm install chain-of-consciousness