Date: 2026_05_19 Source: https://www.youtube.com/watch?v=zP6TnEiueEc Duration: 1242 Platform: YouTube Creator: AI News & Strategy Daily | Nate B Jones

Google Spent a Year Stitching MCP, A2A, AG-UI Together. I/O Today.¶

Overview¶

Google I/O day delivered a packed agentic agenda, but the real story underneath — what Nate argues is "much more interesting" — is the protocol layer Google has been building to drive the Agentic Revolution. Six protocols have launched in the past year, and Nate's framework maps them onto three fundamental questions every agentic system must answer: what can the agent use?, who can it work with?, and how does the human stay in control? Three protocols (MCP, A2A, AGUI) map cleanly onto those questions and are converging into the actual agent stack. The other three (A2UI, AP2, X42) sit in contested or highly domain-specific layers.

The Core Stack: Three Protocols, Three Jobs¶

1. MCP (Model Context Protocol) — Tool & Data Layer¶

MCP is the most widely adopted protocol in AI right now, with over 14,000 MCP servers available. It solves the most immediate pain: before MCP, every integration with tools (GitHub, Slack, Drive, Postgres, Stripe, Linear, Salesforce, internal APIs) looked like custom glue — tool definitions, auth patterns, parameter schemas, error handling all written from scratch. MCP standardizes this: a server exposes tools and resources, an agent host connects to it, and the model receives a usable description of what's available. New capabilities compose without every agent platform rebuilding every connector.

The critical nuance Nate emphasizes: MCP enables arbitrary code execution and arbitrary data access — by design. It was built for high-trust environments, and tool access is not a feature toggle. It's a security boundary you're crossing. Invariant Labs has published research on "tool poisoning attacks" — malicious instructions hidden inside tool descriptions exposed via MCP that can influence an agent through the very metadata that's supposed to make tools discoverable. If your team ships MCP servers, you still need scopes, approval flows, audit trails, and a real answer to which tools the agent can see in which context.

2. A2A (Agent-to-Agent) — Coordination Layer¶

MCP gets agents reach. But the moment an agent starts working, the second problem arrives: one agent can't know everything or own every capability. A procurement agent needs a supplier agent. A travel agent needs a hotel agent. A finance agent needs a tax agent. A software agent needs a security reviewer. Work is distributed across owners, permissions, domains, and expertise.

A2A turns that distribution into something agents can reason about. The core primitive is the agent card — a remote agent publishes a card describing what it is, what it does, which skills it exposes, where it can be reached, and how another agent ought to interact with it. The agent card is the first version of an operating contract with real terms, real interfaces, and real responsibility.

Google launched A2A with 50+ partners (Atlassian, Box, Cohere, MongoDB, PayPal, Workday). The partner list matters because A2A only works if agents really can cross product and company boundaries. But coordination isn't free — A2A adds latency, failure, permissions, and observability surfaces. A single product with a small toolset may not need agent coordination at all. The right question: does this workflow require delegated expertise or authority outside the primary agent? If yes, you need to decide what your agent can say about itself, what it can accept, what it can't share, what requires human approval, and how downstream results get validated.

3. AG-UI (Agent UI) — Human Control Layer¶

AGUI is easy to underestimate. Most people hear "agent UI" and think it's about driving the user interface — Nate argues that's not the best reading. The better reading: AGUI is about ensuring trust in agentic workflows. A long-running, non-deterministic agent capable of touching external systems needs far more than a final answer for a human to see. Humans need to observe the agent as it works, approve sensitive steps, correct course, inspect state, and understand why the agent is waiting.

Traditional web apps are built for call-and-response. They don't handle the streaming work agents do, or the fact that agents may discover new information mid-task. The chatbot experience is not enough for that. AGUI is the open candidate for the human control layer — it provides streaming, shared state, front-end tool calls, backend tool rendering, custom events, steering, and sub-agent composition.

Nate's take: AGUI belongs with MCP and A2A in the core stack, even if it's earlier on the adoption curve. An agent that can't show its work becomes supervision debt for humans. Many teams will ignore this layer until their agents start doing real work and generating real bucks — then they'll scramble to add approval buttons, logs, and progress spinners. None of those by themselves fix the root issue, which is finding the right control points, understanding what the agent is trying to do, what it's waiting for, and where the user needs to approve, deny, edit, or cancel.

The Contested Three: A2UI, AP2, X42¶

A2UI — Agent Generated Interfaces¶

Google's project for structured declarative UI instead of arbitrary HTML/JavaScript from a remote agent (which Nate calls "a security disaster waiting to happen"). The agent asks for components from an approved catalog; it cannot execute arbitrary interface code. That's the right direction — but A2UI is narrow. It's just one piece of the overall rendering question and doesn't establish a whole human control layer like AGUI does.

AP2 — Agentic Payments Protocol¶

Google's attempt to answer the most difficult question in Agentic Commerce: how does the ecosystem know the agent was authorized to buy? The key mechanic is the mandate — a cryptographically signed proof of what the user authorized. 60+ collaborators including American Express, Coinbase, Mastercard, PayPal, Salesforce, Union Pay, and World Pay. But a large collaborator list doesn't make something a standard in payments — the space is highly contested.

X42 — Machine-to-Machine Payments¶

Coinbase's HTTP-native payment protocol, adopted by Cloudflare. The use case is agent-to-agent payment for resources — an agent buys an API call, a data source, a document, or a benchmark run without setting up an account or negotiating a subscription. X42 and AP2 are adjacent but not the same: AP2 is about commercial trust and user authorization; X42 is about settling payments for resources between agents.

The Payments Layer Is Especially Contested¶

Stripe, Mastercard (Agentic Tokens), Visa (Intelligent Commerce), American Express (Agentic Commerce Experiences Developer Kit), and PayPal are all building their own commerce layers. PayPal is supporting AP2 but also building its own system. The payment space is so valuable that everyone wants to jump in — and Nate encourages builders to think in the customer-obsessed way Stripe does: for your customers who have to trust agents, how do you ensure the payment space is something they feel they can participate in, authorize an agent to transact in, and feel good that their wallet is secure, the payment is authorized, the payment will be completed, and their order will be done as expected?

Payment protocols are not just a technical choice — they're a customer experience choice.

The Strategic Framework: Substrates Shape Customer Experience¶

The overarching argument: the substrates for agents actually shape the customer experience. Before wrestling with any protocol, the right first question is: what are you actually building? Support triage? Procurement? Sales territory analysis? Customer renewal prep? Understand that specifically, and then ask how the substrate shapes the customer experience you need to drive — whether internal or external.

Summary¶

The agent protocol landscape is consolidating around three layers:

MCP, A2A, and AGUI map cleanly onto the three fundamental agentic questions. The other three are real problems worth tracking, but they're still under active debate and not settled standards.

🦐 Summary by Thrawn the Prawn — Strategic Analysis Division