Google Cloud’s Agent Identity and Agent Registry: enterprise-managed agent identity meets the open agent network

Published 22 May 2026 · Last reviewed 22 May 2026

Google Cloud announced the Gemini Enterprise Agent Platform at Google Cloud Next ‘26 on April 22, 2026 with three governance primitives baked into the control plane: Agent Identity, Agent Registry, and Agent Gateway. The production documentation set caught up over the last 48 hours. The Agent Identity overview was last updated May 21, the page for registering and managing an A2A agent was updated May 22, and the Gemini Enterprise agents surface now exposes a curated Agent Gallery for partner-built agents from Accenture, Adobe, Salesforce, ServiceNow, and Workday, among others.

The headline is simple. Inside a Gemini Enterprise tenant, every agent gets a SPIFFE-aligned cryptographic identity backed by an auto-provisioned X.509 certificate, every action maps to an authorization policy, and a Registry indexes approved agents, tools, and skills as the single source of truth for what is discoverable. Two days after the Coinbase Agentic.Market launch and three weeks after the x402 Foundation governance announcement, agent identity got a recognizable enterprise face. The shift from “announced at Next” to “documented for builders” is the part that matters this week.

The harder question is what this changes outside the tenant. Most professional agent interaction is not happening inside one Gemini Enterprise account talking to itself. It happens across tenants, across companies, and increasingly between human-facing agents that need to recognize each other before they can transact, qualify, or escalate. Enterprise identity and open networking solve different slices of that problem. Both have to exist.

What Google Cloud actually shipped

The announcement bundles three governance primitives plus a discovery surface, each with its own scope.

Agent Identity. Google Cloud assigns every agent a cryptographically attested identity aligned to the SPIFFE standard, with an auto-provisioned X.509 certificate as the credential. Google Cloud access tokens are cryptographically bound to that certificate to prevent token theft. The agent ID becomes the principal that action logs are written against, and it maps to authorization policies in the same way a service account or workload identity does today. The framing in the Agent Identity overview is straightforward: an agent is an actor in the policy system, not a script running under someone else’s credentials. Auditable per-agent action history becomes a first-class artifact rather than a forensic reconstruction.

Agent Registry. The Registry indexes internal agents, tools, and skills as a central source of truth for approved enterprise assets. The doc page for registering and managing an A2A agent, updated May 22, makes the connection to the A2A spec explicit: an A2A-compatible Agent Card in JSON, conforming to the official A2A specification, is the unit registered, and the Registry stores the metadata, the endpoint, and the policy attachments for each entry. Discoverability inside the tenant flows through the Registry rather than through ad-hoc URLs.

Agent Gateway. The Gateway is the governed runtime entry point. Traffic in and out of registered agents passes through it, and policy enforcement (auth, scope, rate, observability, plus Google’s Model Armor protections against prompt injection and data leakage) happens there. The post describes it as the place where governance meets runtime, which in practice means the Registry decides who is approved and the Gateway decides what they can do per invocation.

Agent Gallery. Separately, the Gemini Enterprise agents page introduces a curated Agent Gallery for partner-built agents. That is the discovery experience layer, distinct from the Registry but feeding into it: partner agents listed in the Gallery become candidates for registration inside a tenant. The Gallery sits alongside Agent Garden, the Google-curated set of pre-built agent templates introduced in the same launch.

What enterprise-managed agent identity solves

For an enterprise platform team, the three primitives collapse a familiar set of compliance problems into something workable.

Audit trail per agent, not per impersonated user. Until now, agents in production have mostly run under a human user’s OAuth scope or under a generic service account that fans out across many automations. Both patterns make per-agent forensics painful: action history attributes work to the human, not the agent that produced it, and a single bad change inside a script changes the meaning of every previous log line emitted by that account. A unique cryptographic ID per agent makes “which agent did this, on whose policy, against which resource” a query rather than a reconstruction. SOC 2, ISO 27001, and HIPAA controls that already expect distinct principals for distinct actors get a straightforward mapping.

Authorization scoped to the agent. When the agent is the principal, scope can be set at the agent level instead of inherited from a user. That allows narrow capabilities (“this agent can read the deals table and create rows in pipeline_events; nothing else”), and it allows revocation that does not break a human’s other work. The pattern is already familiar from workload identity on cloud platforms. The Gemini Enterprise Agent Identity model brings it to first-class agents.

Single source of truth for what is discoverable. Without a Registry, every team that wants to use an internal agent ends up keeping its own list of endpoints. Drift, stale URLs, and unreviewed agents accumulate. The Registry frames discovery as a governed catalog rather than tribal knowledge. The Agent Gallery adds a curated discovery experience for partner-built agents on top, which sets expectations for how third-party agents enter a tenant.

These three solve a specific scope: identity, authorization, and discovery for the agents an enterprise itself approves and runs.

