Agentic Resource Discovery: Can AI Agents Trust Tools?

Artificial Intelligence Published: 11 min read Pravesh Garcia
Agentic Resource Discovery: Can AI Agents Trust Tools?
Rate this post

For as long as software has existed, a person chose the tools. You installed the app. You clicked allow. You picked which service saw your data. Agentic Resource Discovery quietly rewrites that deal. It lets AI agents find, judge, and connect to their own tools, with no human picking from a menu first.

Google and Microsoft announced the draft standard together on June 17, 2026, and nine other big tech names signed on (Google Developers Blog).

Almost all the coverage since has aimed at engineers. This one won’t. The interesting question isn’t how the JSON works. It’s what shifts when an agent shops for its own capabilities and then vouches for another agent’s trustworthiness. Should you be comfortable with that?

What Just Happened, in Plain Terms

The spec is young. It’s a v0.9 draft under the Apache 2.0 license, openly labeled a proposal rather than a finished standard (ARD specification). The backing, though, is not small. Eleven companies put their names on the Agentic Resource Discovery spec: Google, Microsoft, GitHub, Hugging Face, Cisco, Databricks, GoDaddy, Nvidia, Salesforce, ServiceNow, and Snowflake (CIO).

They didn’t just publish a document. Working code shipped the same day. GitHub added an Agent Finder inside Copilot, Hugging Face launched a Discover Tool over its Skills and Spaces, and Cisco opened its AGNTCY Agent Directory (Hugging Face).

Why the coordination? Google stated the gap bluntly. An agent needs to know “where does the right capability live, which one should I use, and how do I verify it is safe to connect to,” and “there is no standard way to answer those questions across organizations” (Google Developers Blog).

The Problem: Agents Stuck With Hardcoded Toolboxes

Picture how an AI agent works today. Someone wires it up with a fixed set of tools ahead of time. A weather API here, a database connection there, maybe a code interpreter. The agent can be clever inside that box. It can’t reach past the walls someone built for it.

That was fine when agents were rare. It breaks at scale. Microsoft points out that there are “orders of magnitude between what any single agent can see and what resources are actually out there,” with the tool ecosystem already in the hundreds of thousands and growing daily (Microsoft Command Line).

The clumsy workaround has been to dump every tool description into the model’s context window and let it pick. Hugging Face’s engineers call that what it is: an approach “limited by the context budget” (Hugging Face). You can only paste in so much before the model runs out of room to think.

Meanwhile the demand curve is bending hard. Gartner expects 40% of enterprise apps to carry task-specific AI agents by 2026, up from under 5% in 2025 (Gartner), and 33% of enterprise software to include agentic AI by 2028, up from less than 1% in 2024 (Gartner). Agents are going from science project to load-bearing infrastructure. And they’ve had no shared way to find each other. That gap is the one Agentic Resource Discovery targets.

How Agentic Resource Discovery Actually Works

Strip away the jargon and the design is simple. Agentic Resource Discovery has two moving parts.

The first is a file. Any organization can publish a plain manifest called ai-catalog.json at a standard, well-known path on its own website. Each entry describes one capability the organization offers: an agent, an MCP server, a Skill, an API, even a link to another catalog (Google Developers Blog). Think of it as a shop posting its inventory list where anyone’s software can read it.

The second is a registry. A registry crawls those catalogs across the web, indexes them, and answers plain-language questions like “find me a tool that can book flights” with ranked matches (AI Catalog spec). It’s a search engine, except the searcher is a machine, not you.

How an AI agent moves from catalog to registry to verification to connection under ARD

One detail matters more than it looks. Finding a tool is not the same as being allowed to use it. Discovery and authorization stay separate steps by design, so turning up a capability in a registry grants nothing on its own (Inside ARD, Medium). The permission gate still lives in whatever access system an organization already runs.

Does it work today? Sort of. One developer who built a catalog the week of launch found he could stand one up “in an afternoon,” yet three days in, most partner companies hadn’t published one themselves (Todd O’Rourke). He also hit a quiet failure mode. A firewall that blocks unfamiliar visitors hands a registry crawler a 403 error while your browser sees a normal page, so a catalog can vanish from the index with no warning (Todd O’Rourke).

ARD Is Not MCP, and That Confusion Is Everywhere

If you follow AI at all, you’ve heard of the Model Context Protocol. People keep asking whether this replaces it. It doesn’t, and the mix-up is worth clearing up.

