Six competing standards, two acronym collisions, and a security crisis are shaping the infrastructure layer that will determine how AI agents buy, sell, and coordinate on your behalf.
If you’ve been paying attention to AI infrastructure announcements over the past six weeks (and really, who hasn’t), you might have noticed something unusual: the major tech companies are no longer just building AI models. They’re building the plumbing for AI agents to conduct business autonomously; discovering products, negotiating prices, executing payments, and coordinating with other agents, without a human clicking “buy.”
The problem is that everyone is building their own plumbing. And right now, the landscape looks less like a standard and more like a standards collision.
Six Protocols, Six Weeks
Between late September 2025 and mid-February 2026, the following agentic infrastructure protocols entered the market or achieved significant milestones:
MCP (Model Context Protocol) from Anthropic became the de facto standard for connecting AI platforms to external tools and data sources. Originally released in 2024, its November 2025 specification update cemented it as the foundational backend layer. Microsoft now exposes Dynamics 365 business logic through MCP servers. Nearly every other protocol in this space declares MCP compatibility.
ACP (Agentic Commerce Protocol) launched in September 2025 as a joint effort by Stripe and OpenAI. It handles agent-to-merchant checkout flows and powers Instant Checkout inside ChatGPT. Stripe’s Shared Payment Tokens (SPT) provide the credential isolation layer underneath.
UCP (Universal Commerce Protocol) was announced by Google at the National Retail Federation conference on January 11, 2026, with an extraordinary coalition of partners: Shopify, Etsy, Wayfair, Target, and Walmart. UCP aims to be the end-to-end agentic commerce standard—covering discovery through checkout through post-purchase—and explicitly orchestrates A2A, MCP, and a new payments layer called AP2, developed with PayPal.
A2A (Agent-to-Agent Protocol) migrated from Google to the Linux Foundation in 2025, bringing 150+ supporting organizations. It handles multi-agent coordination—the layer where AI agents talk to each other rather than to tools or merchants.
WebMCP landed on February 10, 2026, as a W3C Draft Community Group Report co-authored by Google and Microsoft. It extends MCP into the browser through a new API (navigator.modelContext), letting websites expose structured actions directly to AI agents visiting their pages. Chrome 146 Canary has early preview support.
Microsoft’s Copilot Checkout was announced January 8, 2026, at NRF, powered by Shopify for product catalog, PayPal and Stripe for payments, and integrated into Microsoft’s Dynamics 365 ecosystem. Notably, Microsoft did not release its own protocol. It positioned itself as an integrator, consuming Stripe’s ACP and Google’s standards through its existing infrastructure.
The Naming Problem Nobody Is Talking About
Here is a fact that should concern every enterprise architect evaluating this space: the acronym “ACP” currently refers to two entirely different protocols operating at different layers of the stack.
| Agentic Commerce Protocol | Agent Communication Protocol | |
| Developers | Stripe + OpenAI | IBM / BeeAI |
| Layer | Commerce checkout | Agent-to-agent coordination |
| Function | Agent-to-merchant transactions | Multi-agent task delegation |
| Status | Beta — live in ChatGPT | Merging into A2A under Linux Foundation |
Two protocols, one acronym, different architectural layers.
Stripe’s ACP handles how an AI agent checks out with a merchant. IBM’s ACP (now merging into A2A) handles how AI agents coordinate tasks with each other. These are not variations on a theme. They operate at completely different layers of the stack with completely different functions. Yet both are called “ACP” in their official documentation.
For businesses evaluating vendor proposals, compliance frameworks, or integration architectures, this collision creates real confusion. When a vendor says “we support ACP,” which ACP do they mean?
