The Prompt Economy is all about promise and execution. The promise is easy to see in all the announcements from companies like Visa, Mastercard, Google and others that continue to dominate the news. The execution can be seen as CFOs move from experimentation to action. Somewhere in the middle are the developers and the protocols needed to create the right agentic infrastructure.
That middle is starting to take shape as agentic AI gains traction. A good example can be seen in this post from Cisco. It explains how two emerging protocols are shaping the next phase of agentic AI development: the Model Context Protocol (MCP) and Agent-to-Agent (A2A). MCP helps large language models understand and use external tools by translating complex APIs into natural language. This makes it easier for developers to connect AI systems to real-world software. MCP has spread quickly because it solves a practical problem: models struggle to work directly with raw APIs at scale, especially as tools change or multiply. MCP gives AI a clearer, more reliable way to interact with those tools.
The article argues that MCP alone is not enough as systems grow more complex. As the number of tools increases, the information sent to the model can become too large to manage efficiently. This is where A2A plays a complementary role. A2A allows agents to discover and coordinate with other agents using high-level descriptions of what each agent can do, rather than listing every tool in detail. Barton compares this to computer networking, where early systems worked at a local level before adding routing layers to scale. Used together, MCP handles precise tool execution while A2A manages agent-to-agent coordination. The key takeaway is that developers do not need to choose between the two. Durable, production-grade agentic systems will rely on both as part of a layered architecture.
“This is not an MCP versus A2A decision; it is an architectural one,” the post reads, “where both protocols can be leveraged as the system grows and evolves.”
Dual Agents
Dual agents have also shown up in new thinking from Google. A new report in Search Engine Journal on Google’s SAGE research explains how agentic AI systems are being trained to perform deeper, more complex search tasks. SAGE, short for Steerable Agentic Data Generation for Deep Search with Execution Feedback, is designed to teach AI agents how to answer hard questions that require multiple searches and several steps of reasoning. Earlier training datasets focused on simpler questions that could be solved quickly, which left AI agents unprepared for real-world research tasks. Google’s work shows how agents can be trained using harder questions and continuous feedback so they learn when to search again, when to stop, and how to reason across sources.
The article also highlights what this research means in practice, especially for how content is found and used by AI systems. In testing, deep research agents often relied on the top-ranked search results and favored pages that brought key information together in one place. When a single page answered several parts of a question clearly, the agent did less searching elsewhere. The takeaway is that classic search still matters. Clear structure, strong relevance, and high rankings remain critical. Agentic AI does not replace traditional search behavior. It builds on it, using the same signals to decide which sources to trust and when to move on.
Advertisement: Scroll to Continue
Risk Appetite
All of which comes with calculated risk. That risk was the subject of a NVIDIA Developer post last week that lays out why agentic AI systems introduce a new class of security risk for developers and enterprises. Unlike traditional software, agentic tools can write and execute code, call external tools, and act with the same system permissions as a human user. That power makes them productive, but it also expands the attack surface.
The report explains that the most serious threat comes from indirect prompt injection, where malicious instructions are hidden in places like code repositories, configuration files, or tool responses. Once ingested, those instructions can cause an AI agent to take harmful actions without the user realizing it.
The article argues that managing this risk requires strong operating system–level sandboxing, not just application-level controls. Manual approvals alone are not enough, because they create fatigue and encourage careless clicks. NVIDIA recommends blocking network access by default, preventing file reads and writes outside a defined workspace, protecting all agent configuration files, and isolating agent execution using virtualization.
The core message is that agentic systems must be designed with containment in mind from the start. Security should assume the agent will execute untrusted code and plan accordingly. Teams that build these controls early can benefit from automation without putting sensitive data, systems, or intellectual property at risk.
