The Five Structural AI Threats Every Agent-to-Agent Protocol Leaves Unaddressed

Before comparing protocols, let’s be precise about what the threat surface actually looks like. These are not hypothetical attack classes. They emerge directly from how agentic systems are built in 2026.

T1: Unauthenticated Communication Boundaries

When Agent A sends a message to Agent B, what does Agent B actually verify? In virtually every deployed protocol today, the answer is: nothing cryptographic. At best, a bearer token. At worst, a string identifier that any process could forge.

This matters more than it sounds. An agent that receives a forged command from a compromised peer cannot distinguish it from a legitimate instruction. There is no mechanism for “I know exactly who sent this and I can prove it.” Trust is TOFU: trust-on-first-use. Once a session is established, identity claims are taken at face value.

NEXUS addresses this through dual-layer identity: every agent carries a Decentralized Identifier (DID) and a SPIFFE Verifiable Identity Document (SVID). These are cryptographically bound. An agent cannot impersonate another without possessing its private key. The AIM (Agent Identity Manifest) signs the capability declaration. Every CAEL message envelope carries a signature.

T2: Unbounded Delegation Chains

Modern agentic systems delegate. An orchestrator delegates to a researcher. The researcher delegates to a code executor. The code executor delegates to a filesystem agent. At each hop, the question is: what permissions does this sub-agent carry?

Most protocols do not answer this. They have no concept of scope attenuation at the delegation boundary. A sub-agent can, in principle, carry the same permissions as the root — or more. If an orchestrator has access to email, database, and file system, its delegates inherit those capabilities by default unless someone manually scoped them down.

NEXUS enforces scope monotonicity at the protocol level. The Verifiable Capability Credential (VCC) binds a delegation to a specific, narrowing scope. A sub-agent cannot hold capabilities that were not explicitly in its parent’s grant. AISM Invariant I-2 (Monotonic Scope Narrowing) is not a policy suggestion — it is enforced in the CAEL delegation envelope.

Maximum delegation depth is set at four hops with a hard circuit breaker. No delegation chain can exceed this regardless of what the application code says.

T3: Memory Injection

Long-running agents maintain persistent memory. That memory shapes future decisions. An adversary who can write to that memory can steer the agent’s behavior across sessions without touching the model itself.

This is the Adversarial Task Persistence Attack (ATPA). The injection does not need to be clever. “IGNORE PREVIOUS INSTRUCTIONS” in a cross-session memory write is enough to redirect an agent’s purpose — if there is no validation gate on the write.

NEXUS Memory Vaccine implements drift detection on every proposed memory write. Incoming content is compared semantically against the agent’s established purpose embedding. Content that deviates above the drift threshold triggers a HARD_BRAKE: the write is blocked, logged to the incident corpus, and surfaced for human review. Cross-session and permanent writes require cryptographic provenance (owner DID + embedding hash). Session writes are purged at session end.

None of the protocols below implement any of this.

T4: Privilege Escalation at Tool Execution

Every tool call is an authorization decision. The question is not just “can this agent call this tool” — it is “with these specific arguments, at this delegation depth, from this context compartment, should this tool execute right now?”

Coarse-grained capability gates miss the cases that matter. An agent with legitimate read_file scope should not be able to call read_file(path=”../../etc/passwd”). An agent with database access in TASK_CONTEXT should not be able to access CREDENTIAL_SURFACE. These distinctions require per-call argument inspection, not just capability category checks.

NEXUS Guardian provides per-call argument-level enforcement running at sub-millisecond latency outside the agent process. Agents cannot read, modify, or override Guardian policies — OPA runs as an isolated sidecar.

T5: No Audit Chain

When something goes wrong with an agentic system, the first question is: what did it do and why? Answering this requires a complete, tamper-evident, non-repudiable record of every action the agent took.

Most protocols produce logs. Logs are mutable. Logs can be deleted. Logs do not cryptographically bind the acting agent to the action.

NEXUS produces NOR (NEXUS Output Receipt) records: cryptographically signed audit receipts for every tool call, memory write, delegation, and identity assertion. NOR records are OCSF-mapped for direct SIEM integration. A denied action produces OCSF class 6002 (POLICY_VIOLATION). An allowed action produces a receipt proving it was authorized. The chain cannot be retroactively altered without invalidating the hash.

The Protocol Comparison

Now let us apply these five threat categories to the four protocols most commonly deployed in production agentic systems.

MCP (Model Context Protocol)

MCP solves a real problem: connecting AI models to external tools in a standardized way. It does this well. What it does not do is govern the agents using those tools.

The core MCP architecture does not assign a cryptographic identity to the agent making a tool call. The _meta field carries optional metadata but carries no authentication. There is no delegation governance. There is no memory provenance. There is no audit trail beyond application-level logging.

