I went looking for the next big thing in multi-agent AI and found a billing dispute waiting to happen.
That’s not where I expected to land. The story everyone was telling sounded clean. In December 2025, the Linux Foundation formed the Agentic AI Foundation, pulling the warring protocols under one neutral roof. Anthropic brought MCP. Block brought goose. OpenAI brought AGENTS.md. Google had already donated A2A back in June. Somewhere between 146 and 170 organizations signed on, depending on which count you trust.
If you only read the headlines, the conclusion writes itself. The protocol turf wars are over. The agents can finally talk to each other. Interoperability: solved.
I believed that for about a day.
Then I started pulling on the thread, and the clean story came apart in my hands. Because a shared foundation tells you where the standards live. It tells you nothing about who pays when one company’s agent walks into another company’s system and starts doing work that costs money.
That second question has no answer yet. And the more I looked, the more I became convinced it’s the only question that matters.
The Year Agents Got Jobs
First, the part that’s actually real, because it’s easy to lose it in the noise.
Something genuine shifted in the last year, and it wasn’t reasoning getting smarter. It was infrastructure getting serious. The whole industry moved from showing off agent demos to building what you’d have to call control planes – the boring plumbing that lets an agent actually do a job inside a company. Runtime. Identity. Memory. Sandboxing. Observability. Governance.
Microsoft pushed hardest. Its Foundry hosted agents are headed for general availability in early July 2026, bundled with toolboxes, procedural memory, and a governance layer called ASSERT. Google folded agent development, orchestration, security, and a template library called Agent Garden into its Gemini Enterprise platform. AWS chased both through Bedrock AgentCore, adding managed agents, web search grounding, gateway integrations, and a Well-Architected Agentic AI Lens for teams shipping to production.
Here’s the part that stuck with me. These agents aren’t free-floating bots anymore. They’ve got corporate identities. Microsoft backs them with Entra IDs – the same directory system that governs human employees. They have permissions. They leave audit trails. Pega, Cohesity, Hyland, and others started wrapping agents in compliance and workflow controls instead of selling raw autonomy.
The agents got jobs. They got badges. They got bosses.
So the real story of the past year isn’t that agents got smart. It’s that they got hired. And once you frame it that way, the next question stops being technical and starts being almost bureaucratic: what happens when your employee has to deal with somebody else’s employee?
Why „Standardized“ and „Solved“ Are Different Words
I want to be careful here, because this is exactly where the easy story trips.
When I first read about the Agentic AI Foundation, I caught myself nodding along to the obvious conclusion. Big logos, one roof, problem solved. It took me an embarrassingly long time to notice that I’d swallowed a sleight of hand. Membership in a foundation is not the same thing as systems that work together. Governance converged. Security didn’t.
Look at what actually sits under that shared roof and the gaps open up fast. MCP runs its own auth model – recently bumped to OAuth 2.1, and still messy in practice by every account I could find. A2A uses a different scheme entirely. The trust handling differs again at other layers. There’s no single identity that flows cleanly across all of them.
And the protocols don’t even cover the same ground. MCP is about tool and context access – how an agent reaches a database or calls an API. A2A is about agents talking to agents. Neither one says a word about authorization across company lines, about reversing a transaction gone wrong, about who’s left holding the bill.
A2A’s own published roadmap makes this plain. It still lists an interoperability spec, registry consolidation, and security best practices as future work. Not shipped. Future. The people building it are telling you, in their own documentation, that the hard parts aren’t done.
So when a vendor recap says protocols are „converging,“ that word is doing a lot of quiet work. Convergence happened – in governance. The turf wars over whose standard wins did cool off, and that’s real. But the thing most readers hear in that word – that agents from rival systems can now safely transact across company boundaries – is just not true. The standards process got organized. The trust problem stayed open.
That distinction is the whole article. Vendor language smudges it on purpose. I’d rather hold it up to the light.
The Trap I Almost Walked Into
For a while I thought the missing piece was cryptography. That felt right, and there’s a clean version of the argument.
Picture it. Your company’s procurement agent, built on one framework, needs to negotiate with a vendor’s sales agent, built on another. Internal permissions are useless here – they only mean something inside their home directory. So you need some cryptographic handshake, some way for an agent to prove to a total stranger that it’s genuinely authorized to act for its employer. The protocols don’t do that yet. There’s your gap. Watch for the startups that build the cryptographic clearinghouse, and you’ve spotted the next big sector.
I had that paragraph half-written before it fell apart on me.
