Helmwart
← Atlas · Mitigations Tier 2 · Real-composable

MITIGATION · m-multi-source-verify

Multi-source verification — cross-check factual claims against an independent source before commit

An agent that writes a false claim to memory, passes it to a downstream agent, or returns it to a user has introduced an error that each subsequent step may treat as established fact. The cascade depends on one condition: the false claim goes unchallenged. Multi-source verification breaks that condition by requiring every novel factual assertion to be corroborated by a structurally independent source before it is committed. If the second source cannot corroborate the claim, the assertion is refused or down-weighted before it enters any downstream step.

Last reviewed 2026-05-12 · Status: published · Evidence →

At a glance

MATURITY
Tier 2
Available off-the-shelf or as a documented pattern, but newer or less broadly proven. Expect integration work and some operational nuance.
PLACES ON
node
Restricted to node kinds: agent
COVERAGE
1 threat
T5
TRADE-OFFS
LAT
medium
COST
medium
UX
low
DEV
medium
Latency · cost · UX friction · dev effort.
TL;DR
  • Every novel factual assertion the agent produces is checked against a structurally independent second source before it is committed to memory, passed to a downstream agent, or returned to a user.
  • Corpus independence is the load-bearing requirement: two retrievers that index the same upstream data lake share any poisoning event and will agree on a false claim for the same reason it was introduced. Independence requires separate source corpora, not just separate indices.
  • Three verified production patterns: citation-required output (every claim must be backed by a retrieved passage at the API level), cross-source agreement (two independent retrievers must agree above a confidence threshold), and tool-augmented checking (an external structured lookup confirms the claim for fact types that have a queryable ground truth).
  • When retrievers disagree or the second source returns insufficient evidence, the claim is refused or down-weighted before it enters any persistent store. The cascade cannot start if the false claim never reaches the first store.

How it behaves

Agent produces output containing factual claims before commit or response delivery
Extract atomic claims, retrieve supporting passages from an independent corpus, score entailment between each claim and its passages, compare per-retriever top results for agreement
Output committed or delivered with citations attached
Output refused or flagged; rejection logged with claim text, score, and source-disagreement detail
Structural corpus independence is required. Two retrievers on the same data lake produce false confidence, not real verification.

What it is

A factual claim inside an agent pipeline is a statement the agent intends to treat as true: to write into memory, pass to a downstream agent, or return to a user. If the claim is wrong, every step that receives it may compound the error. This is the mechanism behind OWASP T5 Cascading Hallucination Attacks: a false assertion, once embedded, propagates because nothing downstream is positioned to challenge it.

Multi-source verification is a commit-boundary check. Before a factual claim is committed, the agent queries a structurally independent second source and checks whether that source corroborates the assertion. If the sources disagree, or if the second source cannot find supporting evidence above a confidence threshold, the claim is refused or down-weighted before it reaches any persistent store or downstream agent.

The load-bearing requirement is corpus independence. Two retrievers that index the same underlying data lake, or two models trained on overlapping corpora, share any poisoning event that affected the upstream data. They will agree on a false claim for the same reason the claim was introduced in the first place. Structural independence means the two sources are maintained separately, draw on different upstream datasets, and have no shared failure mode.

Detection signals

  • Uncited assertions per agent output. A rising rate signals that the grounding step is being skipped or is failing silently.
  • Source-disagreement rate. A sustained increase signals upstream data drift or a corpus being poisoned.

Threats it covers

  • T5 Cascading Hallucination Attacks −1 severity step

    WHY IT HELPS Cascading Hallucination Attacks propagate a false claim through an agent pipeline by embedding it into shared memory or passing it between agents in a way that each recipient treats as established fact. The cascade relies on the claim never encountering a source that contradicts it. An independent verification gate at the commit boundary breaks this reliance: a second source that disagrees, or that cannot find supporting evidence, halts propagation before the claim is embedded.

Principle coverage

Defence-in-Depth stage: Prevent — and it advances:

  • Robustness / Reliability Multi-source verification strengthens robustness at the factual-commit boundary: by requiring agreement from a structurally independent source before any claim is embedded, it prevents a single corrupted or hallucinated assertion from propagating unchallenged through the pipeline and accumulating into a system-wide error state.

Design & governance principles (open design, economy of mechanism, accountability, …) are architectural, not advanced by a single placed control.

Implementation options

Five verified implementation options covering different layers of the verify-before-commit pattern: Anthropic Citations API for claim-level grounding enforced at the API, LangChain EnsembleRetriever for parallel multi-index retrieval with cross-retriever disagreement detection, Cohere Rerank as a cheap first-pass relevance filter before entailment scoring, FacTool-style tool-augmented checking for structured fact types with queryable external ground truth, and a dedicated fact-checker LLM call with secondary RAG for high-stakes commits where latency is acceptable. Use at least one retrieval-based option; add the LLM-based check only for high-impact commits.

Anthropic Citations API Set citations.enabled=true on each source document passed to the Messages API. Claude pins every output claim to a character- or page-level location in the supplied documents; claims without a valid citation location are suppressed.

Why choose it: Best for Claude-based agents where claim-level grounding must be enforced at the API rather than via post-hoc prompt instructions. Grounding is guaranteed by the API, not by the model's willingness to cite. Corpus independence must still be enforced by the caller: supplying a single document, or multiple documents from the same upstream corpus, does not provide real cross-source corroboration. Incompatible with Structured Outputs.

