OWASP proposes a way for enterprises to automatically identify AI agents

In anticipation of agents soon far outnumbering humans online, the Open Worldwide Application Security Project (OWASP) has developed a way to automatically identify AI agents before they interact with enterprise systems. It calls its plan Agent Name Service (ANS). 

The OWASP ANS proposal describes the initiative as “a novel architecture based on DNS addressing the lack of a public agent discovery framework. ANS provides a protocol-agnostic registry mechanism that leverages Public Key Infrastructure (PKI) certificates for verifiable agent identity and trust. The architecture features several key innovations: a formalized agent registration and renewal mechanism for lifecycle management; DNS-inspired naming conventions with capability-aware resolution; a modular Protocol Adapter Layer supporting diverse communication standards (A2A, MCP, ACP, etc.); and precisely defined algorithms for secure resolution.”

Like any other potential industry standard, ANS needs to clear political hurdles. It also needs to coexist with several established efforts to address the agent problem, including MCP from Anthropic, A2A from Google, ACP from IBM — and some even include Entra ID from Microsoft, which is the renamed version of Azure Active Directory. 

But analysts, along with some of the authors of the proposal, said that ANS is designed to coexist with and help those other efforts, not compete with them.

A diplomatic tightrope

The bigger issue with ANS is whether it is likely to get enough industry support to become a de facto standard, if not ultimately a de jure standard from a traditional standards group.

The authors of the OWASP proposal have to walk a diplomatic tightrope on that issue. While stressing that the proposal is an OWASP report and is not coming from any of their employers (Amazon, Intuit, Cisco and DistributedApps.ai), they also stress that each organization had to sign off on it, which could be seen as a tacit endorsement. One of the authors pointed to the companies on the paper’s review board, and the list of coordinators, all of whom also had to sign off on the report. That list includes SAP, NIST, Oracle, and the European Union (EU). 

A discovery service, not a communication protocol

Co-author Vineeth Sai Narajala, whose day job is serving as a genAI security engineer at AWS, pointed out that ANS addresses multiple important issues.

“The protocol-agnostic approach is especially forward-thinking, as it doesn’t try to impose yet another standard, but instead creates a unifying layer that works with multiple existing and emerging protocols. This pragmatic approach significantly increases the likelihood of adoption,” Narajala said. “Perhaps most notably, the security-first design with built-in PKI and formal verification methods addresses critical trust issues that could otherwise hamper the adoption of agent ecosystems in sensitive domains like healthcare, finance, and critical infrastructure.”

Narajala also directly addressed the interaction with some of the other approaches. 

“The confusion about ANS versus protocols like MCP, A2A, ACP, and Microsoft Entra is understandable, but there’s an important distinction to make: ANS is a discovery service, not a communication protocol,” Narajala said. “MCP, A2A and ACP define how agents talk to each other once connected, like HTTP for web. ANS defines how agents find and verify each other before communication, like DNS for web. Microsoft Entra provides identity services, but primarily within Microsoft’s ecosystem.”

He argued that there is much that is still missing from all of those options, and that ANS addresses those holes. 

“These existing protocols focus on agent-to-agent communication, but don’t solve the fundamental discovery problem: how does an agent securely find another agent with specific capabilities?” Narajala said. “ANS integrates Public Key Infrastructure (PKI) directly into the discovery process. This security-first approach addresses a critical gap in the existing ecosystem. Unlike simpler directory services, ANS supports capability-based resolution [meaning that it finds] agents based on what they can do, not just who they are.”

Delivers the ‘missing piece’

Another author of the OWASP report, Ken Huang, CEO of DistributedApps.ai, and author of several AI and cybersecurity books, said the lack of agent identification is “a huge bottleneck for actual enterprise deployment,” and that ANS “delivers the missing piece.”

Given the projected speed of agentic AI agent deployment, Huang estimates that those agents will represent 50 percent of all enterprise traffic by 2030 and roughly 80 percent by 2035.

Analysts were also unusually encouraging about the move.

Forrester VP/principal analyst Craig Le Clair said that he was “excited about this,” because of the intense need for observability with Agentic AI agents.

“How else do you understand what agents are out there? You can’t get to an agentic system without having multiple agents to collaborate. They need to have metadata that is observable,” Le Clair said. 

He added that broad adoption is still a question mark, but he wants to see some non-vendor-based standards bodies get involved, suggesting the World Wide Web Consortium (W3C), “due to [its] expertise in web protocols, and possibly IEEE, with their active initiatives in AI ethics and trustworthy AI.”

Jason Andersen, a VP and principal analyst for Moor Insights & Strategy, was even more effusive.

“I think it’s fantastic. I have been studying agents for a while, and what is conspicuously missing is manageability and governance,” Andersen said. “People and companies are going to build billions of these agents. There needs to be an easy way to find them. If somebody wants to pay you, you want to make it easy and secure for that payment to happen. There has to be a way to connect securely to the water company.”

Recipe for uncertainty

However, Gartner Senior Director and Analyst Tom Coshow said there is still much to be worked out in the agent space. 

“These protocols are still in their early stages, with ongoing research and development aimed at creating effective frameworks for AI agents to share information and coordinate tasks. Currently, no single entity owns these protocols, which fosters a landscape ripe for innovation and diverse contributions from various sectors, including academia, industry, and open source communities,” Coshow said. “The establishment of a universal standard remains uncertain, with various protocols being developed to meet different needs.”

Combine all of that and it is a perfect recipe for uncertainty, he said. 

“Given the complexity anticipated with the future development of an Internet of AI agents, the process of establishing a universal standard remains unclear. However, since AI agents utilize artificial intelligence to understand context, a single standard may not be necessary,” Coshow said. “Security concerns are paramount in the development of AI agent-to-agent protocols, particularly as the discussion around facilitating payments between agents is currently underway.”

Depends on implementation

One industry executive, WaveCX CEO Jon Tvrdik, said he’s not sure how well ANS will ultimately do, as it depends on implementation particulars. But he agrees that the need for such an approach is critical.

“We’re fast approaching the point where the need for a standard to identify AI agents becomes painfully obvious. Right now, it’s a mess. Companies are spinning up agents left and right, with no trusted way to know what they are, what they do, or who built them,” Tvrdik said. “The Wild West might feel exciting, but we all know how most of those stories end. And it’s not secure.”

As for ANS, he said. “it makes sense in theory. Treat agents like domains. Give them names, credentials, and a way to verify who’s talking to what. That helps with security, sure, but also with keeping things organized. Without it, we’re heading into chaos.”

But Tvrdik stressed that the deployment mechanisms will ultimately determine if ANS works.

“The real challenge will be rollout. Most enterprise systems are already stretched thin. If ANS adds complexity or forces teams to rework what they’ve got, adoption will stall,” Tvrdik said. “If it’s clean and open, ANS could become a foundational layer. If it’s bloated or unclear, it won’t get used.”