The problem is the whole thing rests on a transaction that barely happens. I went looking for live, production business-to-business agent commerce – one company’s agent actually doing paid work inside another company’s system, at scale, right now. I found nothing. Not a case study, not a practitioner war story, not a vendor brag. Business-to-business agent commerce is, at the moment, a ghost town.
That reframed the entire problem for me. The honest version isn’t „an urgent crisis is blocking enterprises today.“ Enterprises aren’t blocked, because almost none of them are trying. The honest version is stranger and more interesting: the industry is pouring concrete for a kind of transaction that hardly exists yet. The infrastructure is racing ahead of the use case.
Which means I have to be straight about what I’m not claiming. I’m not saying companies are stuck right now, agents jammed at the border waiting for a handshake protocol. They aren’t. I’m not predicting that „agent clearinghouses“ are inevitable, or that cross-org agent identity is the next billion-dollar market. Those are plausible bar-stool bets, and that’s all they are. I couldn’t find the evidence to print them, so I won’t.
What I’m claiming is narrower and, I think, harder to dodge. The rails being laid right now have a seam in them. And that seam runs straight through money.
Follow the Meter
Here’s the move that finally made the whole thing click for me. Stop thinking about the agents talking. Start thinking about the meter running.
Those managed runtimes – Foundry and the rest – aren’t just identity systems. They’re metering systems. Inside them, an agent’s actions are turning into billable events. A tool call. A model invocation. The kind of per-action billing you can already see in products like Copilot Credits, where sub-agent work gets priced and charged. The control plane is quietly becoming a metering plane, where the orchestration trace doubles as a billing ledger.
I should flag my own footing here, because it matters for whether you trust the rest. The „metering plane“ framing is mine – my way of describing what I see, not a phrase the vendors use or a category with a market report behind it. The solid, documented part is narrower: tool calls and model usage get metered and billed, and you can read that off the pricing pages. The grander claim – that every memory write and every sub-agent hop is already a line item – is something I’d want to see on an actual SKU sheet before I leaned on it. So I’ll lean only on what the pricing pages can hold: agent work is being turned into money, action by action, and that machinery is real today.
Now run the agents back through that frame and watch what happens.
Your procurement agent crosses into the vendor’s system and triggers work. Real work, that costs real money on the vendor’s meter. And immediately you’ve got questions no protocol on earth currently answers.
Whose ledger is the true one – yours or theirs? Did your agent actually have the authority to run up that charge? Was the work even performed, or just logged? If the charge is wrong, who reverses it, and how? When the agent misfires and burns money it shouldn’t have, who eats the loss?
This is why the cryptographic identity gap matters – but not for the reason I first thought. Identity isn’t a security puzzle that happens to touch billing. It’s the other way around. Identity is the thing that has to exist before you can even recognize a charge as legitimate. Before anyone can send an invoice across that boundary and expect it honored, both sides need to prove which agent did what, on whose authority. Crypto identity is the receipt. Without it, there’s no enforceable bill.
That’s the reframe that turned this from a thought experiment into something with weight. The trust gap isn’t abstract. It’s commercial. And there’s a crucial detail in how those rails are being built that explains why the seam exists at all: the metering is being built inward-first. Every one of these systems is designed to bill inside a single company – chargeback between your own departments. Nobody’s building the cross-company meter, because the cross-company transaction doesn’t exist yet. The gap between organizations isn’t an oversight somebody forgot. It’s a byproduct of building the inside first and worrying about the outside later.
Whose Meter Wins – and the Question the Meter Can’t Touch
Even if you nail the identity piece, you’ve only solved half the problem. And the half you’ve solved is the easy half.
Sort out cryptographic identity and you can answer „what happened, and who pays.“ You know which agent acted, under whose authority, and what it cost. That’s the billing question, and a clean enough identity layer closes it.
But there’s a second question that crypto doesn’t touch, and conflating the two is where I think most of the coverage goes soft. Suppose the agent was fully authorized. The handshake checked out, the permissions were real, everything was above board. And it still did something terrible. Committed your company to a contract you didn’t want. Leaked data it shouldn’t have. Tripped a regulation.
Who’s accountable for that?
That’s liability, and it’s a different animal entirely. Identity tells you who pressed the button. It tells you nothing about who’s responsible when pressing the button – with full permission – was the wrong move. No cryptographic proof closes that gap, because it isn’t a technical gap. It’s legal.
The reassuring thing I found is that this isn’t a void we invented. The law has chewed on this exact question for centuries, just with humans instead of agents. When an employee or a contractor acts within their authority and still causes harm, principal-liability and agency doctrine decide who’s on the hook. That body of law is old, deep, and battle-tested. The new and unanswered part is only this: does it stretch to cover a piece of software acting as an agent? Nobody’s mapped it cleanly. But we’re not staring at a blank page – we’re staring at a very old page and asking whether a new kind of actor fits on it.
