Is MCP Losing Its Edge? A One‑Year Review and the Rise of A2A

1. MCP One‑Year Update: Late Patches and Experimental Features

On 2025‑11‑25 the Model Context Protocol (MCP) celebrated its first anniversary. The 2025‑11‑25 specification introduced four core updates that expose both the protocol’s evolution and the limitations of its original design.

Task abstraction (SEP‑1686) – an experimental primitive that lets an agent launch a task, receive a handle, and poll for results later. It supports states such as working, input_required, completed, failed, and cancelled. The feature is marked experimental, indicating that long‑running task support is still not production‑grade a year after release.

Client Registration overhaul – the complex Dynamic Client Registration is replaced by URL‑based Client ID Metadata Documents (CIMD). Clients now present a controlled URL as their client_id, and the authorization server fetches metadata from that URL, simplifying registration and enabling a decentralized trust model.

Security and enterprise‑grade hardening – new requirements include local server installation security (SEP‑1024), default scope definitions (SEP‑835), OAuth client‑credentials support for machine‑to‑machine (M2M) authorization (SEP‑1046), and enterprise identity‑provider policy control (SEP‑990). These patches address previously reported high‑severity vulnerabilities (e.g., command injection, token leakage, session hijacking) that had CVSS scores up to 9.6.

Sampling with Tools – the server can now issue sampling requests that embed tool definitions, allowing the server‑side agent to run its own reasoning loops using client tokens. This adds server‑initiated multi‑step inference capability, albeit arriving late in the protocol’s lifecycle.

Overall, the update reads like a series of “fix‑the‑holes” patches rather than a forward‑looking redesign.

2. From MCP to A2A: A Paradigm Shift in Agent Communication

MCP assumes a centralized host (e.g., Claude Desktop or Zed editor) that synchronously pulls resources, prompts, and tools from multiple MCP servers. This single‑direction, short‑lived interaction works well for simple tool‑calling scenarios but struggles with complex, long‑running, multi‑agent collaborations.

In contrast, A2A was built from the start for peer‑to‑peer agent collaboration. Every participant can act as both client and server, enabling bidirectional asynchronous communication. A2A introduces an Agent Card (a JSON self‑description) and a robust Task abstraction that is core to the protocol, providing full lifecycle management, progress tracking, and artifact output.

Security in A2A follows a “Secure by Default” philosophy: built‑in enterprise identity, role‑based access control (RBAC), audit logging, and reliance on mature web standards (HTTP, Server‑Sent Events, JSON‑RPC). MCP’s security, by comparison, is retrofitted and still exhibits risks such as session‑ID exposure in URLs and unsigned tool definitions.

Extensibility also diverges. MCP adds an Extension mechanism to plug new capabilities without altering the core spec, hinting at core rigidity and risking ecosystem fragmentation. A2A’s Agent Card naturally accommodates new abilities, avoiding separate extension layers.

3. Ecosystem and Industry Support

A2A enjoys backing from over 50 technology leaders—including Google Cloud, Atlassian, Salesforce, Workday, and GitLab—forming an alliance that reduces single‑vendor lock‑in and accelerates enterprise adoption. MCP’s ecosystem, while growing (≈2,000 registered servers), remains concentrated in developer‑tool and personal‑productivity niches.

4. Outlook for Agentic Systems

The rapid evolution of agent communication protocols underscores the need for developers and decision‑makers to understand these architectural trade‑offs. MCP is suited for single‑agent, short‑lived, tool‑heavy use cases; A2A better serves multi‑agent, long‑running, collaborative workloads. Choosing the right protocol shapes future system design, security posture, and ecosystem compatibility.