The Trust Tax Is Coming Due
This week's papers share a common subtext: the gap between what agentic AI demos promise and what production deployments actually deliver is widening, and the bill is starting to arrive. Three independent research groups, working on identity, code quality, and reasoning, all reached the same uncomfortable conclusion — the foundations are thinner than the marketing suggests.
Why These Three Papers, Together
The AIP paper from Sunil Prakash documents that essentially the entire Model Context Protocol ecosystem ships without authentication. A scan of approximately 2,000 servers found zero with verifiable identity. For executives who have spent the last year approving MCP integrations, this is the kind of finding that should trigger an immediate security review. The good news is that the proposed fix — Invocation-Bound Capability Tokens — adds negligible latency, which removes the usual excuse for delay.
SlopCodeBench, from a team spanning Google, Wisconsin, and several universities, attacks a different illusion: that coding agents are nearly ready to replace engineers. By measuring how agent-generated code degrades over iterative extension, the authors show that no agent fully solved any problem end-to-end, code complexity worsened in 77% of cases, and the resulting code was twice as bloated and structurally eroded as human-written equivalents. This is the empirical pushback to the 'agents will write all the code' narrative that procurement teams are being asked to underwrite.
The third paper, from MIT and collaborators, addresses something more philosophically interesting and just as commercially relevant. Standard LLM training collapses the model's internal distribution of possible answers onto a single dominant mode. For benchmark questions with one right answer, this is fine. For medical diagnosis, ambiguous queries, and incomplete-information settings — which is most enterprise work — it is actively harmful. The authors show that reinforcement learning can be modified to preserve and surface multiple plausible hypotheses with calibrated confidence.
What This Means for the Industry
Taken together, these papers argue that the next twelve months of enterprise AI investment should prioritize foundational concerns over flashier capabilities. Identity infrastructure for agents needs to be deployed before, not after, the next wave of integrations. Coding agent procurement should require iterative-task benchmarks, not single-shot scores. And teams building decision-support systems in ambiguous domains should be asking vendors which post-training regime their models use, because mode collapse is a measurable property, not a vibe.
The strategic read is that the AI industry is entering a measurement phase. The easy benchmarks have been saturated, and the harder questions — does your agent know who it is, does its code rot, does it know what it doesn't know — are now where competitive advantage will be won and lost.
AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A
Sunil Prakash's paper begins with a finding that should land in every CISO's inbox: a scan of approximately 2,000 MCP servers found none with authentication. The Model Context Protocol and the Agent-to-Agent protocol have become the de facto plumbing for enterprise agent deployments, but neither verifies who is on the other end of a call. The paper introduces Invocation-Bound Capability Tokens, which combine identity, attenuated authorization, and provenance binding into a single append-only token chain. Two wire formats are supported — a compact signed JWT for single-hop calls and a chained Biscuit token with Datalog policies for multi-hop delegation — with reference implementations in both Python and Rust that interoperate cleanly.
The numbers matter for adoption. Verification takes 0.049 milliseconds in Rust and 0.189 milliseconds in Python. In a real deployment using Gemini 2.5 Flash, the protocol added 2.35 milliseconds of overhead, or 0.086 percent of end-to-end latency. Across 600 adversarial attack attempts, the rejection rate was 100 percent, and two attack classes — delegation depth violations and audit evasion through empty context — were uniquely detected by AIP's chained delegation model.
For business leaders, the takeaway is direct. The performance objection to agent identity is now closed. Any enterprise deploying agentic systems in 2026 should treat verifiable delegation as table stakes, not a nice-to-have. The reputational and regulatory exposure from an agent acting under a compromised identity will dwarf the cost of implementing this layer up front.
SlopCodeBench: Benchmarking How Coding Agents Degrade Over Long-Horizon Iterative Tasks
This paper, from a group led by Gabriel Orlanski and Devjeet Roy, is the most useful counter-narrative document the AI industry has produced this quarter. Existing coding benchmarks evaluate agents on single-shot tasks, which is a poor match for how software is actually built. SlopCodeBench presents 36 problems with 196 checkpoints, where agents must repeatedly extend their own solutions while making architectural decisions that affect future work. Fifteen coding agents were evaluated across open and closed models.
The findings are blunt. No agent fully solved any problem end-to-end. The best agent passed 14.8 percent of checkpoints. Structural erosion — where complexity becomes concentrated and unmanageable — increased in 77 percent of trajectories, and verbosity worsened in 75.5 percent. Compared against 473 open-source Python repositories, agent code was 2.3 times more verbose and 2.0 times more eroded, and human repositories degraded less often and by smaller margins across their git histories. Adding explicit quality guidance reduced initial verbosity and erosion by up to a third but did not change the rate of degradation.
For executives evaluating coding agent vendors, this paper provides the framework that has been missing. Ask vendors for iterative-task results, not single-shot pass rates. Budget for refactoring and human code review at higher levels than vendor demos suggest. Recognize that prompt-engineered quality improvements are real but bounded — the architectural problem requires architectural solutions.
Reaching Beyond the Mode: RL for Distributional Reasoning in Language Models
Isha Puri and collaborators at MIT, working with Yoon Kim and Jacob Andreas, address a quieter but ultimately more strategic problem. A language model implicitly encodes a distribution over possible answers to any question. Standard post-training procedures collapse that distribution onto a single dominant mode. For benchmark questions with one correct answer, this works. For medical diagnosis, ambiguous customer queries, legal analysis, and most settings with incomplete information, the model's certainty is misleading and sometimes dangerous.
The paper introduces a multi-answer reinforcement learning approach that trains models to generate multiple plausible candidate answers in a single forward pass, with confidence estimates, internalizing aspects of inference-time search into the generative process itself. Across question-answering, medical diagnostic, and coding benchmarks, the trained models showed improved diversity, coverage, and set-level calibration, used fewer tokens than best-of-k sampling approaches, and were substantially more accurate on coding tasks.
The commercial implication is that what the industry has been calling hallucination in ambiguous domains is partially a training artifact. Mode collapse is fixable at the training stage, which means the right question to ask vendors building decision-support systems is not 'how do you prevent hallucination' but 'what does your post-training regime do to the answer distribution.' For regulated industries, this distinction will increasingly matter.
Key Takeaways
• A scan of roughly 2,000 MCP servers found zero authentication, meaning most enterprise agent deployments currently trust any caller claiming to be an agent — treat this as a 2026 security audit priority, not a 2027 concern.
• Verifiable agent identity adds only 2.35ms of overhead in real multi-agent deployments (0.086% of total latency), so the standard 'security slows us down' objection no longer applies to the agent identity problem.
• The best coding agent in the SlopCodeBench evaluation passed only 14.8% of long-horizon checkpoints, and 77% of agent trajectories showed worsening structural erosion — single-shot benchmarks have been hiding this from buyers.
• Agent-generated code is 2.3x more verbose and 2.0x more structurally eroded than human-written open-source Python, which means agent code review and refactoring budgets should be sized higher, not lower, than human equivalents.
• Explicit quality guidance reduces initial bloat by up to a third but does not slow the rate of degradation — prompt engineering is a band-aid on a deeper architectural problem with iterative agent coding.
• Many high-value enterprise tasks (medical diagnosis, risk assessment, ambiguous customer queries) have multiple valid answers, but standard LLM post-training collapses them to one — this is now addressable through multi-answer RL rather than expensive inference-time sampling.
• What the industry has been labeling 'hallucination' in ambiguous domains is increasingly understood as a training artifact of mode collapse, which reframes the mitigation strategy from guardrails to model selection and fine-tuning.