The cleanest analogy going around: if MCP is the USB-C port that lets an agent plug into a tool, Agentic Resource Discovery is the search engine that tells the agent which port to plug into (Sidecar.ai). One is about connecting. The other is about finding. Hugging Face stacks the whole set: MCP calls tools, Skills feed instructions, A2A lets agents call other agents, and ARD is the discovery layer sitting in front of all of them (Hugging Face).

ARD as the discovery layer that finds the right port for an AI agent to plug into

MCP earned that spot. Anthropic launched it in November 2024. Within roughly a year it hit 97 million monthly SDK downloads and more than 10,000 active servers (The New Stack). OpenAI, Google, and Microsoft all adopted it, and governance moved to a Linux Foundation fund in December 2025. ARD doesn’t compete with that. As one engineer who built a working registry put it, ARD “is not a replacement for MCP, A2A, or Skills — it doesn’t define how you call a tool once you’ve found it. It’s purely the layer before invocation” (Inside ARD).

The Human Stakes: When an Agent Picks Its Own Tools

Here’s where it stops being a plumbing story. An agent that chooses its own tools is an agent making decisions no person reviewed first. Multiply that by the Gartner numbers above, and a lot of consequential software starts selecting its own capabilities on the fly.

We already have early warnings. Security researchers have documented agent-to-agent attacks where one agent impersonates another or escalates its access by exploiting the implicit trust between them. Picture a compromised research agent slipping hidden instructions to a downstream financial agent that then acts on them (Help Net Security). Discovery at web scale widens that door, because now agents meet tools and other agents nobody introduced them to.

Enterprises see it coming. Gartner expects 40% of CIOs to demand “guardian agents” by 2028: software whose only job is to watch, oversee, or contain what other agents do (Gartner). Read that number as a quiet confession. The people deploying agents already expect to need babysitters for them. If you want the sharper version of this worry, we’ve written about what happens to human control when agentic AI acts.

Can You Trust What an Agent Decided to Trust?

So an agent finds a tool it’s never seen. How does it know the tool is legitimate? This is the heart of it, and the answer is more modest than the launch language suggests.

Agentic Resource Discovery anchors trust in domain ownership. In Google’s words, “because these catalogs are hosted directly under the organization’s own domain, ownership of that domain serves as the cryptographic foundation for identity and trust” (Google Developers Blog). Read that carefully. It proves who published a catalog. It says nothing about whether the tool inside is any good, safe, or honest.

We have run this experiment before. Domain ownership as a proxy for trustworthiness is the same shortcut the early web leaned on, and the same one SEO spam spent two decades gaming. One independent analyst warns that if these trust manifests get “treated as decorative JSON instead of actively checked identity assertions, the system will drift toward theater,” and lists the obvious gaming vectors: duplicate tools with slightly different names, descriptions tuned to rank rather than to help (Medium: balaji bal). We built a whole discipline around gaming exactly this kind of signal.

Domain ownership as a proxy for trust when AI agents discover tools

There’s a subtler hole too. ARD’s trust layer is “attestation-based, not run-based” (Synscribe). A tool can wave around SOC 2, HIPAA, and GDPR badges plus a valid cryptographic identity while nothing in the protocol checks how it behaves once an agent connects. Nobody has stress-tested this at scale either. As one builder admitted, “nobody has tested what happens when a registry has to evaluate trust for 10,000 entries from 500 different publishers” (Inside ARD).

None of this is idle paranoia. It rhymes with why AI deception matters more than passing the Turing test: a system can present every correct signal and still optimize for something you never asked for.

What Agentic Resource Discovery Leaves Unsolved

The spec’s authors are honest that this is a first draft, and the gaps are real. Practitioner reviews line up on the same missing pieces. No authorization policy for actually invoking what you discover. No economic controls or quotas. No lifecycle rules for tools that get revoked or go stale. No built-in audit trail for the decisions an agent makes after discovery (Medium: balaji bal). Finding is solved. Almost everything after finding lands on you.

The accountability question is the loud one. If an agent picks a bad tool and something breaks, who’s on the hook? The Agentic Resource Discovery spec is silent. The law is not.

