AI agents are getting their own search engine



ZDNET’s key takeaways

  • Google and Microsoft are backing ARD for AI agent discovery.
  • ARD could help agents find tools, skills, and other agents.
  • The same discovery layer may also create new security risks.

I’m always a bit nervous when a (oh, heck, I’m gonna say it) cabal of giant corporations that are normally fierce rivals starts working together on a project.

This time, Google, Microsoft, GoDaddy, Hugging Face, NVIDIA, Salesforce, ServiceNow, Databricks, Snowflake, GitHub, and Cisco are all announcing a new standard called Agentic Resource Discovery (ARD), an open specification for publishing, discovering, and verifying AI capabilities across the web. Google and Microsoft both have blog posts announcing the partnership.

Last time we had something this big, it was the Project Glasswing announcement, which brought together 12 giant rivals that intended to use Anthropic’s highly restricted Mythos AI model to find and fix cybersecurity infrastructure vulnerabilities. As we’ve been following for the past few days, Mythos (and its neutered little buddy Fable) have been, uh, inferencus interruptus by the US government.

I find it particularly interesting to note that the ARD announcement does not include either OpenAI or Anthropic among the participating partners.

Beyond our rogues’ gallery of partners, why is this such an important announcement? Let’s dig in.

The discovery gap holding agentic AI back

Back in 2024, Anthropic introduced MCP (Model Context Protocol). This standardized how AI systems and all sorts of servers can share data. In a ZDNET article introducing the protocol, ZDNET’s Steven Vaughan-Nichols described it as “The key to unlocking AI’s full potential in the enterprise, the cloud, and beyond.”

In reality, MCP solved part of the puzzle. MCP allows any properly configured server to talk intelligently to AI agents, assuming that all the governance and authentication are in place. Definitely read Steven’s article to fully understand the capabilities MCP provides.

To use an analogy, MCP makes apps possible. But until there’s an app store, it’s hard to find and use those apps. ARD, wildly oversimplified, is intended to be that app store.

AI agents are increasingly relying on tools, skills, and other agents that are spread across teams, networks, organizations, and platforms. But finding those resources is often difficult. Each AI agent or client is only able to use resources that have been “explicitly connected to it.”

This limits agents. Ramanathan Guha, technical fellow at Microsoft, explains that “AI is only as capable as its wiring allows.” In other words, he says, “AI can only use what it’s been explicitly wired to use. Everything else may as well not even exist.”

In other words, AI agents need their own search engine to find resources they can use.

A search engine for the agentic web

When it comes to our current pre-ARD situation, Microsoft likens it to what the web was like before search engines. Do you remember the early Yahoo, where human indexers created directory trees of websites by topic? It wasn’t exactly complete. If your site wasn’t on it, nobody could find you.

Google’s blog post says, “Just as the open web democratized information, ARD democratizes AI resource discovery.”

But we’re not really talking about a search engine like Google was (before it so heavily incorporated AI) or DuckDuckGo still is. It’s not an interface where humans type in something and search engine results are presented. ARD is search, yes, in that agents can query ARD nodes for what they know.

But the goal for ARD isn’t to be one giant database of links. Instead, it’s a framework for discovery services. There will be some general-purpose discovery services, but enterprises can create their own and control access, too.

Rao Surapaneni, VP and GM of business applications at Google Cloud, says, “The true potential of agentic AI has been limited by silos.” Expanding on that idea, he says, “By removing centralized gatekeepers, we’re empowering any agent to discover, trust, and utilize resources across platforms, unlocking a new era of interoperability.”

How catalogs and registries work

There are two main architectural components in ARD: catalogs and registries. Continuing our search engine analogy, think of catalogs as analogous to web pages. As the Google blog post says, “Registries act as search engines for the agentic web.”

To establish a catalog, an organization hosts an ai-catalog.json file at a published path on its own domain. Registries crawl catalogs, index their contents, and return matching capabilities along with metadata that lets a client verify the publisher before connecting.

Of course, there’s a big concern here. If you let agents just decide to use tools they find on the web, baaaad things could happen. To overcome this, domain ownership serves as the cryptographic foundation for identity and trust. Essentially, the fact that a catalog is hosted on Microsoft.com, ZDNET.com, or whatever domain hosts a catalog establishes that the catalog has been vetted by the owners of that domain. As I’ll discuss later, this may lead to security concerns.

The hierarchy is modeled on DNS. Microsoft’s Guha says, “This gives ARD an architectural property closer to DNS than to ordinary web search.”

Security considerations

Of course, this also gives attackers a new reason to target domains, deployment pipelines, and catalog files. ARD is designed to sit before invocation, helping an AI client decide which capability to use before the client connects through the resource’s own protocol. Microsoft’s Ramanathan Guha describes ARD as the layer that helps the client choose the capability and then gets out of the way.

To be fair, ARD is not just a random file on a random domain. The spec includes registries, discovery services, publisher metadata, and, in production settings, cryptographic trust metadata. Google also points to enterprise controls such as Agent Identity, trust manifests, egress policies, and pinned tools.

But the concern remains: The open-web model is still domain-anchored. If the domain, DNS, server, repository, or deployment path is compromised, the catalog becomes a tempting, high-leverage target. ARD may improve discovery and verification, but it does not eliminate the need for ordinary security controls, authorization, governance, allowlists, code review, signing, monitoring, and policy enforcement.
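
Added example, not from the ARD spec or any vendor: a client-side policy gate applied to a registry result before an agent connects, combining a publisher allowlist, a pinned catalog digest, and an egress check. The record field names, the policy layout, and the catalog path are assumptions made for illustration; this article does not give the ARD schema.

```python
import hashlib
from urllib.parse import urlsplit

def _host(url):
    """Lower-cased hostname of an https URL, or None if it is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")

def _within(host, domain):
    """True if host is the domain or a subdomain (match on a label boundary)."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_discovered_resource(record, catalog_bytes, policy):
    """Return policy violations for a registry result; an empty list means allow."""
    violations = []
    publisher = record["publisher_domain"].lower().rstrip(".")
    pinned = policy["pinned_catalogs"].get(publisher)
    if pinned is None:
        violations.append("publisher not on allowlist")
    # The catalog must come over https from the domain that claims to publish it.
    if _host(record["catalog_url"]) != publisher:
        violations.append("catalog not served over https from publisher domain")
    # A digest mismatch means the catalog changed after review (edit or compromise).
    if pinned is not None and hashlib.sha256(catalog_bytes).hexdigest() != pinned:
        violations.append("catalog changed since last review")
    endpoint = _host(record["endpoint"])
    if endpoint is None or not any(_within(endpoint, d) for d in policy["egress_domains"]):
        violations.append("endpoint outside egress policy")
    return violations

# Constructed sample data (hypothetical fields, not real ARD output).
REVIEWED_CATALOG = b'{"resources": [{"name": "invoice-lookup"}]}'
POLICY = {
    "pinned_catalogs": {"tools.example": hashlib.sha256(REVIEWED_CATALOG).hexdigest()},
    "egress_domains": ["tools.example"],
}
RECORD = {
    "publisher_domain": "tools.example",
    "catalog_url": "https://tools.example/ai-catalog.json",  # placeholder path
    "endpoint": "https://mcp.tools.example/invoice",
}

if __name__ == "__main__":
    print(check_discovered_resource(RECORD, REVIEWED_CATALOG, POLICY))
```

A digest pin turns any catalog change into a review event, so a catalog rewritten through a compromised domain or deployment path is rejected until someone re-approves it.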

Look, I’m not going to say I know security better than Google, Microsoft, and Cisco. But that added high-value target should be a source of concern for anyone adopting the use of ARD.

Reference implementations

Vendors are wiring ARD into their projects. The blog posts list the following three implementations as examples of ARD in use.

GitHub launched Agent Finder, built on ARD, which lets Copilot discover and call MCP servers, skills, tools, and agents at runtime from a public or private registry.

Hugging Face has a Discover Tool, another ARD reference implementation, which offers semantic search to “thousands of Skills and MCP Servers to connect to your agent.” Can you see why this stuff worries me just a little bit?

Google supports ARD through Agent Registry in its Gemini Enterprise Agent Platform, with native support slated for the “coming months.”

An open spec and an open invitation

The specification for ARD is available now, licensed under Apache 2.0 and built on the AI Catalog data model from a Linux Foundation working group. The Google blog says, “The agent ecosystem works best when it is decentralized and open.”

You can read more about the ARD spec at AgenticResourceDiscovery.org. There’s also a GitHub registry for the spec available.

Is ARD the kind of plumbing AI agents need, or does it create a bigger attack surface than it solves? Let us know in the comments below.