More details:

LangChain EnsembleRetriever Route each claim query to N independent retrievers in parallel and merge results via reciprocal rank fusion (RRF). Flag claims where the top-scoring document across retrievers falls below a minimum relevance threshold, or where retrievers disagree on the top result.

Why choose it: Best for teams using LangChain who want structural corpus independence enforced at the retriever layer. Each retriever must index a structurally independent corpus; using the same upstream data lake across retrievers defeats the independence requirement. RRF merging produces a single ranked list: disagreement detection requires a separate comparison step on the pre-merge per-retriever top results. Running retrievers in parallel limits latency cost.

More details:

Cohere Rerank Pass each agent claim as the query and chunks from a secondary corpus as the documents. A low top relevance score signals the claim is unsupported by the independent corpus. Acts as a low-latency first-pass filter before an entailment model is applied to shortlisted chunks.

Why choose it: Best as a cost-efficient first-pass filter where latency is constrained. Rerank scores relevance, not factual entailment: a high score means the document is topically related to the claim, not that the claim is factually supported. A downstream cross-encoder NLI model is required for genuine entailment scoring; rerank alone is insufficient as a verification gate.

More details:

FacTool tool-augmented checker Extract atomic factual claims from agent output using NER or a claim-detection model, then for each claim issue an external tool call (search API, knowledge base query, structured data lookup) to retrieve supporting evidence. Score entailment between claim and retrieved evidence; refuse or flag claims below threshold.

Why choose it: Best for agents that make structured, verifiable claims (factual QA, code generation, mathematical assertions, literature citations) where an appropriate external tool exists for each claim type. Validated across QA, code, maths, and literature review tasks. Claim extraction can itself miss implicit claims or produce incorrect claim boundaries, leaving gaps in coverage. Tool call latency scales linearly with claim count. FacTool is a research codebase, not a maintained production SDK; production teams must adapt the pattern to their retrieval stack.

More details:

Dedicated fact-checker LLM with secondary RAG After the primary agent produces output, invoke a second LLM call with a structured fact-checking prompt: retrieve N passages from an independent corpus, present the claim and the passages, and ask the model to return SUPPORTED / REFUTED / NOT_ENOUGH_INFO with a reason. Refuse or flag the primary output if the verdict is not SUPPORTED.

Why choose it: Best for high-stakes commits (memory writes, actions with external consequences) where latency is acceptable and the claim surface is too wide for structured tool calls. Based on OWASP Playbook 2 "probabilistic truth-checking against trusted sources before commit." Adds a full LLM inference round-trip per fact-check pass. Quality depends on secondary corpus coverage: sparse corpora produce NOT_ENOUGH_INFO rather than REFUTED, which requires an explicit handling policy (fail-open or fail-closed).

More details:

Trade-offs

  • Each verified claim adds a retrieval plus entailment call. In practice this is 100-500 ms of added latency per claim and roughly double the retrieval API cost relative to an unverified pipeline. For a response containing five factual claims, total verification overhead can reach two to three seconds.
  • Corpus independence is caller-enforced, not automatic in any of the retrieval options. The structural requirement for breaking a hallucination cascade is that the two sources do not share an upstream corpus or poisoning event.
  • Claim extraction is itself a failure mode: a claim-detection step can miss implicit claims or hallucinate claim boundaries, producing incomplete verification coverage without surfacing the gap.
  • Dev effort is medium. Wiring independent retrievers, entailment scoring, and per-claim citation binding into a multi-step agent pipeline requires deliberate plumbing at each commit boundary; the individual components are mature but the composed flow is not provided by any single framework.

When NOT to use

  • Do not apply multi-source verification to creative or generative tasks (drafting, summarisation, brainstorming) where there is no external ground truth to verify against. It will produce spurious refusals or degrade into meaningless citation-hunting.
  • Avoid it for real-time conversational agents where latency is the primary constraint and the content is low-stakes. The added seconds of verification round-trips will harm the user experience more than unverified output would harm the user.
  • Do not use this control when your retrieval corpus is single-sourced by design (for example, a proprietary internal knowledge base). Structural corpus independence is impossible in that configuration, and the control reduces to a repeated query against the same data, which adds cost without adding safety.

Limitations

  • If both sources draw on the same underlying corpus, multi-source verification produces false confidence. A poisoned corpus replicated across two retrievers will produce agreement on the false claim. Independence requires separate source corpora, not just separate indices.
  • Rerank scores relevance, not entailment. A high relevance score means the document is topically related to the claim, not that the claim is factually supported. A cross-encoder NLI model is required for genuine entailment verification.
  • The pattern does not address claims about the agent's own internal state or reasoning, only claims about external facts that can be looked up in a corpus.

Maturity tier reasoning

  • Tier 2 (real-composable): retrieval, entailment scoring, and citation-mode are Tier 1 mature primitives available from multiple production providers. The composed multi-source verification flow is operational composition of those components.
  • What keeps it from Tier 1 is the absence of a standard library or platform feature that enforces corpus independence and surfaces inter-retriever disagreement as a first-class signal. Every deployment assembles this from individual primitives, and the independence requirement must be verified by the team, not by the framework.

Last verified against upstream docs: 2026-05-30.