The Front Desk and the Warrant

In late May 2026, Google and a Linux Foundation working group announced Agentic Resource Discovery — ARD — an open specification for how AI agents find and verify tools, skills, and other agents across the web. The pitch is clean: publish a small JSON file at /.well-known/ai-catalog.json under your own domain, and registries will crawl it so that any agent, anywhere, can discover what you offer and connect to it at runtime. Microsoft framed the problem it solves in one sentence: AI can only use what it has been explicitly wired to use; everything else may as well not exist.

It is a good specification. It is also, read carefully, a map of who intends to own the agentic web — and a quiet admission of the one layer nobody in the room wanted to claim. That layer is the one I have been describing, under different names, for nineteen years. This essay is about the gap between what ARD authenticates and what it leaves unanswered, and why that gap is the whole game.

What ARD actually is

Strip away the announcement language and ARD is two primitives. A catalog is the file you publish under your domain. A registry is a service that crawls those files and exposes a search API, so an agent can ask, in plain language, for a capability and receive a ranked list of places to get it. Discovery happens; then ARD steps out of the way and hands the agent verifiable trust metadata so it can connect directly using the tool's native protocol — MCP for tool calls, A2A for agent-to-agent, or a plain API.

The trust model is the part worth slowing down on. ARD's root of trust is domain ownership. Because the catalog lives under your domain, control of that domain is treated as cryptographic proof of identity — did:web, with an optional enterprise layer of signed trust manifests and workload identities for production environments. The question ARD answers is therefore precise and narrow: who is allowed to claim this capability? Answer: whoever controls the domain it is published under.

That is authentication. It is not authorization. ARD has no native notion of who may invoke a capability, for how long, under what scope, and how that permission is revoked. It verifies the storefront's nameplate. It says nothing about who holds the keys, which doors those keys open, or when they stop working.

The layer cake, and who is claiming each layer

It helps to see the agentic web as a stack, because the standards fight playing out right now is a fight over which layer each camp gets to own.

At the bottom is invocation — how an agent actually calls a tool once it has found one. This layer belongs to MCP, the Model Context Protocol, which Anthropic introduced in late 2024 and donated to a Linux Foundation body in December 2025. By early 2026 it had become the de facto standard: on the order of ten thousand active servers, well over a hundred thousand registered tools, SDK downloads in the tens of millions per month. Invocation is, for now, a solved and neutral-governed problem.

Above it sits discovery — how an agent finds the tool in the first place. This is the layer ARD claims, and the sponsor list tells you who is doing the claiming: Google and Microsoft in the lead, with GitHub, Hugging Face, Cisco, Salesforce, ServiceNow, Snowflake, Databricks, Nvidia, and GoDaddy alongside. The specification is free and open. The products that implement it are not: Google's Agent Registry inside its Gemini Enterprise platform, GitHub's Agent Finder, Hugging Face's Discover tool. The pattern is the oldest one in platform economics — commoditize the complement. Make discovery a free commons so the agentic web does not splinter into a thousand incompatible registries, then sell the governed enterprise registry that large organizations will pay to trust, audit, and comply on top of.

Above discovery sits the entry point — the agent itself, the thing the user actually talks to. This is the contested ground, and it explains the most important fact about the ARD announcement: neither Anthropic nor OpenAI signed it. The reading that makes sense of their absence is strategic. The model labs want Claude and ChatGPT to be the place employees go to reach every tool and every enterprise system — the front door — rather than one interchangeable component inside Google's or Microsoft's platform. A discovery layer owned by the cloud incumbents threatens exactly that ambition. So the labs own invocation (MCP) and are fighting for the entry point, while the incumbents move to own discovery and the governance that rides on top of it. ARD is, among other things, a coalition of platform giants drawing a perimeter around the two labs.

And then there is the layer underneath all of it, the one with the dashed border, the one no announcement mentioned: authorization. Not "who published this," but "who may use it, scoped to what, for how long, revocably, auditably." ARD does not define it. MCP does not define it. The entry-point fight does not touch it. Google's answer, where it has one, is rent Agent Registry and configure its egress policies — a centralized, enterprise-licensed answer to a question that deserves a decentralized one.

That unclaimed layer is the Warrant.

The Warrant is the missing authorization layer

I have been circling this idea since 2007, when an undergraduate blog post of mine named a "Bayanihan Network." In 2010 I wrote, more or less verbatim, that data integrity and security would one day be the property of the data itself and not of the transport carrying it. I did not have the vocabulary then that I have now — capability-based delegation, behavioral attestation, Macaroons-style revocation, scoped and time-limited grants — but the conviction was already whole. The thing that secures an interaction should travel with the right to act, not be inferred from the address the request came from.

ARD is the clearest possible illustration of why that conviction matters, because ARD is what you get when you solve everything except that. It builds the phone book and the front desk. It verifies that the business on the nameplate is really that business. And then, at the exact moment an agent is about to act on your behalf inside someone else's system, it hands off to "the tool's native protocol" and a trust manifest that proves identity — and the question of what this particular agent is actually permitted to do, right now, and for how long falls into the gap.

The Warrant fills that gap by design. A warrant is a scoped, time-limited, auditable, revocable grant of authority that the agent carries and the resource verifies — independent of which domain the request originated from, independent of whether anyone "wired up" the connection in advance. Where ARD asks is this publisher who they say they are, the Warrant asks is this actor allowed to do this specific thing, and can I prove it, and can I take it back. The two are not competitors. ARD is the authentication layer; the Warrant is the authorization layer that belongs beneath it. ARD makes the transport-and-registry layer a product you rent. The Warrant makes integrity a property of the data, so you do not have to.

Why this is worth supporting and writing against

There is a temptation, when a heavyweight consortium ships a spec that validates a thesis you have held for years, to either dismiss it as a land grab or surrender to it as the new reality. Both are mistakes.

ARD is worth supporting on its merits. If you expose an MCP server or an agent-callable endpoint, publishing a catalog is a twenty-minute job that puts you in front of registries before they arrive — and the honest field tests show that almost nobody has actually deployed one yet, which means the early-mover advantage is real and currently unclaimed. The sponsor list buys the spec a genuine shot at becoming infrastructure. Supporting it costs little and risks less.

But ARD is also the proof — published, dated, and signed by eleven of the largest names in technology — that the discovery-and-trust layer of the agentic web is now contested ground worth fighting over. It establishes that the layer exists, that it matters, and that the incumbents' answer to scoped, revocable trust is "rent it from us." That is precisely the answer the Warrant was conceived to refuse. The most useful thing ARD does for the Bayanihan Machine is to draw, in the negative space of its own specification, the exact shape of the problem it declined to solve.

The front desk is being built. It will be useful. But the front desk only checks who you are on the way in. It was never going to decide what you are allowed to do once you are inside — and it was never going to hand that decision back to the data itself. That is the work that remains. It is the work I named nineteen years ago, and it is still, as of this writing, open ground.

---

Part of an ongoing series on decentralized AI trust architecture — the Bayanihan Machine and the Warrant. See also The Tower and the Warrant and As Iron Sharpens Iron.