The Protocol Stack Nobody Audited

A production enterprise agent rarely speaks one protocol. It speaks four. The Model Context Protocol connects an agent to its tools; Agent-to-Agent, or A2A, connects an agent to other agents; the Agent Communication Protocol, or ACP, carries lightweight REST messaging between services; and the Agentic Commerce, or UCP, layer handles catalog and checkout when an agent transacts. Vendors already describe a “complete enterprise stack” that uses all four together, each one a complement to the others rather than a competitor.

Each protocol was designed in isolation, by a different team, with its own authentication model and its own idea of what to record. MCP's own 2026 roadmap lists structured audit trails and SIEM integration as future work rather than shipped guarantees. A2A states that credentials are obtained through an out-of-band process outside its scope. ACP is minimal HTTP by design and documents no audit standard. UCP scopes its signatures to a single transaction.

The result is a gap that no single protocol's documentation describes, because no single protocol owns it. Each protocol's audit log is complete within its own boundary. The trouble is that an agent's work crosses boundaries, and the seam between two complete logs is where accountability quietly disappears.

The four protocols are genuinely complementary, and that is precisely what makes the gap easy to miss. MCP, introduced by Anthropic and reporting tens of millions of SDK downloads, is the agent-to-tool layer. A2A — contributed by Google to the Linux Foundation in 2025, reaching v1.0 in April 2026 with backing from more than a hundred and fifty organizations including AWS, Cisco, Microsoft, Salesforce, SAP, and ServiceNow — is the agent-to-agent layer. ACP, originating at IBM Research and likewise donated to the Linux Foundation, is the lightweight HTTP-native messaging layer. UCP is Google's agentic-commerce layer for cart, catalog, and checkout.

Read individually, each design document is reasonable. A2A explicitly calls itself complementary to MCP rather than a replacement, and the ecosystem maps that vendors publish place the four protocols side by side as a layered stack. The problem is not in any one document. The problem is that the four documents were never read together, because no document is responsible for the composition.

One honest scoping note belongs here at the start. UCP is the narrowest of the four, confined to commerce, so the audit-gap argument is strongest for the MCP, A2A, and ACP triad and weakest where it reaches for UCP. We carry that caveat through the rest of the paper rather than burying it.

The closest thing to an empirical anchor for the gap is the confused-deputy problem within MCP. At RSAC 2026, the Coalition for Secure AI's “Securing MCP” work framed the question an auditor must be able to answer: who authorized this action, through what chain, and with what scope? When a token is passed downstream and re-used, the deputy acts on the original principal's authority without anyone recording the chain that delegated it. The Coalition's Agentic IAM Framework responds with signed manifests, continuous authorization, and on-behalf-of tokens.

That framework addresses the confused deputy within the MCP layer. It does not reach across protocol boundaries, and that limit is the whole point. The MCP layer has its own concrete CVE record — the mcp-remote flaw, CVE-2026-30624, scored CVSS 9.6 across a package with hundreds of thousands of downloads — which establishes that the intra-layer problem is real, not hypothetical.

Here is the discipline this paper insists on. No public breach has been attributed to a cross-protocol audit failure as of this writing. The confused deputy is a documented intra-MCP problem; extending it across an A2A delegation into an MCP tool call is an analytical inference, not a reconstructed incident, and we label it as one.

Because the gap is structural rather than a single defect, the response is a posture rather than a patch. Four questions turn an uncorrelated stack into an auditable one. None requires a tool that does not exist; each requires deciding to audit the composition instead of the parts.

1. 01Correlate across boundaries. Carry a single correlation identifier from the first A2A delegation through every MCP tool call, ACP message, and UCP transaction it triggers, so a reviewer can reassemble one request from four logs. Without a shared identifier, each protocol's complete log is an island, and the request that crossed them all leaves no through-line.
2. 02Unify the authorization chain. Record actor, action, resource, and the authorization that permitted it in one schema across all four layers — and treat A2A's out-of-band credential acquisition as an audit discontinuity to be closed, not a detail to be waved through. A delegation whose granting step is invisible is a delegation no auditor can defend.
3. 03Know where the logs go. Establish what your MCP gateway actually records and where it ships those records, then ask the same of every other protocol in your stack. A gateway that audits the MCP layer well can still leave you with no view of the A2A delegation that called it or the ACP message that followed.
4. 04Map the stack to the regulation. The frameworks that govern you — NIST AI RMF, the EU AI Act, SOC 2, HIPAA — ask for system-level reconstruction, not per-layer fragments. Map your composed stack, not each protocol in isolation, against the obligation, because the regulator audits the system the agent runs, not the protocol diagram.

The companion in-depth paper develops each protocol's auth and audit model against its primary design document, traces a single request across all four layers, maps the regulatory exposure, and sketches what a cross-protocol audit surface would actually require. For the comparison table, the worked request path, and the proposed event schema in full, read the in-depth companion .

The four protocols are not broken. Each does its job, audits its own layer, and was designed responsibly for the boundary it owns. The accountability void is not in any of them; it is in the space between them, which none of them claims and none of them documents.

An enterprise that audited MCP has not, by that act, audited its agent stack. It has audited one layer of four. The work that remains — a correlation identifier across boundaries, a unified authorization chain, a known destination for every protocol's logs, and a map of the composed system against the regulation — is the work of auditing the seams, and it begins with admitting the seams exist.

For the same reason the MCP supply chain needed governance rather than a hotfix, the agent protocol stack needs an audit of its composition rather than four audits of its parts. The parts are accounted for. The composition is not.