The model did not hallucinate. The data was never read.
If you let an agent read enterprise systems through a tool connector, this failure is already in your pipeline, and it is silent: the model does not hallucinate, the data is simply never read.
An agent is asked whether a supplier's safety certification is current. It calls a search tool, gets a result titled "Supplier Certification Overview," and reports that the supplier is certified. The answer is wrong: the snippet came from a two-year-old summary, and the current status, a lapsed certificate with a renewal in progress, was in a hidden tab the search never opened. Two steps later a second agent has written "certified" into a sourcing decision, and nothing records that the status was never read from a current source.
The model summarised exactly what the tool handed it. The failure was upstream, in the gap between the tool returned a result and the data was actually captured. The fix is not a smarter model. It is a discipline: never treat a search result as data, capture the real body, record where it came from, and refuse to promote any claim that cannot point back to a real source. Applied to an MCP surface, that discipline is MCP harvesting. The mechanics are ordinary, and section vii of the full note names which prior work each piece comes from. The contribution is two framings and one experiment.
The surface you are given is lossy, and you cannot fix it.
The new consumer of enterprise data is often another agent, and it cannot glance at a snippet and infer the rest, cannot tell a result is tangential, and does not get a second look. When the reader is a machine, the data has to carry its own context. The industry has noticed the demand side: a16z made machine legibility a headline of its 2026 outlook, and the data vendors are merging to ship "context layers" agents can read. Every one of those is written for the data producer, the team that owns the system and can clean it. The agent owner who was granted access to someone else's flaky surface, and has no authority to fix the server, is the consumer side of the same problem, and the 2026 discourse does not serve them.
That surface is lossy and non-deterministic, measured rather than asserted: a 2026 benchmark of real multi-tool tasks found frontier models completing under 60 percent of them, needing a parallel reference harness just to account for the surface returning different things at different times.1 The failure modes are specific and repeatable, and each one shapes the architecture.
- A search hit is a lead, not evidence. A title or snippet is not the document; it becomes evidence only when a second call captures the actual body. Classify honestly what you captured; a preserved-but-unread file is a recorded gap, not a success.
- A "permission denied" is often a routing artifact. A file the user can already open returns 403 on one route and resolves on another. Chain fallback routes inside that one granted access, and record the trail. A genuine denial is a gap, never retried.
- A record id is not a content identity. The same bytes appear under two ids; hash the content and make the hash the identity, or you double-count.
- Search is ambiguous, and the failure is entity resolution. A query for one company matches a different one named alike. Bind every record to its entity by strength and keep only the strong bindings. Most agent failures over enterprise data are entity-resolution failures wearing the costume of reasoning failures.
- It is a documented security exposure. The lethal trifecta of tool access, untrusted content, and outbound capability has a name and a growing incident list; a 2026 review reported roughly two hundred thousand exposed servers.2 Recording origin, classifying sensitivity, and never executing what you ingest is both the harvest discipline and the security posture.
Sample a sensor, do not call an API.
You do not trust any single read. You sample repeatedly, stamp every sample with where and when it came from, and make the sampling safe to repeat. Idempotency, content hashing, and the disk boundary are not arbitrary choices; they are what sampling a sensor requires.
The real decision is not deterministic or agentic. It is where you draw the line between the two.
The line is the disk. The agent collects and writes raw bytes; every deterministic guarantee runs on what is now on disk. There is one honest seam: the first hop, the agent issuing the call, is itself agent-mediated and not fully deterministic, so the discipline keeps that hop thin and mechanical and makes everything downstream idempotent, so a re-run catches what a flaky first read missed.
Plain code for the mechanics, a model only for meaning.
Any step that touches input or output, retries, hashing, file paths, or rate limits is plain code. Any step that requires judgment about meaning is the model. Mixing them is the bug: the hash decides whether two files are duplicates, and the model decides what they mean.
Refine with a model cascade, then gate every claim.
Refinement turns the raw harvest into typed knowledge through a cheap-model, expensive-model cascade. To be exact: in the single run on record, one top-tier model did both steps. The cascade is the design, not a result shown yet, and the savings the literature reports are modest, around a quarter to a half at matched quality, not the headline figures.3
The output is a typed atom: one claim, a payload a schema constrains, and two things that make it checkable. A locator carries the source, the content hash, the exact location, and a short quote copied literally from the source, the falsifiability handle; if the model cannot produce a real quote, the atom is dropped. An evidence strength, one of stated, implied, or inferred, tells a downstream agent how far to trust it.
Then the gate. The single strongest reason it exists: a 2026 study found citation links almost always work and are usually on-topic, yet the share of claims the cited source actually supports ran from 24 to 77 percent, collapsing toward 17 percent for one frontier model as tool calls scaled into the hundreds.4 A citation that looks valid and is not is worse than no citation, because it passes a glance. So the gate checks, deterministically, that the cited artifact is present, the quote appears, and the claim does not contradict the aggregated facts. Whether the better semantic check actually pays is the next section.
A similarity gate scores relatedness. Relatedness is not support.
A claim that can be wrong, the experiment pre-registered to break it, and what happened when it ran.
An entailment gate catches materially more unsupported claims than a similarity gate, at a false-refuse rate worth the cost.
