Agent handoffs fail in the space between "the protocol delivered the message" and "the next actor is allowed to act."
That gap is where most teams are still under-designing their agent stacks.
The new protocol layer matters. Model Context Protocol gives applications a standardized way to expose context, resources, prompts, and tools to models. Agent-to-agent protocols such as A2A make agent communication, capability discovery, task coordination, and information exchange more legible across systems. That is real infrastructure progress. It means the agent stack is getting plumbing instead of every integration being a bespoke wire job.
But plumbing is not permission.
A protocol can tell one system how to call another system. It does not, by itself, decide whether this agent is allowed to touch the customer record, whether the previous step was sufficiently reviewed, whether memory should persist, what evidence must travel with the work, or what human has to approve the next action.
Those are operating questions. They need an operating artifact.
The artifact I would start with is an authority envelope.
The handoff is the risk boundary
Most agent-team diagrams make the handoff look too clean: planner hands to researcher, researcher hands to writer, writer hands to reviewer, reviewer hands to publisher. Boxes, arrows, roles.
That picture hides the important question: what exactly crosses the arrow?
If the answer is only "the prompt" or "the latest message," the receiving agent is being asked to reconstruct too much. It has to infer the goal, the current state, the allowed authority, the unresolved risks, the evidence behind prior decisions, and the boundary between suggestion and permission.
That is how agent teams become confident and sloppy at the same time.
The handoff should be treated as a state-transfer event. A new actor is about to continue work it did not originate. Before it acts, it needs a packet that says what has been decided, what has not been decided, what it may do, what it may not do, and what proof exists.
That packet is the authority envelope.
What an authority envelope carries
An authority envelope is not a new protocol. It is the operational layer above the protocol.
The protocol moves the envelope. The envelope explains whether the next move is allowed.
A useful envelope has at least eight fields:
- Goal: the business or product outcome this handoff is serving.
- Current state: what is known, what changed, and what artifact is being passed forward.
- Authority: what the receiving agent is allowed to do without another approval.
- Constraints: what it must not change, publish, delete, expose, or assume.
- Evidence: links, citations, logs, screenshots, tests, or readbacks that justify the current state.
- Open risks: the unresolved issues the next actor must preserve or resolve.
- Human gate: whether a person must approve the next step before execution.
- Next allowed action: the narrow action the receiver is being asked to take now.
That last field matters. Without it, every handoff becomes an invitation to improvise.
The point is not to make agents bureaucratic. The point is to stop pretending that a fluent continuation is the same thing as a safe continuation.
Protocols make exchange legible. Envelopes make action auditable.
MCP and A2A are useful precisely because they make parts of the exchange explicit.
MCP defines a client-server architecture where applications can share context with models and expose tools and resources. Its tool documentation is also careful about trust: tool invocation can be model-controlled, and implementations are expected to design the user interaction model, including confirmation or denial paths for sensitive actions.
A2A similarly focuses on interoperability between opaque agentic applications. Its specification describes agents discovering capabilities, negotiating interaction modalities, managing collaborative tasks, and exchanging information without requiring access to each other's internal memory or tools. Its enterprise guidance leaves authorization responsibility with the serving side after authentication, and secondary credentials are obtained outside the core protocol flow.
That is the right division of labor. The protocol should not pretend to be the full operating model for every company, surface, and risk level.
But builders should read that division clearly: if the protocol does not own your approval policy, your rollback path, your proof standard, or your memory boundary, then your system still needs a place where those decisions live.
The authority envelope is one candidate for that place.
A concrete envelope shape
Here is the simplest version I would want before letting one agent hand work to another in a production-adjacent workflow:
goal: "Prepare a customer-safe recommendation for renewal outreach."
current_state:
artifact: "draft recommendation"
summary: "Usage increased, support burden decreased, expansion signal is moderate."
changed_since_last_gate: "Added pricing sensitivity note."
authority:
allowed:
- "summarize account history"
- "draft internal recommendation"
- "request missing evidence"
not_allowed:
- "send customer email"
- "change CRM fields"
- "quote pricing"
constraints:
privacy: "Do not expose internal support notes verbatim."
brand: "No certainty claims about customer intent."
evidence:
- type: "source"
description: "usage dashboard readback"
- type: "source"
description: "support ticket trend summary"
open_risks:
- "pricing sensitivity has not been confirmed by account owner"
- "usage spike may be seasonal"
human_gate:
required_before: "external_send"
owner: "account owner"
next_allowed_action: "revise recommendation and flag evidence gaps"
This is not glamorous infrastructure. That is why it is useful.
It gives the receiving agent less room to hallucinate authority. It gives the reviewer a surface to inspect. It gives the system a durable record of why the next action was permitted. It turns "agent collaboration" from a vibe into a controllable workflow.
The anti-pattern: role chains without authority chains
A lot of agent-team demos show role chains: one agent researches, one writes, one critiques, one executes. The demo looks alive because each role speaks in its own voice.
But role assignment is not authority design.
A critic agent can say something is ready. That does not mean it has the authority to approve publication. A researcher agent can find a source. That does not mean it has established the source is sufficient for a public claim. A coding agent can pass tests. That does not mean it can deploy. A support agent can draft a reply. That does not mean it can send it to a customer.
The operating mistake is letting the role name smuggle in the permission model.
An authority envelope forces the distinction. It says: this is the role, this is the state, this is the permitted action, this is the evidence, and this is the gate that still belongs to a human or a narrower approval process.
That distinction will matter more as protocols improve, not less. Better interoperability increases the number of actions agents can reach. It does not automatically increase the number of actions they should be allowed to take.
What to inspect before you trust a handoff
If you are building agent teams, do not start by asking whether your agents can talk to each other. Assume that part gets easier.
Ask harder questions:
- Does every handoff carry the goal and current state, or only the latest message?
- Does the receiving agent know its authority boundary before it acts?
- Is there a field that explicitly says what is not allowed?
- Does evidence travel with the work, or does the reviewer have to reconstruct it?
- Are unresolved risks preserved across the handoff, or accidentally washed out by summarization?
- Is the human gate named before the system reaches the sensitive action?
- Can you audit why the next action was permitted?
- Can you roll back or pause a workflow when the envelope is incomplete?
These questions are boring in exactly the way production systems are boring. They turn agentic behavior into something an operator can reason about.
The real bottleneck
The next agent bottleneck is not whether agents can exchange messages. That layer is improving.
The bottleneck is whether the work can move through a system without losing authority, evidence, state, and accountability at every handoff.
Protocols make agents interoperable.
Authority envelopes make agent work inspectable.
If you are building a serious agent stack, you need both. But do not confuse them. The protocol gets the next agent in the loop. The envelope tells it what it is allowed to do once it gets there.
Sources
- Model Context Protocol Specification, 2025-06-18: https://modelcontextprotocol.io/specification/2025-06-18/
- MCP Server Features: Tools: https://modelcontextprotocol.io/specification/2025-06-18/server/tools
- MCP Base Protocol: Authorization: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
- A2A Protocol Specification: https://a2aproject.github.io/A2A/latest/specification/
- A2A Enterprise Ready Guidance: https://a2aproject.github.io/A2A/latest/topics/enterprise-ready/