EVIDENCE TRAIL
Multi-source verification — independent fact-check before commit
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. Two attribution errors in the MDX are noted inline: the cited NIST action (MEASURE 2.7) does not cover cross-source corroboration — the correct action is MS-2.5-003; and ATLAS AML.M0006 is named "Use Ensemble Methods" in the catalogue, not "Independent External Validation".
Last cross-checked against upstream sources: · 8 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
§T5 Cascading Hallucination Attacks — Threat Description
"Cascading Hallucination Attacks exploit AI agents' inability to distinguish fact from fiction, allowing false information to propagate, embed, and amplify across interconnected systems, leading to incremental corruption, context exploitation, and systemic misinformation spread."
Supports: Verbatim definition of the threat class this control directly addresses. The propagation mechanic ("amplify across interconnected systems") is what independent fact-checking interrupts — a second structurally-independent source breaks the echo path before commit.
Does not prove: The T5 summary table row does not name multi-source verification as its mitigation; mitigations are elaborated in Playbook 2 (Memory Poisoning and AI Knowledge Corruption). The control is therefore an inference from the threat anatomy, not a literal lift from the T5 row.
OWASP Agentic AI — Threats & Mitigations v1.1
Playbook 2: Preventing Memory Poisoning & AI Knowledge Corruption — Step 1: Secure AI Memory Access & Validation (Proactive)
"Require multi-agent and external validation before committing memory changes that persist across sessions. (Pre-commit validation to prevent self-reinforcing or unverified knowledge from persisting.) Require probabilistic truth-checking to verify new AI knowledge against trusted sources before committing to long-term storage. (Pre-commit fact-checking to reduce misinformation persistence.)"
Supports: Explicit upstream call for multi-source/external validation and truth-checking before commit — the exact operational pattern this control instantiates. Playbook 2 is explicitly tagged "Mitigates: Memory Poisoning, Cascading Hallucination Attacks".
Does not prove: Playbook 2 frames the control as a memory-commit gate (long-term storage), not a per-assertion claim-verification pass. Helmwart generalises the pattern to cover inline agent output before any downstream commit or action.
OWASP Agentic AI — Threats & Mitigations v1.1
§T5 Cascading Hallucination Attacks — extended description (LLM09:2025 framing paragraph)
"In single-agent environments, hallucinations can compound through self-reinforcement mechanisms such as reflection, self-critique, or memory recall, causing the agent to reinforce and rely on false information across multiple interactions. In multi-agent systems, misinformation can propagate and amplify across agents through inter-agent communication loops, leading to cascading errors and systemic failures."
Supports: Explains why a single unverified fact can cascade — reflection and inter-agent loops amplify it. Multi-source verification directly attacks this by ensuring no single unverified claim enters those loops.
Does not prove: Describes the attack pathway, not a prescribed control. Does not name retrieval-augmented verification or entailment scoring as the interruption mechanism.
OWASP LLM Top 10 v2025 — LLM09:2025 Misinformation
LLM09:2025 — Prevention and Mitigation Strategies §3 "Cross-Verification and Human Oversight"
"Encourage users to cross-check LLM outputs with trusted external sources to ensure the accuracy of the information. Implement human oversight and fact-checking processes, especially for critical or sensitive information."
Supports: Names cross-checking against trusted external sources and fact-checking as the primary mitigation for LLM misinformation — the foundational pattern multi-source verification automates at the system level.
Does not prove: Frames verification as a user responsibility ("encourage users"), not a system-enforced gate. Does not specify retrieval-augmented or entailment-based approaches. Helmwart hardens this into an automated pipeline control.
OWASP LLM Top 10 v2025 — LLM09:2025 Misinformation
LLM09:2025 — Prevention and Mitigation Strategies §8 "Training and Education"
"Provide comprehensive training for users on the limitations of LLMs, the importance of independent verification of generated content, and the need for critical thinking."
Supports: Explicit upstream use of the phrase "independent verification of generated content" — the closest verbatim source for the control's core concept in the LLM Top 10 corpus.
Does not prove: Scoped to user training, not to automated pipeline design. Does not address multi-agent propagation or cross-source corpus independence.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
MEASURE 2.5 — "AI system to be deployed is demonstrated to be valid and reliable" — Action MS-2.5-003 (mapped risk: Confabulation)
"Review and verify sources and citations in GAI system outputs during pre-deployment risk measurement and ongoing monitoring activities."
Supports: Direct NIST action calling for verification of sources and citations in GAI outputs — precisely what this control operationalises. Mapped to the Confabulation risk category, which is NIST's formal term for hallucination.
Does not prove: MS-2.5-003 is a TEVV (Test, Evaluation, Validation, and Verification) measurement action — it describes what evaluators should do at deployment time, not a runtime pipeline guard. Helmwart re-applies the same verification logic inline at inference time. Note: the MDX page cites MEASURE-2.7 for this claim; MEASURE 2.7 covers security and resilience evaluation (MS-2.7-001 to MS-2.7-004) and does not mention cross-source corroboration. The correct action is MS-2.5-003.
MITRE ATLAS — AML.T0067 LLM Trusted Output Components Manipulation
AML.T0067 — technique description. Sub-technique AML.T0067.000 (Citations): "Adversaries may manipulate the citations provided in an AI system's response, in order to make it appear trustworthy. Variants include citing a providing the wrong citation, making up a new citation, or providing the right citation but for adversary-provided data."
"Adversaries may utilize prompts to a large language model (LLM) which manipulate various components of its response in order to make it appear trustworthy to the user."
Supports: Names the attack this control directly defends against: adversarially fabricated or manipulated citations. Multi-source verification — requiring each claim to be independently corroborated, not just cited — catches the AML.T0067.000 sub-technique by checking the citation's actual content against an independent source.
Does not prove: AML.T0067 is an adversarial technique entry, not a mitigation. It does not prescribe verification as a countermeasure; the inference is structural (detect fabricated citations by independently verifying them).
MITRE ATLAS — AML.M0006 Use Ensemble Methods
AML.M0006 — mitigation description
"Use an ensemble of models for inference to increase robustness to adversarial inputs. Some attacks may effectively evade one model or model family but be ineffective against others."
Supports: The ensemble principle — query multiple independent models to increase robustness — is the structural analogue of multi-source corpus verification. Running claims against multiple independent retrievers is an ensemble pattern applied to fact retrieval rather than to inference.
Does not prove: AML.M0006 addresses adversarial evasion via model diversity, not hallucination or citation fabrication. The MDX page labels this mitigation "Independent External Validation" — that name does not match the ATLAS catalogue. The correct name is "Use Ensemble Methods". The structural analogy is sound; the labelling in the MDX is incorrect.
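Added example (not Helmwart's code and not taken from any cited source): a pre-commit gate in Python for the pattern described in the Playbook 2 and AML.T0067.000 entries, where a claim is committed only if its own citation supports it and a source of a different origin corroborates it. The Evidence fields, the origin labels, the threshold and the token-overlap supports() function standing in for an entailment check are assumptions, and the sample passages are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Evidence:
    source_id: str  # retriever or document identifier (hypothetical)
    origin: str     # upstream lineage; mirrors of one feed share an origin
    text: str       # passage actually retrieved from the source

def _terms(s: str) -> set:
    return {w.strip(".,").lower() for w in s.split()}

def supports(claim: str, passage: str, threshold: float = 0.8) -> bool:
    """Stand-in for an entailment model: share of claim terms found in passage."""
    terms = {t for t in _terms(claim) if len(t) > 3}
    return bool(terms) and len(terms & _terms(passage)) / len(terms) >= threshold

def gate(claim, cited, corpus, excluded=frozenset({"agent-memory"}), min_origins=2):
    """Return (commit, reason) for one claim before it is persisted or acted on."""
    # Check the citation's actual content, not just that a citation exists.
    if not supports(claim, cited.text):
        return False, "citation-does-not-support-claim"
    # Count distinct origins; the agent's own memory is on the echo path.
    origins = set()
    for ev in [cited, *corpus]:
        if ev.origin not in excluded and supports(claim, ev.text):
            origins.add(ev.origin)
    if len(origins) < min_origins:
        return False, "no-independent-corroboration"
    return True, "corroborated"

# Constructed sample data.
CLAIM = "The backup service rotates encryption keys every ninety days."
CITED = Evidence("doc-1", "vendor-docs",
                 "The backup service rotates encryption keys every ninety days by default.")
MIRROR = Evidence("doc-1-mirror", "vendor-docs", CITED.text)
MEMORY = Evidence("mem-42", "agent-memory", CLAIM)
AUDIT = Evidence("audit-7", "internal-audit",
                 "Audit confirmed the backup service rotates its encryption keys every ninety days.")
FABRICATED = Evidence("doc-9", "vendor-docs",
                      "The backup service stores snapshots in a regional bucket.")

if __name__ == "__main__":
    print(gate(CLAIM, CITED, [MIRROR, MEMORY]))         # mirror and memory do not count
    print(gate(CLAIM, CITED, [MIRROR, MEMORY, AUDIT]))  # second origin corroborates
    print(gate(CLAIM, FABRICATED, [AUDIT]))             # cited text does not back the claim
```

Token overlap cannot detect negation or paraphrase, so a real deployment would replace supports() with an entailment check while keeping the origin-counting logic.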