72 hand-authored claim and source pairs in generic enterprise domains, 28 genuinely supported and 44 not, labelled by hand. Built hard in both directions: unsupported claims that overlap their source heavily (a scope widened from "US data centres" to "all," a plan reported as a fact, a rival's layoffs attributed to the company), and supported claims worded so differently that surface similarity is low. Four gates ran over the same pairs.
| gate | catch | false-refuse | accuracy |
|---|---|---|---|
| LLM reasoning / entailment judges support, two model families agree | 0.98 to 1.00 | 0.04 to 0.07 | 0.96 to 0.97 |
| embedding similarity cosine of claim against source, best threshold | 0.84 | 0.68 | 0.64 |
| lexical similarity term-frequency cosine, best threshold | 0.86 | 0.71 | 0.64 |
The structural reason is in the embeddings: the unsupported similarity-traps average a cosine of 0.89 to their source and the contradicted pairs 0.87, both higher than the genuinely supported paraphrases at 0.77. No threshold separates supported from unsupported, because the most dangerous unsupported claims look more like their source than the honest supported ones do. To catch most unsupported claims a similarity gate has to reject most good ones. The pre-registered falsification condition, that entailment fails to beat similarity at an equal or lower false-refuse rate, did not trigger. On this corpus the claim survives.
What this does and does not establish. The corpus is synthetic, authored and labelled by a single person, so it has no independent label check; it is built to contain the adversarial cases the grounding literature documents in the wild, and the finding is the gap between gate types, not an absolute rate. The "embedding gate" is a bi-encoder cosine; a cross-encoder or a fine-tuned natural-language-inference model would do better, and shades into the entailment gate. That is the honest boundary: similarity scoring cannot separate related from supported; entailment judgment, whether a small fine-tuned model or an LLM, can.
And what one production run cannot show
The full pattern was also run end to end once, on a single enterprise account. It demonstrated the failure modes in the wild: the same bytes under two ids that hashing caught, a record named after the target that belonged to a different company, material the convenient query path missed.
Zero rejections is what a working gate and a broken one both produce.
The grounding review returned zero unsupported and zero contradicted claims, and that is not read as success. On a relatively clean corpus graded by a capable model, zero rejections is exactly what an over-accepting verifier produces, and this run cannot distinguish the two. The cascade did not run; one top-tier model did everything, so the cost figure is the un-cascaded one. The controlled experiment above is where the gate's reject path was actually exercised.
When to use this, and when not.
If a clean, complete API sits right behind the surface and you are authorised to call it, building this machinery is the wrong tool. The pattern earns its keep in a narrow box, and outside it is over-engineering.
| if the situation is | then |
|---|---|
| a clean, complete API you are authorised to call | Call the API. Skip harvesting. |
| a small, static corpus with one reader | Put the raw files in a long-context model. |
| a low-stakes, one-shot question | Answer it directly. Provenance is pure cost. |
| a changing, multi-reader corpus behind a surface you cannot replace, where a wrong answer gets acted on | Harvest: deterministic spine, cascade, grounding gate. |
One boundary on the architecture: the deterministic spine is only as deterministic as the surface allows. If the server is a thin shell over flaky screen automation, the retries are deterministically re-poking an unstable pipe. Harvesting bounds the damage, it records what it got and refuses to over-claim, but it cannot manufacture a reliability the source does not have.
The conditions under which this is wrong.
- Not "MCP replaced the API." The API usually remains the source of truth. The claim is only that the surface an agent is granted is increasingly lossier than the API behind it.
- The mechanics are not new. Idempotent extraction is data engineering; the cascade is model routing; the deterministic-around-the-model shape is compound AI systems.5 The contribution is two framings and one experiment.
- Frontier models may shrink the niche. The pattern durably wins only where provenance is required, the fact count is high, freshness matters, and an audit trail is mandatory. Outside that box it is over-engineering, the condition that would make this wrong.
- The central benefit is unproven on production data. The gate result is on a synthetic set; the one production run did not run the cascade or exercise the gate's reject path. The magnitudes are corpus-specific; the structural claims are what transfer.
- The substrate mostly does not exist in production yet. Analysts rate agent-ready data as over-hyped and forecast more than 40 percent of agentic projects cancelled within two years.6 The missing substrate is the opportunity and the reason most attempts will not ship.
The reader is a machine. The surface gives it less.
The shift underneath all of this is that the consumer of enterprise data is becoming a machine that needs more structure and more provenance than a human ever did, and the access it is granted is becoming an unreliable tool surface rather than a clean API. MCP harvesting answers both at once: it samples the surface like a sensor, stamps every sample, refines with a model only where judgment is genuinely required, and gates the result so an unsupported claim cannot pass as a supported one. The mechanics are borrowed and named honestly. What this note defends is the framing, and the one test that says whether the central design choice earns its cost.
An independent applied-AI research note by Arseny Gorokh. Not an official EPAM publication. The pattern is drawn from building a real harvesting agent; all worked examples are composite or synthetic and describe no single client. The gate result is one controlled experiment on a hand-authored set of 72 pairs, reported as such. Re-run the harness in the companion repository before treating any number as portable.
References
- LiveMCP-101 (Duke University and Zoom), arXiv:2508.15760, 2025. Frontier models under 60% on real multi-tool MCP tasks.
- OX Security, MCP supply-chain advisory, Apr 2026; Simon Willison, the lethal trifecta, 2025.
- FrugalGPT (Chen et al.), arXiv:2305.05176, 2023; UCCI, arXiv:2605.18796, 2026 (31% at matched accuracy).
- Cited but Not Verified, arXiv:2605.06635, 2026. Citation links 94 to 100% valid; per-claim factual support 24 to 77%.
- Zaharia et al., The shift from models to compound AI systems, Berkeley BAIR, 2024.
- Gartner, more than 40% of agentic AI projects cancelled by end of 2027, 2025; KRAMABENCH, arXiv:2506.06541, ICLR 2026.