Table of Contents
Fetching ...

Improving Google A2A Protocol: Protecting Sensitive Data and Mitigating Unintended Harms in Multi-Agent Systems

Yedidel Louck, Ariel Stulman, Amit Dvir

TL;DR

The paper addresses the vulnerability of Google's A2A protocol to mishandling of sensitive data in multi-agent systems. It proposes protocol-level enhancements—explicit user consent, ephemeral and granular tokens, native strong customer authentication, and direct user-to-service data channels—within a semi-trusted threat model. Empirical evaluation against prompt-injection attacks shows substantial leakage reduction and minimal latency impact, with a concrete DirectDataFlowController achieving zero leakage in tested scenarios. Collectively, the work offers a practical path to privacy-preserving, auditable, and regulation-compliant A2A deployments in generative multi-agent environments.

Abstract

Googles A2A protocol provides a secure communication framework for AI agents but demonstrates critical limitations when handling highly sensitive information such as payment credentials and identity documents. These gaps increase the risk of unintended harms, including unauthorized disclosure, privilege escalation, and misuse of private data in generative multi-agent environments. In this paper, we identify key weaknesses of A2A: insufficient token lifetime control, lack of strong customer authentication, overbroad access scopes, and missing consent flows. We propose protocol-level enhancements grounded in a structured threat model for semi-trusted multi-agent systems. Our refinements introduce explicit consent orchestration, ephemeral scoped tokens, and direct user-to-service data channels to minimize exposure across time, context, and topology. Empirical evaluation using adversarial prompt injection tests shows that the enhanced protocol substantially reduces sensitive data leakage while maintaining low communication latency. Comparative analysis highlights the advantages of our approach over both the original A2A specification and related academic proposals. These contributions establish a practical path for evolving A2A into a privacy-preserving framework that mitigates unintended harms in multi-agent generative AI systems.

Improving Google A2A Protocol: Protecting Sensitive Data and Mitigating Unintended Harms in Multi-Agent Systems

TL;DR

The paper addresses the vulnerability of Google's A2A protocol to mishandling of sensitive data in multi-agent systems. It proposes protocol-level enhancements—explicit user consent, ephemeral and granular tokens, native strong customer authentication, and direct user-to-service data channels—within a semi-trusted threat model. Empirical evaluation against prompt-injection attacks shows substantial leakage reduction and minimal latency impact, with a concrete DirectDataFlowController achieving zero leakage in tested scenarios. Collectively, the work offers a practical path to privacy-preserving, auditable, and regulation-compliant A2A deployments in generative multi-agent environments.

Abstract

Googles A2A protocol provides a secure communication framework for AI agents but demonstrates critical limitations when handling highly sensitive information such as payment credentials and identity documents. These gaps increase the risk of unintended harms, including unauthorized disclosure, privilege escalation, and misuse of private data in generative multi-agent environments. In this paper, we identify key weaknesses of A2A: insufficient token lifetime control, lack of strong customer authentication, overbroad access scopes, and missing consent flows. We propose protocol-level enhancements grounded in a structured threat model for semi-trusted multi-agent systems. Our refinements introduce explicit consent orchestration, ephemeral scoped tokens, and direct user-to-service data channels to minimize exposure across time, context, and topology. Empirical evaluation using adversarial prompt injection tests shows that the enhanced protocol substantially reduces sensitive data leakage while maintaining low communication latency. Comparative analysis highlights the advantages of our approach over both the original A2A specification and related academic proposals. These contributions establish a practical path for evolving A2A into a privacy-preserving framework that mitigates unintended harms in multi-agent generative AI systems.
Paper Structure (30 sections, 3 equations, 8 figures, 3 tables)

This paper contains 30 sections, 3 equations, 8 figures, 3 tables.

Figures (8)

  • Figure 1: A2A’s core mechanism. The AgentCard provides identity-aware task and tool metadata to support discovery and execution across agent systems.
  • Figure 2: Threat model for the A2A protocol in a semi-trusted multi-agent environment. Solid arrows indicate legitimate communication flows; dashed red arrows indicate attack vectors including prompt injection, token replay, scope escalation, and unverified endpoints.
  • Figure 3: Example booking workflow in A2A illustrating overprivilege, long token lifetimes, and absence of explicit user consent.
  • Figure 4: Booking process flow that pauses at sensitive actions until explicit user approval is obtained using USER_CONSENT_REQUIRED State
  • Figure 5: Configuration of Agent 1 in N8N with access restrictions but retention of sensitive data in memory.
  • ...and 3 more figures