The Stack Is Real, and It Has Five Layers
Despite the naming chaos, a coherent architecture is emerging. The protocols organize into a five-layer stack, with each layer handling a distinct function:
| Layer | Protocol | Key Players | What It Does |
| Browser Interface | WebMCP | Google + Microsoft | Lets websites expose tools to AI agents visiting in a browser |
| Commerce Logic | UCP / ACP | Google coalition / Stripe + OpenAI | End-to-end agentic commerce or agent-to-merchant checkout |
| Agent Coordination | A2A | Google → Linux Foundation | Multi-agent communication and workflow orchestration |
| Payment Settlement | SPT / AP2 | Stripe / Google + PayPal | Scoped tokens and secure mandates for agent-initiated payments |
| Backend Tools | MCP | Anthropic | JSON-RPC protocol connecting AI to external data and services |
The emerging AI agent protocol stack, February 2026.
The key insight is that these protocols are not competitors in the way that, say, Betamax competed with VHS. They operate at different layers and are increasingly designed to interoperate. UCP explicitly orchestrates A2A and MCP. Stripe’s Agentic Commerce Suite auto-supports both UCP and ACP. WebMCP complements backend MCP rather than replacing it. The competition is primarily at the commerce logic layer; Google’s coalition versus Stripe and OpenAI’s; not across the full stack.
The Security Question Nobody Expected
While protocol architects were carefully designing credential isolation and scoped payment tokens, the market delivered a stress test nobody planned for. OpenClaw, an open-source autonomous agent runtime initially positioned as an agentic enhancement/replacement for Apple’s Siri went viral in late January 2026, gaining over 60,000 GitHub stars in 72 hours. It connects large language models to messaging platforms like WhatsApp and Telegram and gives them access to system tools.
The security findings arrived quickly. Cisco’s Talos team documented data exfiltration and prompt injection through unvetted third-party skills. Bitsight observed more than 30,000 exposed instances in under two weeks, with attackers bypassing the AI layer entirely to exploit WebSocket APIs. CrowdStrike released enterprise detection tooling, effectively classifying OpenClaw as a threat vector. Anthropic began banning users who powered OpenClaw with Claude credentials.
OpenClaw is not a protocol. It’s an agent runtime, a *consumer* of protocols. But its rapid adoption exposed a critical gap: the protocols being designed assume that the AI systems using them will behave reliably. If the underlying model hallucinates a protocol name, misattributes a corporate sponsor, or conflates two standards sharing an acronym, all of which we have documented occurring in flagship models during routine technical conversations, then the carefully designed credential isolation and payment scoping can be undermined not by a security flaw but by a reasoning failure.
What Enterprise Leaders Should Do Now
Map the stack, don’t pick a winner. The protocol landscape is consolidating around interoperability, not winner-take-all competition. Understanding which layer each protocol occupies matters more than choosing sides.
Demand acronym specificity from vendors. If a vendor or integration partner says “we support ACP,” ask which one. If they can’t answer immediately, that’s a signal they haven’t done the architectural mapping.
Audit agent runtimes, not just agent models. The OpenClaw episode demonstrated that the attack surface for agentic AI isn’t just the model, it’s the runtime environment connecting the model to real-world actions. Enterprise security teams should be evaluating agent runtimes with the same rigor they apply to any software consuming credentials and executing transactions.
Watch the commerce layer competition. Google’s UCP coalition (with Shopify, Target, Walmart, Etsy, and Wayfair) versus Stripe and OpenAI’s ACP is the most consequential standards battle in this space. Where Stripe goes, payment infrastructure follows. Where Google’s retail partners go, product catalogs follow. The commerce layer winner will shape how AI agents shop for the next decade.
The agentic protocol stack is being built in real time, by competing coalitions, with overlapping acronyms, on top of AI systems that don’t always know which protocol they’re talking about. The infrastructure will mature. Will businesses understand it before their AI agents start using it on their behalf? The explosive interest and concern around agents overtaking their environment with the launch of OpenClw has been more exaggerated than the threat itself, but it does speak to a potential looming reality that business needs to be ready to deal with. It’s indeed a brave new world that has such creatures in it.
