How does protocol mediation affect determinism in agentic function calls?
This explores what happens to predictability when an LLM agent reaches its tools through a protocol layer (like MCP) instead of calling functions directly — and whether that mediation is the thing introducing the non-determinism.
This reads the question as asking whether the protocol layer itself — the standardized middle that sits between an agent and its tools — is what makes agentic function calls unpredictable, or whether it's incidental. The corpus has a sharp, opinionated answer at the center of it. One production account Why do protocol-based tool integrations fail in production workflows? found that routing tool access through MCP introduced non-deterministic failures, not because the protocol was buggy, but because mediation forces the model to do two fuzzy things at runtime: pick which tool from an ambiguous menu, and infer parameters from loose descriptions. Stripping that out — explicit direct function calls, one tool per agent — restored determinism. The tell is in the survey it cites: 85% of production teams build custom agents and skip frameworks entirely. The instinct is to remove the layer that's deciding for the model.
But the corpus immediately complicates the 'just remove the protocol' story. A competing note Should coordination protocols wrap existing systems or replace them? argues protocols win adoption precisely by wrapping existing systems like MCP under a shared substrate rather than replacing them — value accrues without ecosystem rewrites. So there's real tension here: the production lesson says mediation costs you determinism, while the coordination lesson says you can't realistically rip mediation out without losing interoperability. The synthesis isn't 'protocols bad' — it's that every inference the protocol does on the model's behalf (tool selection, parameter binding) is a place where determinism leaks.
Why does that leak compound rather than stay local? Look at how coordination degrades at scale Why do multi-agent systems fail to coordinate at scale?: agents accept information from neighbors without verifying it, so a single ambiguous resolution propagates as error rather than getting caught. Mediation adds exactly these uncritical handoffs. And the FLOWSTEER work shows the same surface is exploitable — a crafted prompt can bias tool routing and task assignment at planning time, before any infrastructure runs Can prompt injection reshape multi-agent workflow without touching infrastructure?, with the damage amplified when injected into high-influence positions where dependencies converge How does workflow position shape attack propagation in multi-agent systems?. The same indirection that makes tool selection non-deterministic also makes it steerable. Non-determinism and attackability turn out to be the same property viewed from two angles.
The most interesting move, though, is what the corpus offers as the alternative to fuzzy mediation: not 'less protocol' but a more legible substrate. Code, one note argues, is uniquely good for agent reasoning because it's simultaneously executable, inspectable, and stateful — you can verify what happened, not just hope Can code become the operational substrate for agent reasoning?. That reframes the whole question. Determinism isn't lost because there's a layer between agent and tool; it's lost when that layer is a natural-language guessing game instead of something checkable. A protocol that hands the model an inspectable, verifiable call is a different animal from one that hands it an ambiguous menu — even if both are 'mediation.' The thing to fix is the inference burden, not the existence of the middle.
Sources 6 notes
MCP integration caused non-deterministic failures through ambiguous tool selection and parameter inference. Replacing it with explicit direct function calls and single-tool-per-agent design restored determinism. A 306-practitioner survey confirms 85% of production teams build custom agents, forgoing frameworks.
Research shows that agent coordination standards achieve adoption by composing existing protocols like MCP and DIDComm under a shared substrate, rather than competing to replace them. Bridging lets value accrue incrementally without forcing ecosystem-wide rewrites.
AgentsNet benchmark shows agents fail to coordinate strategies either by agreeing too late or adopting strategies without informing neighbors. Agents accept neighbor information without verification, enabling error propagation while remaining capable of detecting direct conflicts.
FLOWSTEER demonstrates that a single crafted prompt can bias task assignment, roles, and routing during workflow formation, raising malicious success by up to 55 percent and transferring across black-box multi-agent setups. This attack surface precedes the artifacts that existing defenses inspect.
FLOWSTEER demonstrates that malicious signals propagate farther when injected into high-influence subtasks, and that framing them as evidence rather than instruction causes downstream agents to relay them. Influence concentrates where dependencies converge, making position-aware attacks far more effective.
Research shows code uniquely enables agents to externalize reasoning, execute policies, model environments, and verify progress through its simultaneous executability, inspectability, and statefulness across task steps.