BIP Austin digital publishing platform

collapse
Close menu
×
Home / Daily News Analysis / AI agents are getting their own search engine

AI agents are getting their own search engine

Jun 26, 2026  Twila Rosenbaum 8 views
AI agents are getting their own search engine

AI agents are getting their own search engine

AI agents may soon search for and use their own tools at runtime, thanks to a new open standard backed by Microsoft and Google.

Key facts

  • Google, Microsoft, GoDaddy, Hugging Face, NVIDIA, Salesforce, ServiceNow, Databricks, Snowflake, GitHub, and Cisco are backing Agentic Resource Discovery (ARD).
  • ARD is an open specification for publishing, discovering, and verifying AI capabilities across the web.
  • It helps AI agents find tools, skills, and other agents without prior explicit connections.
  • The standard uses catalogs and registries, analogous to web pages and search engines.
  • Domain ownership serves as the cryptographic foundation for identity and trust.
  • ARD may create new security risks as domains, DNS, and deployment pipelines become high-value targets.
  • Reference implementations include GitHub's Agent Finder, Hugging Face's Discover Tool, and Google's Agent Registry.

The discovery gap holding agentic AI back

Back in 2024, Anthropic introduced MCP (Model Context Protocol), which standardized how AI systems and servers share data. MCP solved part of the puzzle: it allows any properly configured server to communicate intelligently with AI agents, assuming governance and authentication are in place. However, MCP alone does not solve discoverability. To use an analogy, MCP makes apps possible, but until there's an app store, it's hard to find and use those apps. ARD, wildly oversimplified, is intended to be that app store.

AI agents are increasingly relying on tools, skills, and other agents spread across teams, networks, organizations, and platforms. But finding those resources is often difficult. Each AI agent or client is only able to use resources that have been explicitly connected to it. This limits agents. Ramanathan Guha, technical fellow at Microsoft, explains that 'AI is only as capable as its wiring allows.' In other words, 'AI can only use what it's been explicitly wired to use. Everything else may as well not even exist.'

In other words, AI agents need their own search engine to find resources they can use.

A search engine for the agentic web

When it comes to our current pre-ARD situation, Microsoft likens it to what the web was like before search engines. Do you remember the early Yahoo, where human indexers created directory trees of websites by topic? It wasn't exactly complete. If your site wasn't on it, nobody could find you. Google's blog post says, 'Just as the open web democratized information, ARD democratizes AI resource discovery.'

But we're not really talking about a search engine like Google was (before it so heavily incorporated AI) or DuckDuckGo still is. It's not an interface where humans type in something and search engine results are presented. ARD is search, yes, in that agents can query ARD nodes for what they know. But the goal for ARD isn't to be one giant database of links. Instead, it's a framework for discovery services. There will be some general-purpose discovery services, but enterprises can create their own and control access, too.

Rao Surapaneni, VP and GM of business applications at Google Cloud, says, 'The true potential of agentic AI has been limited by silos.' Expanding on that idea, he says, 'By removing centralized gatekeepers, we're empowering any agent to discover, trust, and utilize resources across platforms, unlocking a new era of interoperability.'

How catalogs and registries work

There are two main architectural components in ARD: catalogs and registries. Continuing our search engine analogy, think of catalogs as analogous to web pages. As the Google blog post says, 'Registries act as search engines for the agentic web.'

To establish a catalog, an organization hosts an ai-catalog.json file at a published path on its own domain. Registries crawl catalogs, index their contents, and return matching capabilities with metadata to verify the publisher before connecting. Domain ownership serves as the cryptographic foundation for identity and trust. Essentially, the fact that a catalog is hosted on a verified domain (e.g., Microsoft.com, ZDNET.com) establishes that the catalog has been vetted by the owners of that domain. The hierarchy is modeled on DNS. Microsoft's Guha says, 'This gives ARD an architectural property closer to DNS than to ordinary web search.'

Security considerations

Of course, this also gives attackers a new reason to target domains, deployment pipelines, and catalog files. ARD is designed to sit before invocation, helping an AI client decide which capability to use before the client connects through the resource's own protocol. Microsoft's Ramanathan Guha describes ARD as the layer that helps the client choose the capability and then gets out of the way.

To be fair, ARD is not just a random file on a random domain. The spec includes registries, discovery services, publisher metadata, and, in production settings, cryptographic trust metadata. Google also points to enterprise controls such as Agent Identity, trust manifests, egress policies, and pinned tools. But the concern remains: The open-web model is still domain-anchored. If the domain, DNS, server, repository, or deployment path is compromised, the catalog becomes a tempting, high-leverage target. ARD may improve discovery and verification, but it does not eliminate the need for ordinary security controls, authorization, governance, allowlists, code review, signing, monitoring, and policy enforcement.

Look, I'm not going to say I know security better than Google, Microsoft, and Cisco. But that added high-value target should be a source of concern for anyone adopting the use of ARD.

Reference implementations

Vendors are wiring ARD into their projects. The blog posts list the following three implementations as examples of ARD in use.

GitHub launched Agent Finder, built on ARD, which lets Copilot discover and call MCP servers, skills, tools, and agents at runtime from a public or private registry. Hugging Face has a Discover Tool, another ARD reference implementation, which offers semantic search to 'thousands of Skills and MCP Servers to connect to your agent.' Can you see why this stuff worries me just a little bit? Google supports ARD through Agent Registry in its Gemini Enterprise Agent Platform, with native support slated for the 'coming months.'

An open spec and an open invitation

The specification for ARD is available now, licensed under Apache 2.0 and built on the AI Catalog data model from a Linux Foundation working group. The Google blog says, 'The agent ecosystem works best when it is decentralized and open.' You can read more about the ARD spec at AgenticResourceDiscovery.org. There's also a GitHub registry for the spec available.

Is ARD the kind of plumbing AI agents need, or does it create a bigger attack surface than it solves? Let us know in the comments below.


Source:ZDNET News


Share:

Related posts
Your experience on this site will be improved by allowing cookies Cookie Policy

These cookies are essential for the website to function properly.

These cookies help us understand how visitors interact with the website.

These cookies are used to deliver personalized advertisements.