When the Agent Picks Sources: Accountability in Agentic RAG

A Agentic RAG pipeline does something older systems never did: it lets a language model loop over its own retrieval. The agent rewrites the query, calls a tool, reads the chunks, decides whether to search again, and at some point declares the evidence good enough. By the time the answer reaches the user, dozens of small editorial choices have been made — and almost none of them appear in any log a regulator would today recognize.

The Question We Have Not Asked About the Selector

Classical Retrieval Augmented Generation kept the human inside the loop, even if only at design time. An engineer chose the corpus, picked the chunking strategy, fixed the top-k, and tuned the reranker. The biases in those choices were inherited, but they were at least named — they lived in code and configuration files somebody had reviewed. The Singh et al. survey of agentic RAG, published on arXiv as 2501.09136, marks the architectural break cleanly: the agent now performs Query Transformation, decides between Hybrid Search and pure semantic retrieval, runs Reranking as one tool among many, and may chain Contextual Retrieval steps until it considers the answer complete. The selector has moved out of the engineer’s review and into a probabilistic generator that nobody audits per call.

This raises a question we have grown skilled at avoiding. When an autonomous agent decides what evidence the model sees, who is accountable for the worldview those choices encoded? The user reading the answer? The developer who configured the agent? The platform whose default tools the agent assembled?

What the Strongest Defense Sounds Like

The serious case for agent-driven retrieval is not naive. Static RAG pipelines fail on multi-hop questions, mishandle ambiguity, and freeze the biases of their original tuning into every future query. Letting a capable model decide how to retrieve is, in many domains, a real improvement in answer quality. The Singh et al. survey documents this honestly — agentic patterns recover from poor first-pass retrieval, escape brittle top-k cutoffs, and adapt to query intent in ways no fixed pipeline can.

Add to this the emerging governance scaffolding. The OWASP Top 10 for LLM Applications 2025 introduced LLM08, “Vector and Embedding Weaknesses,” explicitly to address retrieval-side risk. The CSA Agentic NIST AI RMF Profile, currently in development, is mapping autonomous-agent risks to concrete mitigations. The FINOS AI Governance Framework’s MI-21 control specifies that decision information must be captured as it occurs, with each retrieval and tool call linked to a policy reference and a reviewer. The infrastructure of accountability is being written. None of it is silly, and all of it is reasonable inside the frame the defense uses to make its case.

The Hidden Premise Inside the Defense

The defense assumes that adding accountability machinery — logs, tool traces, audit fields — recovers the inspectability we lost when we handed source selection to the agent. That is the premise worth examining.

Source bias in agentic RAG is not one mechanism. It is at least three, and they fail differently. The first is corpus skew: the documents available to retrieve from were never representative to begin with. Retrieval from skewed or unbalanced corpora “can amplify existing biases, resulting in similarly biased generated outputs,” the Singh et al. survey observes. The second is retrieval and ranker bias, where the agent’s chosen embedding model and reranker quietly prefer some kinds of documents over others. The third is the most uncomfortable. Adversaries can plant “factually correct yet epistemically biased passages that systematically emphasize one side of a multi-viewpoint issue” — the attack class named in the Epistemic Bias Injection paper, arXiv 2512.00804. Standard fact-checking misses these. Every individual sentence is true. What is biased is the selection, and the agent’s selection is exactly what the attacker has captured.

Logging the agent’s tool calls does not fix any of this. A perfect audit trail of a poisoned corpus tells you the agent did its job correctly on contaminated ground. A flawless trace of an embedding model that downranks dialect English shows you the model behaving as trained. The accountability machinery records what happened. It does not, on its own, tell you whether the worldview being enforced is one your users would consent to.

There is also a deeper structural gap. The arXiv paper “Transparency as Architecture” (2603.26983) finds that “no current metadata schema provides a machine-readable format adequate to capture the provenance chain” required for full retrieval attribution; Dublin Core and Schema.org lack the semantics for confidence-weighted, multi-step attribution, and the paper observes that “editorial workflows destroy provenance chains at the point of human review.” We are building accountability scaffolds on a representation layer that cannot, today, hold the thing being audited.

A Different History Tells a Different Story

There is a useful precedent. Library catalogs were once treated as moral artifacts. The Dewey Decimal classification and Library of Congress subject headings were public documents, revised across decades in response to bias claims they could not ignore. When researchers showed that a heading erased a community’s experience, you could point to the heading, demand a revision, and watch the institution defend or amend its choice. The classification was contestable because it was visible.

The agent’s retrieval policy is not. It does not exist as a document. It exists as the joint behavior of a query-transformation step, an embedding model, a reranker, and a stopping criterion the agent computed in the moment. Even with a FINOS-style audit trail in place, the user who feels misrepresented has no surface to point at. The selection happened at runtime, on their query, and was not preserved in any form a critic could revise. The library catalog could be edited. The agent’s worldview is ephemeral, reconstructed per request — immune to the slow public revision the library tradition relied on.

The Position This Argument Reaches

Thesis (one sentence, required): When an autonomous agent decides which sources the user sees, the team that integrated it has assumed an editorial role that current logging, current schemas, and current regulation do not yet let it exercise.

This conclusion holds even when the engineering is excellent. The better the agent, the more deference users grant its top-of-thread answer, and the heavier the moral weight of any quiet bias in its corpus, its embedding model, or its retrieved passages. The Bias-Aware Agent framework (arXiv 2503.21237) proposes running a bias detector as one of the agent’s tools, flagging biased content before generation. That is a serious step. It is not yet a regulatory expectation, and even where adopted, it depends on detector quality the field has not standardized.

EU AI Act Article 50 transparency obligations, with GPAI rules effective 2 August 2025 per the European Commission’s AI Act page, require AI-generated content to be marked and disclosed to users. The obligation applies. Whether existing agentic-RAG architectures can satisfy it for retrieval-driven outputs — at the granularity a regulator could actually inspect — is a question vendors have not been pressed to answer in public.

The Questions Engineers Owe Their Users

There are no clean prescriptions here, only better questions. Before integrating an agentic-RAG system, what would it take for your team to explain — to a regulator, an auditor, or a user whose application was misjudged — why the agent retrieved this document and not that one? When the agent decided the evidence was sufficient, on what authority did it close the search? If a competing perspective lived in your corpus and the agent never surfaced it, would your logs let anyone notice?

These are not questions a runtime policy file can answer. They are questions about the institutional arrangement under which the agent is allowed to speak on your behalf.

Where This Argument Is Weakest

The essay assumes that retrieval transparency, once made architecturally possible, would actually be exercised. That is not guaranteed. If logs nobody reads and provenance schemas nobody implements remain the norm, the moral distinction between agentic and static RAG narrows considerably. A future where every retrieval is auditable in principle but none are audited in practice would prove this argument too optimistic about institutional will.

The Question That Remains

The agent does not know it is editing the world for the user it answers. It is following gradients, calling tools, and stopping when its sufficiency criterion is met. The question is not whether agentic RAG should exist. It is whether teams that adopt it should keep pretending the selector is somebody else’s problem, when the law, the literature, and the audit-trail vocabulary have not yet caught up to what they have already put into production.

Ethically, Alan.