
How telcos are building safe environments for AI agents
Telcos are still working through the pros, cons and practicalities of developing and using AI agents to automate network operations. This includes debating how two standards developed outside the telecoms industry – Model Context Protocol (MCP) and Agent2Agent (A2A) Protocol – can be used to address integration challenges.
For Andreas Lewitzki, Operations Lead Architect, and Dennis Sehalic, Senior Solution Architect Developer at Telenor Sweden, the expectation is that “telco architectures will shift toward layered, agentic domains, with clear separations between microservices that can change things and those that can only see things.” The idea is to greatly reduce, or even eliminate, the need for manual operations.
But architecting and orchestrating layered, agentic domains is not simple. Agents require access to accurate data, or context, so they can make the right decisions at each step they take towards delivering a solution.
The way telcos dynamically manage the knowledge and context that autonomous agents use to make informed decisions, and act on them, will be critically important.
The more complex the task, the more “context” or information agents are likely to need. That’s where MCP and A2A can help. Agents will access the data they need for reasoning from existing systems via MCP (wrapping existing APIs). But agents will also take action via those systems, again via MCP. For example, an agent might use context information from the CRM and billing systems to decide what compensation to give a customer for a service outage. It could also ask the billing system to apply this compensation as a discount on the customer’s bill.
MCP is an open standard introduced in November 2024 by Anthropic, creator of the Claude LLM, to give AI agents a unified way to interact with tools, services and data regardless of how those systems are built. MCP allows AI agents to autonomously carry out complex, multi-step tasks such as retrieving information, summarizing documents or saving content. Without a standard like MCP, these actions require separate APIs, custom logic and considerable integration effort by developers.
Google introduced the Agent2Agent (A2A) protocol in April 2025 to enable seamless interoperability between autonomous agents. A2A facilitates secure information exchange, coordinated actions and dynamic collaboration among agents without requiring them to share memory or internal tools. By abstracting these interactions, A2A opens the door to scalable multi-agent frameworks. The initiative has since been adopted as an open-source project under the Linux Foundation, ensuring broad accessibility and community-driven development.
In telecoms networks, intent is the foundation for how agentic AI interprets and acts on users’ goals. Instead of executing predefined tasks, agentic AI systems aim to understand the desired outcomes (the intent) of customers or of a telco’s internal expert and then autonomously orchestrate actions across multiple systems in multiple domains to fulfill that goal. Together, MCP and A2A make intent actionable by embedding it in context and enabling inter-agent coordination.
Telenor’s team sees MCP as a significant development, contending that it shows “the ecosystem has realized context must become a priority.” They note that as agentic workflows scale, “MCP could become foundational for decision-making interfaces across operations, customer care and network assurance”.
Vodafone is using both MCP and A2A in its AI Booster platform. “MCP is very well adopted. It is almost a de facto standard,” said Dr. Lester Thomas, Head of New Technologies and Innovation at Vodafone Group, during an interview for a recent report on the use of agentic AI in customer experience. “We’ve got MCP servers live in production, doing real work.” But he adds that MCP introduces security risks which must be addressed.
Vodafone is using A2A to develop a multi-agent architecture. “One of the things we’ve learned – partly through TM Forum Catalysts – is that smaller, tightly scoped agents are more effective. If you make them too big, they fail because they can’t stay on track. So, for bigger problems you use multiple agents and they talk to each other through A2A. That’s what we’re trialing now.”
One of the Catalysts Vodafone is championing, along with a dozen other CSPs, is called Agent Fabric. The first phase of the Catalyst introduced a copilot assistant that helps engineers resolve customer-affecting network issues faster. The second phase extended this capability by having multiple agents working together. The Agent Fabric Catalyst will feed into Project Foundation in the Innovation Hub, according to Thomas.
Given that MCP and A2A are already being used in telecoms networks, the growing debate is not so much about whether they are useful but rather how they will be standardized, secured and integrated to deliver on the promise of intent-based autonomous networks – and how quickly this can happen.
One of the big questions in the industry is what the development and adoption of new interfaces will mean for APIs.
TM Forum released a position paper on MCP in August, arguing that the protocol is complementary to the Open API Program, essentially as an abstraction protocol that enhances the value of existing APIs. The document emphasizes the importance of semantic alignment, interoperability and structured governance, and proposes a roadmap that includes working groups, reference implementations and formal profiles to ensure that MCP adoption is consistent, secure and aligned with the ODA.
“One of the key arguments about why it makes sense to build agentic applications on top of ODA is that once somebody has written a tool for the API, everyone can use it. If everybody’s got different APIs, you need to write the tool thousands of times,” says TM Forum’s EVP Member Products, Andy Tiller. “ODA gives you a foundation on which you can build agentic AI-driven use cases, because you’ve got standards.”
“There’s a common misperception that MCP replaces APIs when you’re talking to existing systems,” points out Tiller. “But APIs are the language those systems understand. MCP wraps them so agents can use these systems as tools, so MCP is enabled by APIs.”
Telstra’s Mark Sanders agrees that composability underpins agentic AI deployment. “What's going to stand us in good stead [with AI agents] is the discipline of the TMF and the modeling discipline that comes behind it and the principle … of abstraction and composability,” he says.
Certainly, telcos see MCP and APIs as complementary, with APIs exposing functionalities while MCP provides a standardized way for AI agents to discover and use them. Peiqing Zhang, Senior Expert, Cloud and AI, Telenor, uses the analogy of a shared kitchen.
“Without MCP, every AI agent needs to bring its own cookware, for example, custom-built integrations on top of the APIs,” explains Zhang. “With MCP, the kitchen comes fully equipped - agents can walk in and start cooking immediately.”
In practice, she adds, “MCP can wrap existing APIs. The standardized APIs made it possible to complete the wrapping work quickly.”
Another question doing the rounds is whether the telecoms industry needs its very own version of MCP or A2A. Telenor Sweden’s Lewitzki and Sehalic and Vodafone’s Thomas are not convinced it does.
“If there’s a deficiency, let’s contribute to MCP and fix it in open source,” Thomas says. “I’ve always been a strong advocate of don’t reinvent stuff… With MCP, we’ve done a lot of work to show how it links with TM Forum Open APIs. But I’m skeptical when someone says, ‘We need a telco-specific standard’. What’s so unique that other industries don’t have?”
What is important, however, stresses Lewitzki, is a multi-agent architecture that underpins the data protection demands of the telecoms industry.
Security is a primary concern for CSPs when it comes to scaling MCP and A2A in production.
“Agentic AI… is a direct entry point… into the very deep core of our network asset,” says Philippe Ensarguet, Orange’s VP Software Engineering. “As a result, security in agent AI time will be even more important than today.”
MCP can introduce vulnerabilities such as malicious clients intercepting authorization codes or compromised servers stealing user tokens. Accuracy is another issue. Since AI models autonomously decide which tool or API to invoke, hallucinations could lead to inaccurate or inappropriate tool selection.
Vodafone is implementing MCP safeguards in its AI Booster platform. For example, the company only allows the use of verified and trusted MCP servers, which means maintaining an MCP catalog and an MCP gateway. Instead of an agent directly accessing an external MCP, it routes through the gateway, where access rules can be audited and enforced. Vodafone is contributing these learnings and capabilities to the ODA.
In the meantime, Telstra’s Sanders would like to see the industry “move forward with a shared language, an ontology of how we can model knowledge for a telco business … so we can improve on the reasoning that we’re doing,” within a given context.
This would see telcos move from simply passing data to “figuring how we’re passing technology knowledge at this point in time.”
Telenor’s Sehalic explains that a shared language or a common classification would allow agents to communicate across different domains. “If we have one MCP server in AWS for some systems, and we have another MCP server in GCP for other systems, agents on both sides need to connect to [each] other and … tools need to be exposable for agents in other domains,” he says.
“They cannot talk directly to each other because we wouldn't be able to control it. We have to be able to make sure that [a given] agent has this system access role, and that the entitlements [and] … tools are mapped to those data sets.”
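The gateway pattern described earlier (a catalog of verified MCP servers with audited access rules) and the role-to-tool entitlement mapping Sehalic describes can be combined in one default-deny check. The Python sketch below is an added example, not Vodafone's or Telenor's code; the server, tool and role names are constructed, and tagging each tool as "read" or "write" is an assumption modeled on the article's split between services that "can only see things" and those that "can change things".

```python
from dataclasses import dataclass, field

# Constructed catalog of verified MCP servers and their tools (hypothetical names).
# Each tool is tagged "read" (can only see things) or "write" (can change things).
CATALOG = {
    "crm-mcp": {"get_customer": "read"},
    "billing-mcp": {"get_invoice": "read", "apply_discount": "write"},
}

# Constructed role entitlements: role -> server -> permitted access modes.
ENTITLEMENTS = {
    "care-readonly": {"crm-mcp": {"read"}, "billing-mcp": {"read"}},
    "care-compensation": {"crm-mcp": {"read"}, "billing-mcp": {"read", "write"}},
}


@dataclass
class Gateway:
    """Default-deny policy point that sits between agents and MCP servers."""
    audit_log: list = field(default_factory=list)

    def authorize(self, agent_id, role, server, tool):
        """Return (allowed, reason); every decision, allow or deny, is logged."""
        allowed, reason = self._decide(role, server, tool)
        self.audit_log.append({"agent": agent_id, "role": role, "server": server,
                               "tool": tool, "allowed": allowed, "reason": reason})
        return allowed, reason

    @staticmethod
    def _decide(role, server, tool):
        tools = CATALOG.get(server)
        if tools is None:  # server was never verified and cataloged
            return False, "server not in catalog"
        mode = tools.get(tool)
        if mode is None:  # tool is not registered for this server
            return False, "tool not registered for server"
        granted = ENTITLEMENTS.get(role, {}).get(server, set())
        if mode not in granted:  # unknown roles fall through to deny
            return False, f"role lacks {mode} entitlement"
        return True, "ok"


if __name__ == "__main__":
    gw = Gateway()
    gw.authorize("agent-7", "care-readonly", "billing-mcp", "apply_discount")
    gw.authorize("agent-7", "care-readonly", "external-mcp", "search")
    for entry in gw.audit_log:
        print(entry)
```

Denied requests are logged with the same detail as allowed ones, so the audit trail shows when an agent selects a tool outside its role, including the inappropriate tool selection the article attributes to hallucination.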
And when it comes to the network, “the knowledge needs to be semantically rich”, according to Sanders. “It needs to not just be knowledge around the topology of the network. It needs to have business processes coded in, our engineering design limits, our policies and even regulatory frameworks,” he explains.
“Those things need to be coded into the knowledge behind it,” says Sanders.
“Classification is so important because level 4 [of autonomous networks] means orders of magnitude more automations and more meshed automations,” explains Telenor’s Sehalic. “And if we cannot control the individual parts and classify the individual parts, I don't see that happening from a security perspective.”
Finding a common language, however, will depend on collaboration and compromise between people across the industry. TM Forum is hoping to lead this effort with work in the Data Architecture Project, part of the AI Native Blueprint.
“How we classify things is almost a religious question,” says Sehalic. “It's not that the practical problem is extremely difficult. It's that everyone has to agree a common way to work.”