The May 2026 MCP security refresh addressed some authentication surface at the server layer (RFC 9207 issuer validation, stateless core). These are correct improvements. They do not address any of T1 through T5 above. A server that knows who issued the OAuth token still does not know which agent made the call, under what delegation, with what scope constraints.

AI SAFE2 v3.0 score: 11/25. High P1 (tools isolation), weak P2, near-zero P3, minimal P4, minimal P5.

NEXUS bridge: NEXUSMCPBridge wraps any MCP tool call in a CAEL envelope. The MCP server receives a valid tools/call request. NEXUS context travels in _meta fields, which MCP-native servers ignore. NEXUS-aware servers consume it. No code changes to existing MCP servers required.

ACS (Agent Control Standard)

ACS is the most architecturally serious of the current field. The Guardian integration pattern intercepts tool calls before execution and evaluates them against policy. The per-call argument inspection is genuinely valuable — it catches “legitimate credential, illegitimate specific argument” attacks that capability-category gates miss.

What ACS v0.1.0 lacks is identity. The StepContext.agent.id is a bare string. There is no cryptographic binding between that string and the actual running process. An agent can claim any identity. There is no delegation graph that prevents scope amplification across hops. There is no memory provenance layer. The NOR analog is partial.

The NEXUS-ACS bridge (NEXUSACSBridge) is fully backward-compatible. NEXUS DID identity flows in the agent.id field (satisfying ACS’s string requirement) plus the nexus: extension block (providing DID, SPIFFE ID, VCC scope chain). ACS Guardians that do not understand NEXUS ignore the extension block. The result is NEXUS identity governance sitting underneath ACS argument enforcement — the two layers together close gaps neither closes alone.

AI SAFE2 v3.0 score (ACS alone): ~14/25. Strong P1 Guardian enforcement, weak L2 identity, no T3 memory governance, partial T5 audit.

Google A2A (Agent-to-Agent Protocol)

A2A is designed for orchestrating agents across organizational boundaries. It uses Agent Cards (.well-known/agent.json), HTTP + SSE, and OAuth/mTLS for transport security. The task-based architecture is clean.

A2A inherits whatever identity and scope controls the underlying OAuth setup provides. It does not provide delegation scope attenuation at the protocol level. Memory governance is out of scope by design. Audit trails are application-layer concerns. The maturity-level field in Agent Cards is informational, not enforced.

For cross-organization agent orchestration, A2A is the right choice at the transport layer. It is not a security protocol. NEXUS wraps it: NEXUSAIBridge translates CAEL envelopes to A2A task format. NEXUS context travels in message.metadata fields.

AI SAFE2 v3.0 score: 8/25. Transport security via OAuth/mTLS is real; everything above that layer is application responsibility.

OpenAI Agents SDK / Generic LLM Tool Calling

The OpenAI function-calling pattern and its equivalents (Anthropic tool-use, Gemini function declarations) provide tool dispatch. They do not provide identity, delegation governance, memory provenance, or audit. These are capability frameworks, not security frameworks.

NEXUS bridges to all of them: NEXUSOpenAIBridge wraps CAEL tool calls into the OpenAI tool-calls array format. LangChain (wrap_for_langchain), CrewAI (wrap_for_crewai), and generic REST endpoints (NEXUSRESTBridge) all have bridges. NEXUS context travels in metadata fields or x-nexus-* headers.

The SAFE2 Scorecard: Agentic AI Security Risk

P4 is 4/5 in stub mode. Production sentence-transformers deployment reaches 5/5. The single remaining gap is behavioral analytics over long time horizons — on the roadmap.

The Architecture That Closes All Five Threats

NEXUS-A2A is not another protocol competing with the ones above. It is the sovereign layer those protocols do not provide, running underneath them.

Agent (any framework)

   |

   NEXUS CAEL Envelope (signed, DID-bound, scoped)

   |

   +–> MCP Server (via NEXUSMCPBridge)

   +–> ACS Guardian (via NEXUSACSBridge)

   +–> A2A Peer (via NEXUSAIBridge)

   +–> LangChain / CrewAI (via NEXUSOpenAIBridge)

   +–> Any REST endpoint (via NEXUSRESTBridge)

   |

   Memory Vaccine (drift detection on every write)

   |

   OPA Guardian Sidecar (per-call policy, agents can’t touch it)

   |

   NOR Audit Chain (OCSF-mapped, SIEM-ready, non-repudiable)

The bridges preserve full compatibility. Non-NEXUS servers receive valid protocol messages and never know NEXUS is there. NEXUS-aware servers consume the additional governance context. The sovereign layer adds security without breaking existing infrastructure.