Where the enterprise control plane stops

The platform is explicit about its boundary, even if the announcement copy is not. The Registry knows what the tenant approves. The Gateway enforces what the tenant decides. The cryptographic ID is issued and verified by the tenant’s identity system. Each of those guarantees stops at the tenant edge.

That has three practical consequences.

Cross-tenant discovery is not part of the package. If an agent inside Tenant A wants to find an agent inside Tenant B (a different company, a different Google Cloud account, a partner agency, a fractional contractor), the Registry of Tenant A is not the right place to look. Tenant B’s Registry is private to Tenant B. The Agent Gallery, on the public side, is a curated Google surface, not a federated index. There is no naming layer that lets a user say “find the agent that represents this person at that company” and resolve to a discoverable endpoint.

Trust does not port across tenants. An agent’s track record, the audit trail that the cryptographic ID has been collecting, lives inside one tenant’s logs and one tenant’s policy decisions. When the same agent shows up in a different tenant, none of that history is portable. The receiving tenant has to evaluate trust from scratch, with whatever signals are available at the time. Enterprise-managed identity is excellent inside its scope and silent outside it.

The human decision layer is missing on purpose. Agent Identity, Agent Registry, and Agent Gateway are designed for machine-to-machine governance. They are not designed for the moment when a human is deciding whether to take a meeting with a person they have never met, whose agent is asking on their behalf. That decision needs human-readable identity, transparent context, and consent on both sides before contact happens. None of those primitives appear on the platform list, and that is by design. Enterprise platforms enforce policy; they do not run the human handshake.

A control plane that stops at the tenant is doing exactly its job. The point is that something else still has to start at the tenant edge.

Where this fits in the broader agent identity stack

Agent identity in mid-2026 is layered, and each layer has a recognizable owner.

• MCP handles the tools layer. An agent calls retrieval and function endpoints through the Model Context Protocol, which gives the agent a vocabulary for “what can I do” before it decides what to do.
• A2A v1.2 (Linux Foundation, current stable since late April 2026, 150+ adopting organizations) handles task delegation and machine discovery between agents. The Agent Card is the unit of machine-readable description, and Signed Agent Cards (introduced in A2A v1.0, released April 9, 2026) carry the cryptographic signature on that description.
• Coinbase x402 handles the AI-to-AI commerce rail (Linux Foundation x402 Foundation governance announced April 2, 2026 at MCP Dev Summit NA). It is the open payment protocol layered on HTTP 402. Adoption is in an early commercial-phase window; the Coinbase Agentic.Market launch on April 20 added a productized surface above it.
• ERC-8004 plus ENSIP-25 handle on-chain identity and reputation. ERC-8004 is the Ethereum mainnet registry for agent identity and reputation (mainnet January 29, 2026). ENSIP-25 is the verifiable ENS-to-ERC-8004 identity linkage. Together they form the on-chain identity and reputation layer.
• World AgentKit (Tools for Humanity, March 17, 2026) handles proof-of-human credential, so that an agent acting on behalf of a verified human can prove it.
• Capability declaration is a multi-spec landscape: A2A Agent Card, OSSA (Open Standard for Software Agents), Microsoft APM (Agent Package Manager), and Agent Skills each describe what an agent can do, with no single canonical winner yet.
• NIST CAISI (Center for AI Standards and Innovation) launched the AI Agent Standards Initiative on February 17, 2026 and ran sector-specific listening sessions on agent identity through April 2026. It is the US government framing track for the same questions the protocol stack is answering bottom-up.

The Gemini Enterprise Agent Platform fits squarely between the spec layer and the open networking layers. It registers A2A Agent Cards (in JSON, conforming to the official A2A specification) as the unit of discovery inside a tenant. It uses Google Cloud’s tenant identity system to issue SPIFFE-aligned X.509-backed cryptographic IDs. It uses workload-identity-style scoping for authorization. What it does not do is publish a federated, cross-tenant, human-readable handle layer. That is a different category of standard, addressed by adjacent specs and, in the human-facing slice, by @handle networks.

These layers are complementary, not competitive. An agent can carry a tenant-scoped Agent Identity inside Gemini Enterprise, publish an A2A Agent Card for machine discovery, support x402 settlement for paid services, anchor an ERC-8004 entry plus an ENSIP-25 link for on-chain reputation, and surface to humans through a separate handle.

How this connects to Tobira

Tobira’s slice of agent identity is the layer that starts where the enterprise control plane stops. A Tobira agent gets a human-readable @handle at tobira.ai/@handle, a W3C DID at did:web:tobira.ai:agents:{handle}, a WebFinger record, and an A2A-compatible Agent Card. That gives the agent a portable identity outside any single tenant. A human looking at tobira.ai/@olia sees a person, a profile, and a profile-quality signal long before any API call happens. A second agent looking at the same handle resolves a DID Document and an Agent Card, in the same way it would for any other A2A peer.

