Improving Google A2A Protocol: Protecting Sensitive Data and Mitigating Unintended Harms in Multi-Agent Systems

TL;DR

This paper enhances Google's A2A protocol to better protect sensitive data and reduce harms in multi-agent AI systems by introducing explicit consent, ephemeral tokens, and secure data channels, validated through adversarial testing.

Contribution

It proposes specific protocol-level improvements for A2A, including consent orchestration and scoped tokens, grounded in a structured threat model, to enhance privacy and security.

Findings

Reduced sensitive data leakage in adversarial tests

Maintained low communication latency with enhancements

Outperformed original A2A and related proposals in security

Abstract

Googles A2A protocol provides a secure communication framework for AI agents but demonstrates critical limitations when handling highly sensitive information such as payment credentials and identity documents. These gaps increase the risk of unintended harms, including unauthorized disclosure, privilege escalation, and misuse of private data in generative multi-agent environments. In this paper, we identify key weaknesses of A2A: insufficient token lifetime control, lack of strong customer authentication, overbroad access scopes, and missing consent flows. We propose protocol-level enhancements grounded in a structured threat model for semi-trusted multi-agent systems. Our refinements introduce explicit consent orchestration, ephemeral scoped tokens, and direct user-to-service data channels to minimize exposure across time, context, and topology. Empirical evaluation using adversarial prompt injection tests shows that the enhanced protocol substantially reduces sensitive data leakage while maintaining low communication latency. Comparative analysis highlights the advantages of our approach over both the original A2A specification and related academic proposals. These contributions establish a practical path for evolving A2A into a privacy-preserving framework that mitigates unintended harms in multi-agent generative AI systems.