Every task between your A2A agents passes through ACAI's compliance pipeline — PII detection, data classification enforcement, skill authorization, and tamper-proof audit logging. Register your agents, apply a policy, and hand your auditor a report.
A2A agents delegate tasks to other agents — querying databases, processing patient data, running financial analysis, and executing multi-step workflows. When the auditor asks which skills were invoked, what data flowed between agents, and whether PII was exposed — you need answers in seconds.
The A2A Layer intercepts every agent task, enforces your compliance policy, and generates the evidence. Same A2A protocol, same agents — compliance built in.
Four steps. Every agent task. Automatic.
Register your A2A agents — name, URL, auth method, skill constraints, and maximum data classification level. One dashboard, all your agents.
Pick a compliance template (HIPAA, SOC 2, PCI DSS, etc.) or build a custom policy. Set skill allow/block lists, classification ceilings, and task duration limits.
Point your A2A client at the ACAI A2A endpoint. Every JSON-RPC task is intercepted — PII scanned, classification enforced, skills authorized — then forwarded to your agent.
Audit trail fills automatically. Generate framework-mapped compliance reports covering skill authorization, PII handling, and classification enforcement. Hand your auditor a report.
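To make the four steps concrete, here is an added illustration (not ACAI's code, and not the product's schema) of what a compliance proxy does with one A2A JSON-RPC task before forwarding it: look up the registered agent, check the skill against its allow/block lists, scan the message parts for PII, derive a classification level, compare it with the agent's ceiling, and write a redacted, hash-chained audit record. The agent registry, the three PII patterns, the `params.skill` field, the `tasks/send` method name and the server-defined JSON-RPC error codes are all assumptions constructed for this example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed classification ladder (matches the four levels named on the page).
CLASSIFICATION_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "PHI": 3}

# Hypothetical agent registry entry; placeholder URL, not a real endpoint.
AGENTS = {
    "billing-agent": {
        "url": "https://billing.example.invalid/a2a",
        "max_classification": "Internal",
        "allowed_skills": {"summarize_invoice", "lookup_account"},
        "blocked_skills": {"export_all_records"},
    }
}

# Three constructed PII detectors; a real pipeline uses a far larger pattern set plus NER.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
}
# Constructed mapping from finding type to the classification it implies.
PII_CLASSIFICATION = {"ssn": "Confidential", "email": "Internal", "mrn": "PHI"}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store


def scan_pii(text):
    """Return (kind, matched_value) pairs for every PII hit in the text."""
    return [(kind, m.group(0)) for kind, pat in PII_PATTERNS.items() for m in pat.finditer(text)]


def classify(findings):
    """Highest classification implied by the findings; Public when there are none."""
    level = "Public"
    for kind, _ in findings:
        if CLASSIFICATION_RANK[PII_CLASSIFICATION[kind]] > CLASSIFICATION_RANK[level]:
            level = PII_CLASSIFICATION[kind]
    return level


def redact(text, findings):
    """Replace each matched value with a type tag so the audit record holds no raw PII."""
    for kind, value in findings:
        text = text.replace(value, f"[{kind.upper()}]")
    return text


def jsonrpc_error(request_id, code, message):
    """JSON-RPC 2.0 error envelope that preserves the caller's request id."""
    return {"jsonrpc": "2.0", "id": request_id, "error": {"code": code, "message": message}}


def append_audit(record):
    """Hash-chain the record to the previous one so later tampering is detectable."""
    prev = AUDIT_LOG[-1]["record_hash"] if AUDIT_LOG else "0" * 64
    body = json.dumps(record, sort_keys=True)
    record = dict(record, prev_hash=prev,
                  record_hash=hashlib.sha256((prev + body).encode()).hexdigest())
    AUDIT_LOG.append(record)
    return record


def enforce(agent_name, request):
    """Policy check for one task. Returns (decision, error_response_or_None, audit_record)."""
    agent = AGENTS[agent_name]
    params = request.get("params", {})
    skill = params.get("skill")  # assumption: the skill name travels in params
    text = " ".join(p.get("text", "") for p in params.get("message", {}).get("parts", []))
    findings = scan_pii(text)
    level = classify(findings)
    audit = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "agent": agent_name, "skill": skill, "request_id": request.get("id"),
        "classification": level, "pii_findings": sorted({k for k, _ in findings}),
        "message_redacted": redact(text, findings),
    }
    if skill in agent["blocked_skills"] or skill not in agent["allowed_skills"]:
        audit["decision"] = "rejected:skill_not_authorized"
        return "reject", jsonrpc_error(request.get("id"), -32001, "skill not authorized"), append_audit(audit)
    if CLASSIFICATION_RANK[level] > CLASSIFICATION_RANK[agent["max_classification"]]:
        audit["decision"] = "rejected:classification_exceeds_ceiling"
        return "reject", jsonrpc_error(request.get("id"), -32002, "classification exceeds agent ceiling"), append_audit(audit)
    audit["decision"] = "forwarded"
    return "forward", None, append_audit(audit)


def make_request(req_id, skill, text):
    """Build a constructed A2A-style JSON-RPC task request."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "tasks/send",
            "params": {"skill": skill, "message": {"role": "user", "parts": [{"type": "text", "text": text}]}}}


# Constructed sample tasks: one within policy, one carrying PHI, one using a blocked skill.
SAMPLE_OK = make_request("req-1", "summarize_invoice", "Summarize invoice 4412 for contact ops@example.com")
SAMPLE_PHI = make_request("req-2", "summarize_invoice", "Patient MRN-00123456 needs billing review")
SAMPLE_BLOCKED = make_request("req-3", "export_all_records", "Dump everything")

if __name__ == "__main__":
    for req in (SAMPLE_OK, SAMPLE_PHI, SAMPLE_BLOCKED):
        decision, err, rec = enforce("billing-agent", req)
        print(decision, err, rec["message_redacted"])
```

The email in the first task classifies the message as Internal, which the agent's ceiling permits, so it is forwarded; the MRN in the second pushes it to PHI and the proxy rejects it with an error that keeps the caller's request id; the third is refused on the skill list before any content is inspected for forwarding. In every case the audit entry stores only the redacted text.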
Everything you need to make agent-to-agent tasks compliant — without changing your agents.
Every message part and artifact passes through PII detection before reaching upstream agents — and again before results reach the caller. 14+ PII patterns plus NER-based entity recognition.
Whitelist approved skills or block dangerous ones per agent. Policy enforcement happens at the proxy layer — your A2A agent never sees unauthorized skill requests.
Four classification levels — Public, Internal, Confidential, PHI. Set a maximum classification per agent. Tasks that exceed the agent's classification ceiling are rejected before they leave the proxy.
Every A2A task logged with skill names, message parts (redacted), task state transitions, classification level, PII findings, and latency. Immutable records with correlation IDs.
One-click evidence exports for HIPAA, SOC 2, PCI DSS, GDPR, CCPA, NIST 800-53, and FERPA. Reports cover skill authorization, PII handling, classification enforcement, and complete task logs.
Automatic circuit breaking on failing A2A agents. Configurable thresholds, half-open recovery, and health checks. Your compliance proxy stays up even when agents don't.
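The circuit-breaking behaviour described above, as an added example that is not ACAI's implementation: a per-agent breaker that opens after a configurable number of consecutive failures, refuses to forward tasks while open, lets a single trial request through after a recovery timeout (half-open), and closes again on success or re-opens on failure. The thresholds, the injectable clock and the JSON-RPC error codes are assumptions chosen for the example.

```python
import time


class CircuitBreaker:
    """closed -> open after `failure_threshold` consecutive failures;
    open -> half-open once `recovery_timeout` seconds have passed;
    half-open -> closed on success, back to open on failure."""

    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock  # injectable so tests can advance time deterministically
        self.state = "closed"
        self.failures = 0
        self.opened_at = None

    def allow_request(self):
        if self.state == "open":
            if self.clock() - self.opened_at >= self.recovery_timeout:
                self.state = "half-open"  # admit exactly one trial request
                return True
            return False
        return True

    def record_success(self):
        self.failures = 0
        self.state = "closed"
        self.opened_at = None

    def record_failure(self):
        self.failures += 1
        if self.state == "half-open" or self.failures >= self.failure_threshold:
            self.state = "open"
            self.opened_at = self.clock()


def call_agent(breaker, upstream):
    """Forward one task through the breaker; `upstream()` raises when the agent fails."""
    if not breaker.allow_request():
        # Fail fast with a constructed server-defined JSON-RPC error; upstream is never touched.
        return {"error": {"code": -32003, "message": "agent unavailable (circuit open)"}}
    try:
        result = upstream()
    except Exception as exc:
        breaker.record_failure()
        return {"error": {"code": -32004, "message": f"agent failed: {exc}"}}
    breaker.record_success()
    return {"result": result}


class FakeClock:
    """Constructed clock so the recovery window can be advanced without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Drive the breaker through a failure burst, rejection, recovery and a failed trial.
    Returns (state trace, last response, number of times the upstream was actually called)."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=clock)
    calls = {"n": 0}

    def failing():
        calls["n"] += 1
        raise ConnectionError("upstream timeout")

    def healthy():
        calls["n"] += 1
        return {"state": "completed"}

    trace = []
    for _ in range(3):                      # three failures trip the breaker
        call_agent(breaker, failing); trace.append(breaker.state)
    call_agent(breaker, failing); trace.append(breaker.state)   # rejected, upstream not called
    clock.advance(31)
    resp = call_agent(breaker, healthy); trace.append(breaker.state)  # half-open trial succeeds
    for _ in range(3):                      # fresh burst trips it again
        call_agent(breaker, failing); trace.append(breaker.state)
    clock.advance(31)
    last = call_agent(breaker, failing); trace.append(breaker.state)  # half-open trial fails
    return trace, resp, last, calls["n"]


if __name__ == "__main__":
    print(simulate())
```

Note that the rejected call while the circuit is open never reaches the upstream agent and does not count as a further failure; only requests that were actually attempted move the counter.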
The A2A Layer speaks native A2A — no SDK changes, no client modifications.
Full Server-Sent Events support for tasks/sendSubscribe. Task state transitions stream through the compliance layer in real time — submitted, working, completed.
Native JSON-RPC 2.0 at the wire level. Request IDs, error codes, task lifecycle — all preserved. Your A2A client doesn't know the proxy exists.
Set maximum task duration per agent. Long-running tasks that exceed the limit are automatically flagged and can be terminated. Compliance meets operational control.
Bearer tokens, API keys, or no auth — the A2A Layer handles authentication to your agents. Secrets stored encrypted (AES-256-GCM) in the backend.
Set a max data classification per agent. An agent marked 'Internal' rejects tasks carrying Confidential or PHI data — before the request leaves the proxy.
Allow-list and block-list skills per agent. Only approved skills get proxied. Blocked skills return a policy violation — logged, audited, reported.
Get notified when the A2A Layer launches — or explore the AI Layer and MCP Layer for AI inference and MCP compliance.