California’s AB 316 took effect on January 1, 2026, and it kills the “the AI did it on its own” defense outright. Anyone who developed, modified, or used the system can’t hide behind its autonomy (Baker Botts). Singapore went further and built the first national governance framework aimed specifically at agentic AI, unveiled in January 2026. Compliance is voluntary; accountability is not. Organizations “remain legally accountable for their agents’ behaviours and actions” regardless (K&L Gates).

The security math backs the caution. Gartner projects that by 2028, a quarter of enterprise breaches will trace back to AI agent abuse (Gartner), and that a quarter of enterprise generative-AI apps will suffer at least five minor security incidents a year, up from 9% in 2025 (Gartner). The discovery layer sits on top of that risk. It doesn’t lower it. For the wider picture of rules catching up to autonomous systems, see our take on how governments are planning to regulate superintelligence.

Where This Points: The Quiet Making of an Agentic Web

Step back and a pattern shows up. Agentic Resource Discovery is the third piece of open agent infrastructure to land under Linux Foundation-style governance in under two years, after A2A, the agent-to-agent protocol Google shipped in 2025 and handed off with 150-plus organizations behind it (Google Open Source Blog), and MCP before that. The same handful of labs racing on everything else in AI are pouring the plumbing for a machine-to-machine web fast, and in the open.

Google reaches for the obvious metaphor: “just as the open web democratized information, ARD democratizes AI resource discovery” (Google Developers Blog). It’s a bigger claim than it sounds, and there’s a tell in who’s making it.

One of ARD’s three named editors is R.V. Guha. He created RSS. He co-founded Schema.org. Both are invisible standards that quietly shaped how ordinary people find information for two decades, and you’ve almost certainly never heard his name (Wikipedia). The same person has now written the discovery layer for the agent era. That’s the frame worth holding onto. This isn’t a sudden novelty. It’s the third chapter of a very old project, teaching the web how to organize itself, except this time the thing doing the finding, and the trusting, isn’t you.

So should you be comfortable with agents choosing their own tools? Not yet, and that’s the honest answer. The finding problem looks close to solved. The trusting problem — the one that decides whether any of this is safe to hand real decisions to — is still mostly a promise written in JSON. Watch what these agents connect to. Somebody should.

Frequently Asked Questions
What is Agentic Resource Discovery (ARD)?
Agentic Resource Discovery is a draft open standard, announced by Google and Microsoft on June 17, 2026, that lets AI agents find, evaluate, and connect to tools on their own instead of relying on a fixed, hand-wired toolbox. It works through two parts: a public catalog file that organizations publish on their own domain, and a registry that indexes those catalogs and answers plain-language discovery queries.
How is ARD different from the Model Context Protocol (MCP)?
They solve different problems. MCP is the standard way an agent calls a tool once it has one; ARD is the layer that helps the agent find the right tool in the first place. A common analogy: MCP is the USB-C port, and ARD is the search engine that tells the agent which port to plug into. ARD does not replace MCP, A2A, or Skills.
Who created and backs the Agentic Resource Discovery specification?
Google and Microsoft announced it jointly, with eleven named launch backers: Google, Microsoft, GitHub, Hugging Face, Cisco, Databricks, GoDaddy, Nvidia, Salesforce, ServiceNow, and Snowflake. Its three named editors are Junjie Bu of Google, R.V. Guha of Microsoft, and Shaun Smith of Hugging Face. Guha previously created RSS and co-founded Schema.org.
How does an AI agent verify that a tool it discovers is trustworthy?
ARD anchors identity in domain ownership: because a catalog is hosted on the publisher's own domain, control of that domain acts as the cryptographic proof of who published it. That confirms who a tool came from, not whether the tool is safe or good. Critics note the trust layer is attestation-based, not run-based, so nothing in the protocol checks a tool's actual behavior at runtime.
What is an ai-catalog.json file, in plain terms?
It is a simple manifest that an organization publishes at a standard path on its website, listing the AI capabilities it offers. Each entry describes one resource, such as an agent, an MCP server, a Skill, an API, or a link to another catalog. Registries crawl these files to build a searchable index of what tools exist and where they live.
Does ARD mean AI agents can act without a human choosing their tools first?
Yes, on the discovery side. An agent can locate and select a capability without a person picking it from a list. But discovery and authorization are deliberately separate: finding a tool does not grant permission to use it. The access gate still lives in whatever permission system an organization already runs.