Blog · arXiv Analysis · Last reviewed June 24, 2026

The Source ID Becomes the Factuality Test

The June 2026 arXiv paper ProvenanceGuard: Source-Aware Factuality Verification for MCP-Based LLM Agents, by Ander Alvarez, Santhiya Rajan, Samuel Mugel, and Román Orús, argues that factuality checks for tool-using agents need to preserve source ownership, not only pooled support.

When True Is Still Wrong

A model-mediated answer can fail even when one of its sentences is supported somewhere in the record. The error is source ownership. If an agent says a claim came from a patient chart, but the support actually came from a literature abstract, the claim may be true in the pooled evidence and false in its attribution. For legal, clinical, financial, and enterprise workflows, that difference is not decorative. It changes who can rely on the answer.

The Alvarez, Rajan, Mugel, and Orús paper names this failure cross-source conflation. The term is useful because it separates ordinary unsupported fabrication from a more subtle failure: the agent has evidence, but it assigns that evidence to the wrong source. A source-blind metric may mark the answer as faithful because the combined context contains support. A source-aware verifier asks whether the answer credited the right tool output, database row, document, chart, API response, or retrieved passage.

This gives the site a fresh angle alongside its provenance layer and answer engine. Provenance is not only a label attached after publication. In an MCP-based agent, provenance becomes part of factuality itself.

What the Paper Tests

The paper, arXiv:2606.18037, was submitted on June 16, 2026. It introduces ProvenanceGuard, a source-aware verifier for answers grounded in Model Context Protocol traces. The system consumes captured traces with stable tool IDs, source IDs, and raw outputs. It then decomposes the answer into atomic claims, routes each claim to source-specific evidence, checks support using natural-language inference and a token-alignment proxy, compares stated attribution with the routed source, and returns per-claim verdicts plus an answer-level allow or block decision.
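The pipeline above, reduced to its core loop as an added illustration (this is not ProvenanceGuard's code): each claim is routed to the trace output that best supports it, the routed source is compared with the source the answer stated, and the answer is allowed only if every claim is both supported and correctly attributed. The trace format, the claim tuples, the 0.6 threshold, and the token-overlap scorer used in place of the paper's NLI check are all assumptions made here.

```python
import re

STOP = {"the", "a", "an", "of", "is", "in", "to", "and", "for", "on", "with"}

def tokens(text: str) -> set:
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP}

def support(claim: str, passage: str) -> float:
    """Fraction of claim tokens present in the passage: a token-alignment
    proxy standing in for the paper's NLI check (assumption, not its code)."""
    c = tokens(claim)
    return len(c & tokens(passage)) / len(c) if c else 0.0

def route(claim: str, trace: list) -> tuple:
    """Return (source_id, score) of the trace output that best supports the claim."""
    best = max(trace, key=lambda rec: support(claim, rec[2]))
    return best[1], support(claim, best[2])

def verify(trace: list, claims: list, threshold: float = 0.6) -> tuple:
    """Per-claim verdicts plus an answer-level allow/block decision."""
    verdicts = []
    for claim, stated in claims:
        routed, score = route(claim, trace)
        if score < threshold:
            status = "unsupported"
        elif routed != stated:
            status = "conflated"  # supported in the pool, credited to the wrong source
        else:
            status = "ok"
        verdicts.append({"claim": claim, "stated": stated, "routed": routed,
                         "score": round(score, 2), "status": status})
    decision = "allow" if all(v["status"] == "ok" for v in verdicts) else "block"
    return decision, verdicts

def source_blind(trace: list, claims: list, threshold: float = 0.6) -> str:
    """Baseline that pools every output and never asks which source owns the support."""
    pool = " ".join(rec[2] for rec in trace)
    return "allow" if all(support(c, pool) >= threshold for c, _ in claims) else "block"

# Constructed trace [(tool_id, source_id, raw_output)] and answer claims
# [(claim, stated_source_id)]; sample data, not from the paper's corpus.
TRACE = [
    ("ehr.read_chart", "chart:pt-0042", "Patient is allergic to penicillin. Current dose 5 mg daily."),
    ("pubmed.search", "abstract:PMID-PLACEHOLDER", "Trial reports warfarin reduced stroke risk by 64 percent."),
]
CLAIMS = [
    ("The patient is allergic to penicillin.", "chart:pt-0042"),
    ("Warfarin reduced stroke risk by 64 percent.", "chart:pt-0042"),  # wrong owner
]
```

On this sample, `source_blind(TRACE, CLAIMS)` returns "allow" because both claims are supported somewhere in the pool, while `verify(TRACE, CLAIMS)` blocks the answer and marks the second claim "conflated" with the abstract as its routed source.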

The evaluation is intentionally scoped. The authors use a frozen corpus of 281 captured medical-domain MCP-agent traces. A 266-trace subset produces 2,325 LLM-assisted claim labels, with 361 held-out labels reviewed by human experts. On the 40-trace held-out split, ProvenanceGuard reports block F1 of 0.802 and source accuracy of 0.858 over 260 source-eligible claims. Source-blind baselines are still useful for support, but the paper notes that they do not emit claim-to-source IDs.

The limits matter. On a harder multi-source benchmark, block F1 reaches 0.846 while source-plus-relation accuracy drops to 0.229. That is the honest result: blocking weak answers is easier than proving exact source ownership when several sources are semantically close. In 50 generated clinical conflation probes, ProvenanceGuard detects all deliberately injected attribution swaps with no retained wrong attribution. The paper also says repair-and-reverify resolves blocked answers in the full trace set, often through conservative fallback rather than substantive rewriting.

MCP Makes Provenance Operational

MCP-based agents make this problem sharper because they do not read one document. They may combine search results, APIs, databases, clinical records, formulary tools, CRM entries, billing records, tickets, calendars, code repositories, and internal knowledge bases. Once those sources are pooled into one model context, ordinary fluency can hide which source did the actual evidentiary work.

For a human reader, a citation is a pointer. For an agent, a source ID is also a control surface. It can decide whether a claim should be trusted, whether a tool result can justify an action, whether a record is in scope, whether privacy rules apply, and whether an audit can reconstruct the answer. If the source ID is wrong, the institution may think it acted on an authoritative record when it actually acted on a loosely related source.

This is different from hallucination. The danger is not that the model invented everything. The danger is that it mixed real fragments into an answer with the wrong chain of custody. That is why pooled evidence can become a laundering machine. Support exists somewhere, so the answer looks safe, while the institutional source of authority has shifted.

Governance Standard

A serious agent deployment should preserve source identity from tool call to final answer. At minimum, every answer-producing trace should retain tool ID, source ID, raw output, claim decomposition, routed supporting source, stated attribution, verifier verdict, repair history, and final allow or block decision. These are not only evaluation artifacts. They are audit records.

The practical rule is simple: do not let a model turn many sources into one undifferentiated blob before the system has preserved source ownership. Retrieval can be broad, but authority should remain narrow. A patient chart, a medical abstract, a policy document, a vendor FAQ, a customer ticket, and a model-generated summary should not carry the same evidentiary status simply because they landed in the same prompt.

The paper is careful about scope. It does not claim to solve open-domain factuality, clinical safety validation, or parametric-knowledge correction. That restraint is useful. Source-aware factuality is one axis of governance, not the whole safety case. It belongs beside agent logs, AI audit trails, retrieval evaluation, human review, and domain-specific validation.

What This Changes

The source ID becomes the factuality test because an answer is not only a set of claims. It is a claim about where knowledge came from. In agentic systems, that claim can route action, liability, trust, and institutional memory.

The Spiralist rule is therefore direct: a factuality checker that ignores source ownership is incomplete for tool-using agents. The question is not only "is this supported?" The harder question is "supported by which source, under which authority, and with what record left behind?"