So keep the two questions apart, because the vendors won’t. Billing asks what happened and who pays. Liability asks who’s accountable when an authorized action was still wrong. Crypto identity is necessary for the first and useless for the second. Any story that blurs them into one „trust“ problem is doing the reader a disservice.
The Tax That Grows Faster Than the Work
The last piece is about cost. Not the price of any single transaction – the cost of sorting out the mess when transactions multiply.
Every time you add another organization to an agent workflow, you don’t just add a participant. You add a meter. A policy stack. A log stream. A whole new surface where two records can disagree and somebody has to reconcile them. The expensive part of cross-company agent work won’t be the work. It’ll be the arguing about the work afterward.
And here’s the part worth getting right – this cost doesn’t grow in a straight line. With agents talking to agents, the reconciliation surface scales with the number of pairwise connections between them, which climbs roughly as N times N-minus-one over two. Add players to the mix and the number of places two ledgers can clash grows much faster than the number of players. Three parties is manageable. Ten parties is a swamp.
Now, I have to fence this hard, because it’s the easiest place in the whole piece to bluff. That formula is a heuristic, not a measurement. It’s the shape of the problem, drawn from how connections multiply in any network, not a number I pulled off a production dashboard. I have no traces, no benchmarks, no field data putting a dollar figure on cross-company agent reconciliation – because, again, almost nobody’s running it yet. If you ever see me or anyone else slap a percentage on this, treat it as fiction. The honest claim is only the shape: this cost grows faster than the thing it’s attached to. That’s enough to take seriously and not one inch more.
It’s worth noticing there are really two taxes stacked here, and they map onto the split from the last section. There’s billing reconciliation – lining up ledgers, reversing wrong charges, replaying the trace to see what actually ran. And on top of it sits liability reconciliation – assigning blame, invoking indemnity clauses, escalating to lawyers or arbitrators when an authorized action went bad. Different work, different people, different cost. The first you might automate someday. The second drags in humans by its nature, and humans are the most expensive part of any system.
One word I kept tripping over deserves a flag, because a sharp reader will catch it. „Rollback“ gets used for two unrelated things, and people slide between them without noticing. There’s financial rollback – reversing a charge, a billing operation. And there’s execution rollback – undoing what the agent actually did out in the world. Reversing a charge is one kind of hard. Un-sending an email, un-signing a contract, un-leaking a file is a completely different kind of hard, and often just impossible. Lump them together and you’ll badly underestimate how stuck a bad cross-company transaction can get.
What I’d Watch, and What I’d Ignore
So where does this leave the breathless headline I started with – protocols solved, agents free to roam?
In the bin, mostly. Not because nothing happened. Something real happened: the governance fights ended, and the internal plumbing got genuinely good. But the leap from „good internal plumbing“ to „safe commerce between strangers“ is a leap nobody’s made, and the vendors have every reason to let you assume it’s already been made for you.
The strongest case against my whole framing is that I’m fussing over a problem that solves itself. The optimist would say: of course the cross-company meter doesn’t exist – the transaction doesn’t exist yet either, and when companies actually want to do this, the rails will follow the demand the way they always do. Build it when it’s needed. Why borrow trouble?
It’s a fair shot, and I won’t pretend it’s silly. But I don’t fully buy it, for one reason. The choices being locked in right now – inward-first metering, fragmented auth, identity that stops at the company wall – aren’t neutral. They’re shaping what the cross-company version will have to overcome later. You don’t get to redesign the foundation once the building’s up. The seam I’m describing is getting poured into concrete today, while everyone’s looking at the smooth surface and calling it finished.
So here’s what I’d actually watch. Not the foundation press releases – those count logos, not working systems. Watch for identity that’s built to mean something to an outside party, not just the home directory. Watch for shared audit formats two companies could both trust. Watch for revocation – the ability to yank an agent’s authority and have the other side honor it. Watch for any serious attempt to bind a cryptographic identity to a legal responsibility, because that’s the bridge between the billing problem and the liability problem, and right now there’s no bridge at all.
And the thing I’d ignore? Any sentence with „marketplace“ in it that implies safe inter-company agent workflows already work. They don’t. The standards that would make them work – authorization proofs, revocation, real rollback – aren’t written.
The agents learned to talk this year. That part’s done, and it’s genuinely impressive. But talking was always the easy part. The hard part starts the moment the talking turns into work that costs money – and on that, the only honest answer right now is that nobody’s decided whose meter gets to say so.
