Why your AI agents need a sandbox (and what Cloudflare just shipped)
Cloudflare's Dynamic Workers run AI-generated code in V8 isolates that start 100x faster than containers. Here's why that matters if you're building agents.
An enterprise AI agent is not valuable because it can hold a longer chat. It becomes useful when it can safely read the right data, call an approved tool, and return a result to a real workflow.
That is where MCP and A2A enter the conversation. They are often mentioned together, but they solve different problems. MCP connects an agent to tools and data. A2A lets independent agents discover each other, delegate a task, and exchange results.
Neither protocol is a security policy. Your organization still decides who may connect, what each identity can read, which writes need human approval, and how an incident is investigated.
A chatbot responds to a user. A deterministic workflow follows predefined steps. An agent receives a goal, chooses tools, and can change its approach based on intermediate results.
Many business processes do not need a full agent. Stable rules are usually cheaper and easier to audit as ordinary integrations. Our agent versus automation guide covers that decision in more detail.
MCP and A2A standardize communication. They do not make the underlying decisions reliable.
Model Context Protocol uses a host-client-server architecture. The host application manages the user, permissions, and connections. It creates an isolated client for each MCP server. Each server exposes focused tools, resources, or prompts.
For example, a CRM server can expose customer lookup and note creation. A billing server can expose invoice status and a payment-reminder draft. An analytics server can return an approved metric from the data warehouse.
The agent does not need three custom SDKs. It sees described capabilities through a shared protocol. The host still controls which servers are available and which context reaches them.
The official MCP architecture stresses isolation. One server should not automatically see the full conversation or another server's content.
Agent2Agent Protocol handles communication between independent agents. An agent can publish an Agent Card describing capabilities, supported interfaces, and security schemes. A client selects a suitable interface and sends a task.
Consider a sales agent preparing a proposal. It does not need direct access to every system. It can ask an analytics agent for an approved metric and a legal agent for one contract clause. Each agent remains a separate service with its own access boundary.
The current A2A specification supports API keys, HTTP authentication, OAuth 2.0, OpenID Connect, and mTLS. Agent Cards can be signed so clients can verify origin and integrity.
The A2A documentation draws a direct distinction:
One agent can use MCP to access CRM while using A2A to delegate a separate task to another agent. You do not need both protocols by default. If one internal agent calls two stable APIs, another protocol layer may only add work.
A salesperson asks an agent to review unpaid invoices and propose a next step.
Reading an invoice has a different risk profile from contacting a customer. Split tools and permissions by impact, not implementation convenience.
Give every agent its own workload identity. Apply least privilege. Require explicit approval for payments, outbound messages, contract changes, and personal-data exports.
Record the identity, tool, input, result, human decision, and cost. An A2A server must authorize every operation and scope results to the caller's user, project, or tenant boundary. Add a clear shutdown and credential-revocation path.
Use our AI agent governance checklist before connecting production systems.
MCP is useful when several agent clients reuse the same business capabilities or the tool set changes often. A2A fits independently operated agents that need to delegate longer-running tasks.
Keep an ordinary API or message queue when the process has one known client and a fixed sequence. Fewer layers mean fewer failure modes.
To evaluate a real process, start by mapping data, actions, identities, and approvals in an AI automation workshop. Choose MCP, A2A, or a plain API only after those boundaries are clear.
Founder and software lead at Rise.sk. He designs and delivers web applications, data systems, and automation, and writes about software decisions, AI, and digital services.
Cloudflare's Dynamic Workers run AI-generated code in V8 isolates that start 100x faster than containers. Here's why that matters if you're building agents.
OpenAI says GPT-5.6 Sol beats Claude Fable 5 on coding at a third of the cost. Anthropic says Fable 5 leads on raw capability. Both are right. Here is which model wins which job.
API tokens can cost less than a developer hour, but tokens are not the whole project. A practical comparison of model usage, review, testing, and operating costs.
Your context changes the answer