MCP, A2A, and GenAI Observability Crosswalk
Version: 1.0.1
Date: 2026-07-16
Status: Informative
Purpose
Define how OAIES contracts record security and telemetry evidence for Model Context Protocol authorization, Agent2Agent interoperability, and OpenTelemetry Generative AI semantic conventions.
Why
Protocol compatibility does not establish authorization, trustworthy delegation, or operational assurance. OAIES records the policy boundary and evidence references around protocol-native messages and telemetry without redefining those protocols.
MCP authorization crosswalk
| MCP authorization concern | OAIES evidence | Relationship |
|---|---|---|
| Protected-resource metadata and authorization-server discovery | MCP Server Record authorization.resourceMetadata and authorizationServer |
evidence-supports |
| OAuth authorization-code flow with PKCE for user-delegated access | MCP authorization mode/scopes and evidence reference | partial |
| Resource Indicators and token audience validation | audienceValidated; security-review evidence |
evidence-supports |
| No token passthrough to downstream services | tokenForwardingProhibited: true |
evidence-supports |
| Least-privilege and incremental consent | Scope inventory; Tool Contract delegation and least-privilege review | partial |
| Client registration and identity trust | Security-review evidence | partial |
Local stdio trust boundary |
Deployment transport, local-process mode, trust-boundary statement | partial |
MCP servers must validate that tokens were issued for that server. A token received from an MCP client must not be forwarded as the server’s credential to another resource.
A2A crosswalk
| A2A concern | OAIES evidence | Relationship |
|---|---|---|
| Agent discovery and Agent Card | Agent Definition identity, role, communication protocol, capabilities through tool refs | partial |
| Authentication scheme declaration | Agent communication authentication; deployment security evidence |
evidence-supports |
| Task lifecycle and terminal states | Agent termination criteria, failure policy, safe state | partial |
| Messages, parts, and artifacts | Versioned messageSchema; Evidence Bundle digests for durable artifacts |
partial |
| Streaming and asynchronous operations | Runtime telemetry and failure/timeout evidence | no-mapping |
| Per-task authorization and delegation | Agent authority, allowed/prohibited actions, approval gates, delegated user context | partial |
| Cross-agent trust | Workload identity, signed messages where required, artifact validation, no transitive trust | partial |
A2A interoperability does not mean one agent may exercise another agent’s privileges. The receiving agent must re-authorize each requested operation against local policy.
OpenTelemetry GenAI crosswalk
| GenAI semantic-convention signal | OAIES correlation | Required handling |
|---|---|---|
| Model/provider operation spans | Model Record ID/version and AI System Manifest component ref | Record stable registry IDs in addition to provider attributes |
| Agent spans | Agent Definition ID/version | Correlate delegated tasks without treating trace context as authorization |
| Tool execution spans | Tool Contract ID/version, side-effect and risk class | Record outcome and policy decision; redact arguments/results |
| MCP operation spans | MCP Server Record ID/protocol version | Capture transport, server identity, error class, and latency |
| Token usage and duration metrics | Evaluation/operational evidence | Apply cardinality budgets; preserve billing-source reconciliation |
| Input/output content attributes and events | Context/Prompt classification | Disabled by default; opt in only after privacy and retention approval |
| Error attributes | Incident correlation | Use stable error taxonomy; never put secrets or raw prompts in status text |
OpenTelemetry semantic conventions can be marked stable, experimental, or development independently by signal and version. Pin the semantic-convention version in telemetry configuration and Evidence Bundles; do not copy an unstable attribute into a permanent compliance contract without an adapter.
How
- Pin MCP, A2A, and OpenTelemetry semantic-convention versions per deployment.
- Register each server and agent before connectivity is enabled.
- Bind protocol capabilities to explicit Tool Contracts and agent authority.
- Use OAuth resource/audience restrictions, workload identity, or mTLS according to the protocol and deployment; never infer authorization from discovery metadata.
- Propagate trace context only as correlation data. Re-authenticate and re-authorize every trust-boundary crossing.
- Emit metadata by default; capture prompt, completion, tool arguments, or artifacts only under an approved data policy.
- Preserve redacted traces, configuration, schema versions, and test results in a digest-addressed Evidence Bundle.
Equivalence limits
OAIES does not certify MCP or A2A protocol conformance and does not redefine their wire formats. OpenTelemetry-compatible telemetry does not prove control effectiveness, complete trace coverage, or correct authorization. Protocol projects and OpenTelemetry do not endorse this crosswalk.
Tradeoffs
| Benefit | Cost |
|---|---|
| Protocol records make trust boundaries auditable | Version churn requires adapters and migration tests |
| Common telemetry correlates model, agent, and tool activity | High-cardinality and content capture create cost/privacy risk |
| Local re-authorization limits privilege propagation | Additional checks increase latency |
Anti-patterns
- Discovery equals trust: accepting an Agent Card or MCP metadata document without authenticated origin and policy review.
- Trace context equals identity: using trace headers as credentials or authorization evidence.
- Token passthrough: forwarding a client bearer token to a downstream API.
- Telemetry data lake: recording raw prompts, completions, memory, or tool payloads by default.
- Semantic-version drift: changing attribute names in-place without pinning and translation.
Enterprise considerations
Use centralized IAM policy with resource-specific audiences, managed workload identities, key rotation, and revocation. Apply regional data routing, tenant isolation, retention, legal hold, and subject-rights handling to telemetry. High-impact inter-agent actions require attributable user delegation or an approved service authority.
Authoritative sources
- Model Context Protocol — Authorization
- Model Context Protocol — Security best practices
- Agent2Agent Protocol specification
- OpenTelemetry GenAI semantic conventions
- OpenTelemetry semantic-convention stability
Sources accessed 2026-07-16. The deployment record must pin the exact protocol and semantic-convention versions actually implemented.
Checklist
- MCP resource metadata, scopes, audience validation, and no-passthrough rule are verified
- A2A peers are authenticated and every task is locally authorized
- Protocol versions and message schemas are pinned
- Trace context is used only for correlation
- Content telemetry is disabled by default and explicitly approved
- No protocol-conformance or endorsement claim is inferred from OAIES validation
Changelog
1.0.1 — 2026-07-16
- Narrowed protocol and telemetry mappings to evidence support, partial coverage, or no mapping.
1.0.0 — 2026-07-16
- Added MCP authorization, A2A, and OpenTelemetry GenAI mappings.