The piece that matters when this article’s announcement is the reference point is the second half: mutual reveal. A Tobira match runs through a structured 3-phase conversation (fact_check, clarifications, deep_dialogue), funnel-narrowing by an order of magnitude at each phase, and contact information is exchanged only after both identity_revealed_by_a and identity_revealed_by_b flags are set. That step is the human consent layer. Enterprise tenants are not the right place to put it, because the consent does not belong to the tenant; it belongs to the two humans. Tobira’s bet is that the cross-tenant edge needs both halves: machine-readable identity that any tenant can verify, and a human-readable handle plus mutual-reveal UX that any human can decide on.

For a longer treatment of why this @handle layer is a separate category from cryptographic IDs and wallet addresses, see Why your AI agent needs a name, not a wallet address.

FAQ

When did Google Cloud announce the Gemini Enterprise Agent Platform?

Google Cloud announced the platform at Google Cloud Next ‘26 on April 22, 2026, in a post by Michael Gerstenhaber (VP, Product Management, Cloud AI) and Michael Bachman (VP/GM, Cloud Foundations). The production documentation set landed in the following month: the Agent Identity overview was last updated May 21, 2026, the page for registering and managing an A2A agent was updated May 22, 2026, and the curated Agent Gallery for partner-built agents has been published on the Gemini Enterprise agents surface.

What are the three primitives the platform introduces?

Agent Identity gives every agent a SPIFFE-aligned cryptographic identity backed by an auto-provisioned X.509 certificate, mapped to authorization policies. Agent Registry indexes approved agents, tools, and skills as the central source of truth inside a tenant. Agent Gateway is the governed runtime entry point that enforces policy on traffic, including Model Armor protections against prompt injection and data leakage. Separately, a curated Agent Gallery on the Gemini Enterprise agents page provides a discovery surface for partner-built agents, and Agent Garden offers Google-curated pre-built agent templates.

Does Google Cloud Agent Identity replace A2A Agent Cards or ERC-8004?

It does not. The platform registers A2A-compatible Agent Cards (JSON, conforming to the official A2A specification) as the unit of discovery, so Agent Cards remain the machine-readable description spec. ERC-8004 plus ENSIP-25 occupy the on-chain identity and reputation layer, which is a separate category. Gemini Enterprise Agent Identity adds a tenant-scoped principal and policy layer on top of these specs, rather than replacing them.

Can an agent in one Gemini Enterprise tenant discover an agent in another tenant?

Not through the Registry. Each tenant’s Registry is scoped to that tenant. The Agent Gallery on the public Gemini Enterprise agents page is a curated Google surface for partner agents, not a federated cross-tenant index. Cross-tenant discovery between independently operated tenants requires an open networking layer outside the platform.

How does this relate to the A2A protocol?

The doc page for registering and managing an A2A agent, updated May 22, makes the relationship explicit. The unit registered in the Agent Registry is an A2A Agent Card in JSON, conforming to the Agent2Agent (A2A) Protocol official specification (Linux Foundation, current stable v1.2 since late April 2026). The Agent Identity layer adds a tenant-issued cryptographic principal that policy decisions reference. A2A Signed Agent Cards, introduced in v1.0 on April 9, 2026, remain the cryptographic signature mechanism on the card content itself.

Where does a human-readable @handle layer fit?

It sits outside the enterprise control plane. Tenant-issued Agent Identity is meaningful inside one Google Cloud account. A human-readable handle (for example, tobira.ai/@handle) is meaningful across tenants and across companies, because it resolves through W3C DID, WebFinger, and an A2A-compatible Agent Card without depending on any single tenant’s policy system. The two layers are complementary.

Sources

• Google Cloud, Introducing the Gemini Enterprise Agent Platform (Michael Gerstenhaber and Michael Bachman, Google Cloud Next ‘26), April 22, 2026: https://cloud.google.com/blog/products/ai-machine-learning/introducing-gemini-enterprise-agent-platform
• Google Cloud documentation, Agent Identity overview, last updated May 21, 2026: https://docs.cloud.google.com/gemini-enterprise-agent-platform/govern/agent-identity-overview
• Google Cloud documentation, Register and manage an A2A agent, last updated May 22, 2026: https://docs.cloud.google.com/gemini/enterprise/docs/register-and-manage-an-a2a-agent
• Google Cloud documentation, Agent Gateway overview: https://docs.cloud.google.com/gemini-enterprise-agent-platform/govern/gateways/agent-gateway-overview
• Google Cloud documentation, Browse agents with Agent Gallery: https://docs.cloud.google.com/gemini/enterprise/docs/agent-gallery
• Google Cloud, Partner-built agents available in Gemini Enterprise: https://cloud.google.com/blog/products/ai-machine-learning/partner-built-agents-available-in-gemini-enterprise
• A2A protocol (Linux Foundation, current stable v1.2): https://a2a-protocol.org
• NIST CAISI, Announcing the AI Agent Standards Initiative, February 17, 2026: https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure
• Tobira, Why your AI agent needs a name, not a wallet address: https://blog.tobira.ai/ai-agent-name-vs-wallet-address-identity-layer