A2A Integration
How the platform interfaces with external carrier and broker agents across three integration maturity models — all coexisting simultaneously.
Integration Maturity Models
Model 1 — BP Managed
Carrier is passive. BP owns appetite, eligibility, and question set logic. Carrier exposes only Quote/Bind APIs. No agent-to-agent communication — pure API integration.
Model 2 — Distributed
Carrier owns their logic (appetite, eligibility, question sets). Partner Engine maintains wrapper layers that call out to carrier systems. Still API-based — the wrappers are integration adapters, not agents.
Model 3 — True Agentic
Carrier has their own Orchestrator Agent, deep agents, and Carrier MCP server. Fully autonomous carrier-side intelligence. Requires A2A protocol layer between BP and carrier systems.
All three models coexist simultaneously — different carriers at different maturity levels. Outbound agents adapt per counterparty — same pipeline, different topologies.
A2A Architecture — Distributed Agent Communication
Legend: 🟤 User · 🔵 BP Orchestrator · 🟦 MCP Server · 🔷 Broker Agent Mgr · 🟣 Carrier Agent Mgr · 🟪 A2A Server · 🔴 Carrier Systems
Four MCP clients, one tool server. The BP Orchestrator, A2A Server, and Outbound Agent Managers all connect to the Insurance Intelligence MCP Server. The A2A Server is the protocol boundary between BP and external agents — all traffic passes through it. Outbound Agent Managers handle business logic with different graph topologies per counterparty.
Outbound Deep Agents
A2A Server (Protocol Boundary)
Stateless: Validate → Classify → Route. Not a deep agent. The protocol boundary between BP and external agents. Inbound: validates identity, classifies request, routes to MCP tools. Outbound: agent managers communicate through it. Deterministic pipeline with input sanitization.
Agent Managers (Broker + Carrier)
| Capability | Broker Agent Manager | Carrier Agent Manager |
|---|---|---|
| Lifecycle | Submission lifecycle: intake → docs → forward → status → bind | Negotiation lifecycle: submission → UW conversation → pricing → conditions → bind |
| Adversarial Awareness | Eligibility probing, MI model gaming, appetite mining | Cross-tenant PII, internal data extraction, scope escalation |
| Hardened Graph | LLM confined to classify + compose nodes. Authorization and data classification gates are graph nodes, not prompt instructions. | Same structural enforcement — graph topology differs per counterparty. |
Outbound Agent Processing Pipeline
Both outbound agents use this hardened pipeline. Graph topology differs per counterparty — same structural enforcement.
Receive Message → Classify Request (LLM) → Lookup Data (MCP) → 🔴 Authorization Gate → Compose Response (LLM) → 🔴 Data Classification → Send Response → Audit Trail
| Node Type | Role |
|---|---|
| 🟣 LLM (confined) | Classify and compose only — no flow control |
| 🟢 MCP Tool (deterministic) | Data lookup via MCP tools |
| 🔴 Structural Gate | Authorization and data classification — graph nodes, not prompts |
| 🟤 A2A Protocol | Message receive/send boundary |
| 🟢 Audit | Full audit trail on every node transition |
A2A Task Lifecycle
Legend: 🟦 Tool Call · 🔵 Task State · 🟠 Input Needed · 🟢 Completed · 🔴 Failed
Why Graph-Based, Not Flexible Orchestrator
- Structural enforcement — authorization and data classification gates are graph nodes, not prompt instructions. The LLM cannot bypass them.
- Confined LLM reasoning — the LLM operates at two specific nodes (classify, compose). It does not control flow. The graph controls flow.
- Deterministic audit trail — every node transition is logged. Required for regulatory compliance.
- Attack surface reduction — external messages pass through input sanitization before reaching any LLM node.