AI agents get their own dedicated search engine

When a group of companies that usually compete fiercely starts collaborating, it raises eyebrows. This time, Google, Microsoft, GoDaddy, Hugging Face, NVIDIA, Salesforce, ServiceNow, Databricks, Snowflake, GitHub, and Cisco have joined forces to announce Agentic Resource Discovery (ARD). This open specification is designed for publishing, discovering, and verifying AI capabilities across the web. Both Google and Microsoft have published blog posts detailing this partnership.

The last major collaboration of this scale was Project Glasswing, which brought together 12 rival giants to use Anthropic’s highly restricted Mythos AI model to find and fix cybersecurity vulnerabilities. However, as we’ve reported, Mythos and its smaller counterpart, Fable, have faced interference from the US government recently.

Notably absent from the ARD announcement are OpenAI and Anthropic. This absence is significant, given their prominence in the AI space.

Why does this matter? Let’s unpack the implications.

The Discovery Gap Holding Agentic AI Back

In 2024, Anthropic introduced the Model Context Protocol (MCP), which standardized how AI systems and servers share data. ZDNET’s Steven Vaughan-Nichols described MCP as “the key to unlocking AI’s full potential in the enterprise, the cloud, and beyond.” MCP solved part of the puzzle by enabling any properly configured server to communicate with AI agents, provided governance and authentication are in place.

But MCP only addressed part of the problem. Think of it this way: MCP makes apps possible, but without an app store, finding and using those apps is difficult. ARD, in an oversimplified sense, aims to become that app store for AI agents.

AI agents increasingly rely on tools, skills, and other agents scattered across teams, networks, organizations, and platforms. Yet finding these resources is often a challenge. Each AI agent or client can only use resources explicitly connected to it. Ramanathan Guha, technical fellow at Microsoft, explains it succinctly: “AI is only as capable as its wiring allows. AI can only use what it’s been explicitly wired to use. Everything else may as well not even exist.”

In short, AI agents need their own search engine to locate usable resources.

A Search Engine for the Agentic Web

Before ARD, the situation resembles the early web before search engines. Remember Yahoo’s human-indexed directory trees? If your site wasn’t listed, nobody could find you. Google’s blog post frames ARD similarly: “Just as the open web democratized information, ARD democratizes AI resource discovery.”

But ARD isn’t a traditional search engine where humans type queries and see results. It’s a framework for discovery services. Agents can query ARD nodes for information, but the goal isn’t a single giant database of links. Instead, ARD enables general-purpose discovery services, while enterprises can create their own and control access.

Rao Surapaneni, VP and GM of business applications at Google Cloud, emphasizes the problem: “The true potential of agentic AI has been limited by silos.” He adds, “By removing centralized gatekeepers, we’re empowering any agent to discover, trust, and utilize resources across platforms, unlocking a new era of interoperability.”

How Catalogs and Registries Work

ARD has two main architectural components: catalogs and registries. Think of catalogs as web pages. Registries, as Google’s blog post notes, “act as search engines for the agentic web.”

To set up a catalog, an organization hosts an `ai-catalog.json` file at a published path on its own domain. Registries crawl these catalogs, index their contents, and return matching capabilities with metadata to verify the publisher before connecting.

Security is a major concern. If agents can randomly use tools they find on the web, disaster could follow. To address this, domain ownership serves as the cryptographic foundation for identity and trust. A catalog hosted on a trusted domain like Microsoft.com or ZDNET.com indicates it has been vetted by that domain’s owners. However, as I’ll discuss, this model may introduce new security risks.

The hierarchy mirrors DNS. Microsoft’s Guha explains, “This gives ARD an architectural property closer to DNS than to ordinary web search.”

Security Considerations

Attackers now have a new incentive to target domains, deployment pipelines, and catalog files. ARD is designed to sit before invocation, helping an AI client decide which capability to use before connecting through the resource’s own protocol. Guha describes ARD as the layer that helps the client choose the capability and then gets out of the way.

ARD isn’t just a random file on a random domain. The spec includes registries, discovery services, publisher metadata, and, in production settings, cryptographic trust metadata. Google also points to enterprise controls like Agent Identity, trust manifests, egress policies, and pinned tools.

Still, the open-web model remains domain-anchored. If the domain, DNS, server, repository, or deployment path is compromised, the catalog becomes a tempting, high-leverage target. ARD improves discovery and verification, but it doesn’t eliminate the need for ordinary security controls, authorization, governance, allowlists, code review, signing, monitoring, and policy enforcement. I’m not claiming to know security better than Google, Microsoft, and Cisco, but that added high-value target should concern anyone adopting ARD.

Reference Implementations

Vendors are already integrating ARD into their projects. Here are three examples:

• GitHub launched Agent Finder, built on ARD, which lets Copilot discover and call MCP servers, skills, tools, and agents at runtime from a public or private registry.

An Open Spec and an Open Invitation

The ARD specification is available now, licensed under Apache 2.0 and built on the AI Catalog data model from a Linux Foundation working group. Google’s blog states, “The agent ecosystem works best when it is decentralized and open.”

You can explore the full spec at AgenticResourceDiscovery.org and find a GitHub registry for the spec.

Is ARD the plumbing that AI agents need, or does it create a bigger attack surface than it solves? Share your thoughts in the comments below.

For more updates, follow my day-to-day projects on social media, subscribe to my weekly newsletter, and connect with me on Twitter/X, Facebook, Instagram, Bluesky, and YouTube.