You configured your AI agent — an autonomous program that acts on your behalf — with a neat list of tools. Search the web. Read a file. Create a Jira ticket. Each one a predictable function: input goes in, output comes out, like a vending machine. You know what it costs, how long it takes, and what it can't do. Comfortable.
But what if some of those "tools" aren't functions at all? What if behind the same callable interface hides another autonomous AI — one with its own tools, its own reasoning chain, and its own ability to rack up your bill? Your orchestrating agent has no way to know the difference.
Google Erased the Line
On April 22, at Cloud Next in Las Vegas, Google shipped ADK (Agent Development Kit) 1.0 — stable releases across Python, Go, Java, and TypeScript. The headline feature: ADK natively supports both MCP tools (Model Context Protocol — a universal plug standard for connecting AI to external services, like USB but for data) and A2A agents (Agent-to-Agent protocol — a way for AI agents to talk to each other as peers). Both are now callable from the same orchestrating agent. Thomas Kurian, Google Cloud CEO, declared "the era of the pilot is over" — 150 organizations already run A2A in production.
Same Menu, Very Different Kitchens
In code, there's a technical distinction. Local tools go into a tools= parameter. Remote A2A agents go into sub_agents=. Clean separation on paper. But the LLM — the large language model, the brain behind Gemini, ChatGPT, Claude — sees both as callable options on the same menu. It picks "search_web" or "ask_finance_agent" with zero metadata about what's on the other end of the call.
An MCP tool is stateless: input in, output out, deterministic, fast. An A2A agent is a non-deterministic reasoner that might invoke its own tools, make multi-step decisions, run for minutes, and build up its own context window — the amount of text the AI holds in working memory. The A2A AgentCard — the agent's self-description file — carries authentication schemes and skill descriptions. What it doesn't carry: a statefulness flag, a cost estimate, or an idempotency declaration (whether calling it twice produces the same result or creates a duplicate action).
Three Things Break at Once
Permission scoping. A "tool" that's secretly an agent can escalate privileges through its own tool calls — calls your orchestrator never authorized and never sees.
Cost budgets. An agent can burn unpredictable tokens — word-chunks the AI processes, roughly ¾ of an English word — on internal reasoning that never appears in your logs. Your $0.002 tool call quietly becomes a $0.50 agent session.
Retry logic. Re-calling a failed function is safe. Re-calling a failed agent might create duplicate orders, send duplicate emails, or start a second negotiation with another AI. Idempotent vs. non-idempotent — and nothing in the protocol tells you which.
Security researchers have already flagged the math: deploying just ten MCP plugins creates a 92% probability of at least one exploitable vulnerability. An academic analysis found that A2A's OAuth 2.0 tokens lack strict expiration requirements — leaked tokens stay valid for hours or days. And agent cards are self-reported: agents declare their own capabilities with no independent verification. Trust me, I'm an agent.
The Missing Trust Signal
Neither MCP nor A2A carries a field that says "I'm a dumb function" vs. "I'm an autonomous reasoner with a credit card." Both protocols now live under the Linux Foundation's Agentic AI Foundation (co-founded December 2025 by OpenAI, Anthropic, Google, Microsoft, and AWS), but a unified capability-declaration standard doesn't exist yet. Developers must manually audit every integration point — the kind of work that doesn't scale and that nobody does until something explodes in production.
What You Should Do Right Now
Until that standard arrives, the only sane default: treat every tool call as a potential agent delegation. Session-level spending caps. No automatic retries. Per-call permission scoping. Doesn't matter if the endpoint looks like a simple search function — assume it has opinions.
The tool-agent boundary was always a convenient fiction. Google just made that visible in production infrastructure used by 150 organizations across the industry. Every security model built on "tools are safe, agents are dangerous" needs rebuilding from scratch. Your vending machine might be sentient now — and it definitely has its own API keys.
