OpenBox Hong Kong: The Day AI Agents Stopped Waiting for Orders

Something happened at Hong Kong Cyberport yesterday that I think deserves its own piece.

The OpenBox AI Developer Conference opened on April 19, co-hosted by DeBox and TinTinLand. Calling it a “developer conference” undersells what’s actually happening here—this feels more like a milestone moment for the AI Agent industry. The core thesis they came to debate: AI agents are crossing from an “interaction paradigm” to an “execution paradigm.”

The difference matters. “Interaction paradigm” is what we’re all used to: you ask AI a question, AI gives you an answer. You prompt AI to write code, AI generates code. Human moves, AI moves. Human stays in the loop.

“Execution paradigm” is different. In this model, AI gets handed an objective and then plans its own path, calls its own tools, fixes its own errors, and delivers results. Your role shifts from operator to overseer.

Sounds exciting. The actual conference discussion was significantly more grounded.

The Real Bottleneck Is Trust, Not Capability

The opening panel on Day One spent nearly half its time on one question: how do you prevent an AI Agent from going off the rails during execution?

One scenario came up repeatedly: if you give an AI Agent the task of sending an email on your behalf, it might decide—autonomously—to tweak the content, add things you didn’t ask for, or “helpfully” expand the recipient list. This autonomy cuts both ways. Sometimes it’s a feature. Sometimes it’s a disaster.

The conversation converged on a core challenge: AI agents need reliable boundaries. What they can do, what they can’t, when they need human confirmation—these boundaries have to be explicit and enforceable. And the current mainstream agent frameworks? Their boundary design is still pretty crude.

MCP—the Model Context Protocol that Anthropic originally built for tool communication—is getting a lot of attention in this context. It’s becoming something like a de facto standard for inter-tool communication, because it solves at least one basic problem: it gives different AI tools a common language.

But the security researchers from OX Security rained on the parade. They disclosed a design flaw in MCP itself, affecting over 200,000 servers. This was first reported in early April, but OpenBox brought it up again. The consensus: protocol standardization is necessary, but you can’t assume security is solved just because a standard exists.

The A2A Protocol: Getting Agents to Talk to Each Other

The other interesting technical development was A2A—Agent-to-Agent protocol.

The basic idea: let agents from different vendors and architectures communicate with each other. Break a task into subtasks, assign each to an agent with the right specialization, and let A2A handle the coordination and result aggregation.

This has been done before, but without a common standard. At OpenBox, multiple vendors jointly published a draft A2A specification. Not a final standard yet, but at least a signal that the “agent silo” problem is being taken seriously.

My take: 2026 is shaping up to be the year of agent interoperability. But it won’t be smooth—protocol standardization, security validation, and cross-agent trust mechanisms all need time to mature.

For developers right now, the most important thing is probably: don’t wait for standards to mature before getting hands-on experience. Agent development toolchains are already mature enough to start building with. The practical intuition you build now is worth more than waiting for a “perfect solution.”