Provenance or It Didn't Happen
An agent that can't cite its source is just a confident stranger with opinions. Here's how I ground my fleet in truth with provenance — a governed Nexus Brain on Cosmos DB for work, and an Obsidian second brain you can build this weekend for yourself. Plus why Satya called the next discipline 'loop engineering' at Build 2026.
My agent told me, with total confidence, that we’d agreed to a fixed-price contract in the March kick-off.
We hadn’t. There was no March kick-off. The “agreement” was a hallucination stitched together from three unrelated emails and a calendar invite that got declined. The agent sounded certain. It used the right names. It even invented a clause number.
That’s the moment you stop trusting fluent answers and start demanding receipts.
Last week I wrote about the harness — the engineered system around the model that turns a chatbot into something that does a job. This week is about the one ingredient that decides whether that job is trustworthy or dangerous: where the agent’s facts come from, and whether it can prove it.
The answer is governed grounding with provenance. And it matters more now than it ever has, because the discipline just moved up another layer.
From harness to loop — the word Satya used at Build 2026
At Microsoft Build 2026, Satya Nadella named the next step out loud: loop engineering. Not a better model. Not a cleverer prompt. The engineered loop — agents that plan, reason, use tools, remember, and run long-running work across a whole stack, wrapped in security and governance.
If you’ve read my last two posts, you know I’ve been circling this exact shape for months. The keynote drew the same diagram I had on my whiteboard: a five-layer agent stack — compute, models, context, tools, runtime — with security and governance wrapped around the whole thing.
Look at the third layer from the bottom. Context. That’s where grounding and provenance live — and it’s the layer that decides whether your beautifully engineered loop is compounding truth or compounding confident nonsense.
A photo note: the keynote stage shots are Microsoft’s copyrighted press material, so I haven’t reproduced them here. You can watch the moment yourself in the official Build 2026 keynote — the loop-engineering framing is in the opening section.
Here’s the uncomfortable truth a loop makes worse, not better: an agent that runs once and hallucinates is an incident. An agent that runs a thousand times a night, learning from its own outputs, and hallucinates is a compounding incident. Speed multiplies whatever you point it at. If you point it at ungrounded facts, you’ve built a very efficient liar.
What “governed grounding with provenance” actually means
Three words, three jobs. Strip the jargon and they’re simple:
- Grounded — the answer comes from a real source you control, not the model’s training-data memory. The model reasons; it doesn’t get to invent the facts.
- Governed — the agent reaches that source through a controlled door: a known identity, least privilege, an allow-list, an audit trail. Not a raw database connection it can do anything with.
- Provenance — every fact carries its receipt. Source, author, date, a content hash. If the agent can’t point to where a claim came from, it doesn’t get to make the claim.
Most teams ship the first one and skip the other two. They wire up retrieval, get better answers, and call it grounding. But retrieval without governance is a security hole, and retrieval without provenance is just a more convincing hallucination. You feel safer while being exactly as exposed.
The test I use is blunt: could I defend this answer to an auditor, a client, or a court? If the agent can’t show me the source note, the timestamp, and the chain of custody, the answer is a rumour. A well-dressed rumour, but a rumour.
Nexus Brain — how I ground my fleet at work
For my work fleet, the grounding layer is a service I call Nexus Brain. It’s a governed grounding edge sitting on Azure Cosmos DB, and every agent in the fleet reaches it the same way: through one narrow, audited door.
The architecture below is sanitised — the names, endpoints, and identifiers are illustrative, not the real deployment. The shape is what matters.
Walk the diagram from the top:
- The agent never touches the database. Not once. It can’t run a query, drop a container, or read a record directly. It asks the harness, and the harness asks one tool.
- One exposed tool: search(). Nexus Brain is a Model Context Protocol (MCP) edge that exposes a single, read-only grounding tool. No write path. No list-everything. One verb, tightly scoped.
- Identity at the door. Every call carries a Microsoft Entra token with a narrow scope. No token, no answer. The grounding edge knows exactly which agent asked, on whose behalf, and whether policy allows it.
- Cosmos DB holds the chunks — and the receipts. Source documents are chunked, embedded, and stored with their provenance metadata attached: where each chunk came from, who wrote it, when, and a hash so you can detect drift. Retrieval is a vector match, ranked, returned with the receipts stapled on.
- Every call lands in the audit ledger. Who asked, what was retrieved, which sources, when, and under what policy. Replayable. If an agent ever produces a strange answer, I can reconstruct exactly what it was grounded on.
The result is the property I actually care about: answers with receipts.
This is the missing beat in the harness loop. Remember the six beats — plan, context, reason, act, observe, learn? Grounding lives at beat two. Get it wrong and every beat after it inherits the lie. Get it right and the model spends its reasoning on a foundation of real, sourced, current facts instead of half-remembered training data.
Why Cosmos DB specifically? Three reasons that earn their keep: vector search and operational data sit in one place, so I’m not stitching a vector store to a separate metadata store; it scales without me babysitting it; and the provenance metadata rides on the same record as the embedding, so a chunk and its receipt can never drift apart. The grounding and the proof of grounding are physically the same row.
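The receipt check described in this section, as an added example that is not Nexus Brain's code: retrieved chunks are admitted to the agent's context only if the receipt is complete, the source is on an allow-list, and the text still matches its stored hash. The `Chunk` shape, the field names, the `admit` function and the reading of the allow-list as a set of source paths are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Receipt fields the post names: source, author, date, content hash.
REQUIRED = ("source", "author", "date", "sha256")

@dataclass
class Chunk:
    text: str
    receipt: dict

def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def admit(chunks, allowed_sources):
    """Return (grounded, rejected); rejected holds (chunk, reason) pairs."""
    grounded, rejected = [], []
    for c in chunks:
        missing = [f for f in REQUIRED if not c.receipt.get(f)]
        if missing:
            rejected.append((c, "missing receipt: " + ", ".join(missing)))
        elif c.receipt["source"] not in allowed_sources:
            rejected.append((c, "source not on allow-list"))
        elif content_hash(c.text) != c.receipt["sha256"]:
            rejected.append((c, "content hash drift"))
        else:
            grounded.append(c)
    return grounded, rejected

def sample_chunks():
    """Constructed sample data; paths, authors and dates are made up."""
    original = "Contract type: time and materials."
    ok = {"source": "contracts/msa.md", "author": "legal", "date": "2026-01-15",
          "sha256": content_hash(original)}
    return [
        Chunk(original, dict(ok)),
        Chunk("Fixed price was agreed at the March kick-off.", {"source": "contracts/msa.md"}),
        Chunk("Contract type: fixed price.", dict(ok)),  # text changed after hashing
        Chunk(original, dict(ok, source="scratch/pasted-email.md")),
    ]

if __name__ == "__main__":
    grounded, rejected = admit(sample_chunks(), {"contracts/msa.md"})
    print("grounded:", [c.receipt["source"] for c in grounded])
    for c, reason in rejected:
        print("rejected:", reason, "|", c.text)
```

Writing the rejected list to the audit ledger alongside the grounded one keeps a record of what the agent was not allowed to see, which matters when reconstructing a strange answer.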
You don’t need Cosmos DB — you need a second brain
Here’s the part for everyone who just read three paragraphs about Entra tokens and thought, that’s lovely, but I’m one person, not a fleet.
You can have the same thing. Governed grounding with provenance isn’t an enterprise-only idea — it’s just good note-taking with the receipts kept. And the personal version is something you can stand up this weekend with a free tool: Obsidian.
I run a unified Obsidian vault as the shared memory for every agent on my machine. It’s the personal twin of Nexus Brain. The agent searches my notes, answers from them, and cites the exact note it used — the same grounded, governed, provenanced contract, scaled down to one human.
The magic isn’t the tool. It’s the structure. And the structure that makes a vault groundable is PARA, plus one folder most people forget.
Build your own grounding brain: PARA + a Sources layer
PARA is Tiago Forte’s system from Building a Second Brain. Four folders, sorted by how actionable something is — not by topic, which is where most note systems die. Here’s the whole thing, plus the provenance layer I’d add on day one.
1. Create five folders. In a new Obsidian vault, make these top-level folders:
- Projects/ — active, time-bound work with a finish line. “Launch the new site.” “Q3 board deck.”
- Areas/ — ongoing responsibilities with no end date. “Health.” “Team.” “Finances.”
- Resources/ — topics and references you care about. “Prompt engineering.” “Recipes.” Your own ideas live here too.
- Archive/ — anything from the first three that’s gone cold. Not deleted — just out of the way.
- Sources/ — the provenance layer. The originals you’re citing: PDFs, saved articles, meeting transcripts, screenshots. This is the folder PARA doesn’t name, and it’s the one that turns notes into evidence.
2. Capture into Sources first, then write your own note. When you read something worth keeping, drop the original — the PDF, the link, the transcript — into Sources/. Then write your take as a separate note in Resources/, and link back to the original with a wikilink: [[2026-06 - Vendor security whitepaper]]. That link is your citation. Your idea and its receipt are now connected.
3. Make the link the habit. This is the single rule that matters: a claim without a link back to a source is a draft, not a fact. When you can’t link it, you know you’re guessing — which is useful information on its own. Obsidian tracks wikilinks through renames, so the citation survives even when you reorganise.
4. Point your agent at the vault. Copilot, Claude, or a local model — give it read access to the folder. Now when you ask “what did the vendor say about data residency?”, it answers from your notes and tells you which note it used. That’s personal grounding with provenance. No Cosmos DB, no Entra, no fleet. Same contract.
5. Optional, and worth it: a Decisions/ folder. One short note per real decision — what you chose, the date, and why. This is your personal audit ledger. Six months later, when you can’t remember why you picked the annual plan, the answer is one note away, with its reasons intact. It’s the same idea as the enterprise audit lane, sized for a single life.
That’s it. Five folders, one habit, an optional sixth. You can build it in an afternoon, and it gets more valuable every week you feed it — the same compounding the overnight learning loop gives a fleet, except the brain that’s compounding is yours.
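The "link it or it's a draft" rule can be checked mechanically. The script below is an added example, not something from Obsidian or from the setup described here: it walks the working folders and marks each note as a fact only if at least one of its wikilinks resolves to a file in Sources/. The function names, the sample notes and the choice to resolve links by file name are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Matches [[Target]], [[Target|alias]] and [[Target#heading]]; captures Target only.
WIKILINK = re.compile(r"\[\[([^\]|#]+)(?:#[^\]|]*)?(?:\|[^\]]*)?\]\]")

def source_names(vault: Path) -> set:
    """Link targets that resolve into Sources/: file names, plus stems for .md files."""
    names = set()
    for f in (vault / "Sources").rglob("*"):
        if f.is_file():
            names.add(f.name)
            if f.suffix == ".md":
                names.add(f.stem)
    return names

def lint_vault(vault: Path, folders=("Projects", "Areas", "Resources")) -> dict:
    """Map each note path to 'fact' (cites a Sources/ file) or 'draft' (no citation)."""
    sources = source_names(vault)
    report = {}
    for folder in folders:
        for note in sorted((vault / folder).rglob("*.md")):
            text = note.read_text(encoding="utf-8")
            targets = {t.strip() for t in WIKILINK.findall(text)}
            cited = any(t in sources for t in targets)
            report[note.relative_to(vault).as_posix()] = "fact" if cited else "draft"
    return report

def build_sample_vault() -> Path:
    """Constructed vault: one cited note, one uncited note, one dangling link."""
    vault = Path(tempfile.mkdtemp())
    for d in ("Projects", "Areas", "Resources", "Archive", "Sources"):
        (vault / d).mkdir()
    (vault / "Sources" / "2026-06 - Vendor security whitepaper.md").write_text("original")
    (vault / "Resources" / "Data residency.md").write_text(
        "EU-only storage, per [[2026-06 - Vendor security whitepaper|the whitepaper]].")
    (vault / "Resources" / "Pricing hunch.md").write_text("I think it was fixed price.")
    (vault / "Resources" / "Kick-off notes.md").write_text("See [[Missing transcript]].")
    return vault

if __name__ == "__main__":
    for note, status in lint_vault(build_sample_vault()).items():
        print(f"{status:5}  {note}")
```

A link to a source that has since been deleted counts as a draft here, so the report also catches citations that no longer lead anywhere.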
The one-line version
A model without grounding is guessing. Grounding without governance is a security hole. Grounding without provenance is a more convincing guess.
Put all three together and you get the only thing worth shipping in the loop-engineering era: an agent that can show its work.
At work, mine is a governed Nexus Brain on Cosmos DB. At home, it’s an Obsidian vault and a habit of linking back to the source. Different scale, identical promise — every answer comes with receipts.
Building your own? Start with the five folders, add the Sources/ layer, and make “link it or it’s a draft” your one rule. If you set up a personal grounding vault — or you’re wiring grounding into a production fleet — tell me what you learnt. DM me. I’m collecting the sharpest setups for a follow-up on the personal-knowledge side of loop engineering.