gentic.news — AI News Intelligence Platform
Lab section · hub manifesto · may 2026

When Agents Read.

The substrate AI agents depend on to think is being eroded from three sides at once. Nobody has named these three crises as one.

Every time an AI agent searches the web — to answer a question, to write a report, to ground its reasoning — it reads content written by other agents. Some of that content was put there to trick it. Some of it was withheld by creators who refuse to feed the agents anymore. What remains is increasingly AI slop — generated by the same class of system the agent is, now reading itself.

These three problems are not separate. They are a single crisis with three faces that feed each other. After an eight-agent research sweep, we found this unified framing is genuinely unclaimed. This is the hub of a five-part lab section that names it.

tl;dr · 90 second read
full hub · ~15 min · 4 sub-pages
  1. AI agents are increasingly tools that read the open web to think. Retrieval-augmented reasoning is now the default mode for frontier agents.
  2. Threat 1 — Poisoned pages. Pages designed to trick the agent. Eleven documented production incidents in 2025. OWASP's #1 LLM vulnerability for two consecutive years. OpenAI's CISO: “remains an unsolved problem.”
  3. Threat 2 — Withheld knowledge. Stack Overflow questions −76.5% since ChatGPT. Quora visits −50% in 15 months. Cloudflare crawl-to-referral ratios up to 73,000:1. The open web's implicit deal has broken.
  4. Threat 3 — The slop tide. 74.2% of newly created web pages contain AI text. 3,006 AI content farms tracked. Strong Model Collapse (ICLR 2025) shows 1/1000 synthetic fraction is enough to trigger irreversible degradation.
  5. The flywheel. Six causal loops mean these three threats reinforce each other. You cannot fix them separately. Slop drives withholding drives more slop drives poisoning hiding in slop drives more withholding.
  6. The fix is layered, not single-shot. C2PA provenance + SynthID watermarking + reputation systems + multi-source witness-lattice retrieval (MNEMA-style) + a working creator-economic model. No single layer solves it.
  7. The three-side framing is unclaimed. Appleton names withholding + slop. Cloudflare names poisoning + withholding. The Retrieval Collapse paper names poisoning + slop. Nobody welds them into one. This manifesto does.
00 · the simple version

Three rooms, one fire.

If the technical version is too much, here is the analogy:

room 1
The poisoners.

Imagine a library where some books have been edited by someone hiding under the shelves. They look normal. They read normal. But when you turn certain pages, they whisper instructions that hijack the reader.

room 2
The withdrawers.

Imagine the librarians realising the AI assistants taking their books home are never coming back, never paying, never sending anyone to visit. So they start locking the doors. The best books move to a private members' club.

room 3
The flood.

Now imagine the shelves keep being restocked — but the new books are written by AI assistants that read the old AI-written books. The library keeps growing. The actual knowledge keeps shrinking. The agents are reading themselves.

And all three rooms are the same library. They feed each other.

i · the three threats

What is actually happening.

Each threat is its own deep dive — the dedicated sub-page links to the full evidence base. Summary cards here.

I

Poisoned pages

OWASP LLM Top 10 #1 — two years running

Pages designed to trick the agent

Indirect prompt injection in retrieved content. Hidden text in HTML. Unicode Tag characters invisible to humans but tokenised by LLMs. Eleven production incidents documented in 2025 alone — Comet, Atlas, Amp Code, Gemini, Claude Chrome. OpenAI's CISO publicly admitted in December 2025: 'remains a frontier, unsolved security problem.' The UK National Cyber Security Centre: 'may never be totally mitigated.' Every agent that reads the web is reading attacker-controlled input.
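
A defender-side check for the hidden-HTML and Unicode Tag techniques named above, as an added example (not code from this page or from any vendor it cites): it separates rendered text from markup-hidden text, then strips and decodes invisible code points before retrieved content reaches the model. The function names, the invisible-character list and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Unicode Tags block: renders as nothing; U+E0020..U+E007E mirror printable ASCII.
TAG_LO, TAG_HI = 0xE0000, 0xE007F
# Assumed, non-exhaustive list; some are legitimate in certain scripts (flag, not verdict).
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x202E}
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr", "source"}

def scan_invisible(text):
    """Return (text without invisible chars, decoded Tag payload, count removed)."""
    clean, payload, removed = [], [], 0
    for ch in text:
        cp = ord(ch)
        if 0xE0020 <= cp <= 0xE007E:
            payload.append(chr(cp - 0xE0000))  # recover the mirrored ASCII for logging
        if TAG_LO <= cp <= TAG_HI or cp in INVISIBLE:
            removed += 1
        else:
            clean.append(ch)
    return "".join(clean), "".join(payload), removed

class VisibleText(HTMLParser):  # splits rendered text from markup-hidden text
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            a = dict(attrs)
            hides = ("hidden" in a or tag in ("script", "style", "template")
                     or bool(HIDING_CSS.search(a.get("style") or "")))
            self.stack.append((tag, hides))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:   # pop back to the matching open tag
                del self.stack[i:]
                break
    def handle_data(self, data):
        if data.strip():
            hidden = any(h for _, h in self.stack)
            (self.hidden if hidden else self.visible).append(data.strip())

def inspect_page(html):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    clean, payload, removed = scan_invisible(" ".join(parser.visible))
    return {"visible": clean, "hidden_text": parser.hidden,
            "tag_payload": payload, "invisible_chars": removed}

# Constructed sample page: one zero-width space, a Tag-encoded marker, one hidden div.
PAYLOAD = "".join(chr(0xE0000 + ord(c)) for c in "constructed test marker")
SAMPLE = ("<html><body><h1>Quarterly report</h1><p>Revenue grew\u200b 4%." + PAYLOAD
          + '</p><div style="display: none">Constructed hidden note.</div></body></html>')
```

Only the `visible` field should be passed to the model; a non-empty `hidden_text` or `tag_payload` is a signal to log and down-rank the source, since inline-style checks miss text hidden through external stylesheets or off-screen positioning.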

II

Withheld knowledge

Stack Overflow questions −76.5% since ChatGPT

Creators stop sharing because agents take without giving back

When AI agents answer from your content, you get zero traffic. Stack Overflow questions fell 76.5% from November 2022 to December 2024 — back to 2008 levels. Quora dropped 50% in 15 months. Google's organic traffic to publishers is down 33% globally, 38% in the US. Cloudflare's crawl-to-referral ratios: Google 14:1, OpenAI 1,700:1, Anthropic 73,000:1. Creators are responding with paywalls (Substack: $1.1B valuation), robots.txt blocks (35.7% of top-1,000 sites blocking GPTBot), lawsuits (NYT v OpenAI, billions in claimed damages), and retreat to the cozy web. The implicit deal of the open web — 'we publish, you send traffic' — has broken.

III

The slop tide

74.2% of new web pages contain AI text

AI-generated content pollutes new corpus, agents read their own reflection

What replaces the withheld signal? AI-generated slop. Ahrefs (April 2025): 74.2% of newly created web pages contain AI-generated text. Originality.ai: 17.31% of Google top-20 results are AI-written. NewsGuard tracks 3,006 AI content farms across 16 languages — up from 125 in May 2023, a 24× increase in three years. Reddit AI-generated posts: 14.7% in 2025, up 146% from 2021. And the science: Shumailov et al. (Nature 2024) proved recursively-trained models collapse. Strong Model Collapse (ICLR 2025) showed even a 1/1000 synthetic-data fraction triggers degradation. The agents are increasingly reading themselves.

ii · the central synthesis

The flywheel. Why these three problems cannot be solved separately.

The reason the three-side framing matters is not just descriptive — it is that each threat accelerates the others. Six causal loops connect them. Treat any one in isolation and the others get worse faster.

Figure: The six causal loops · how the three threats feed each other. Nodes: Poisoned pages (threat 1), Withheld knowledge (threat 2), Slop tide (threat 3); edges F1 to F6.
Solid arrows · direct causal acceleration · Dashed arrows · indirect feedback
F1 · Slop tide → Withheld knowledge

When the public web fills with AI slop, real creators retreat behind paywalls or onto private platforms. The signal shrinks because the noise grew.

F2 · Withheld knowledge → Slop tide

When real content disappears behind walls, the only freely-crawlable content left is AI-generated. The corpus available to agents tilts further toward slop.

F3 · Poisoned pages → Withheld knowledge

When AI agents can be hijacked by adversarial pages, creators have a second reason to gate their content — they don't want to be the unwitting attack surface that compromises the agent reading them.

F4 · Slop tide → Poisoned pages

AI-generated content provides perfect cover for adversarial injection. A page that looks like ordinary slop hides instructions to the agent. The volume of slop hides the malice.

F5 · Poisoned pages → Slop tide

Defensive scrubbing of retrieved content (paraphrasing, spotlighting) tends to introduce model-rewriting steps that further homogenise the corpus toward AI patterns.

F6 · Withheld knowledge → Poisoned pages

When agents are starved of authoritative sources, they accept lower-quality ones. The threshold for what an agent will read drops. Adversarial pages slip through more easily.

This is the move the literature missed. Maggie Appleton names two of the three. Cloudflare names two of the three. The Retrieval Collapse paper names two of the three. Nobody welds them. The flywheel is why they cannot be welded only partly.

iii · the numbers

Eight statistics that tell the story.

Calibrated from the eight-agent research sweep. Each number is sourced. Each is from 2024-2026. Each tells the same story in a different domain.

−76.5% · Stack Overflow questions Nov 2022 → Dec 2024 · source: GitHub gist of SO data
73,000:1 · Anthropic ClaudeBot crawl-to-referral ratio · source: Cloudflare AI Audit
74.2% · of new web pages contain AI-generated text · source: Ahrefs, April 2025
1 / 1,000 · synthetic-data fraction enough to trigger model collapse · source: Strong Model Collapse (ICLR 2025)
11 · documented production prompt-injection incidents in 2025 · source: Brave, LayerX, Cato, Tenable, others
#1 · prompt injection · OWASP LLM Top 10, two years running · source: OWASP 2024-2025
1% · of users click citations from Google AI Overviews · source: Pew Research, 2025
3,006 · AI content farms tracked by NewsGuard (May 2026) · source: NewsGuard AI Tracking Center
iv · where this lives intellectually

Nine neighbours. None plant the three-way flag.

Each gets one or two of the three threats. Together they map the territory. The unified framing remains unclaimed.

Flag · Claim · Gap from this manifesto

Maggie Appleton · Jan 2023
Claim: Authors retreat to the 'cozy web' (Discord, Signal, paid newsletters) because the open web is now hostile (scrapers, AI slop, bots).
Gap from this manifesto: Names threats 2+3 (withholding + slop). Does not include adversarial poisoning. Cultural framing, not unified theory.

Cloudflare · Jul 2025
Claim: Crawl-to-referral ratios up to 73,000:1 mean the implicit deal of the open web has broken. Default block + pay-per-crawl as the response.
Gap from this manifesto: Names threats 1+2 (poisoning concerns + withholding). Treats the slop tide as exogenous. Infrastructure framing.

arXiv 2602.16136 · Feb 2026
Claim: Two-stage failure: AI-generated content dominates search results, then adversarial content infiltrates the pipeline. Distinct from model collapse.
Gap from this manifesto: Names threats 1+3 (poisoning + slop). Withholding economics treated as exogenous. Closest established term.

Tim O'Reilly · 2024
Claim: Quality content withheld/paywalled, AI serves 'hamburgers' instead of 'Michelin meals.' Copyright-aware AI as the cure.
Gap from this manifesto: Names threats 2+3 (withholding + slop). Adversarial poisoning not addressed. Economic framing.

Longpre et al. (arXiv 2407.14933) · Jul 2024
Claim: Audit of 14,000 web domains: 5%+ of C4 tokens and 28%+ of actively-maintained C4 sources became fully restricted in 12 months.
Gap from this manifesto: Threat 2 only. Quantifies withholding rigorously but does not connect to the other crises.

OWASP · 2024-2025
Claim: Prompt injection ranked #1 vulnerability for AI-integrated systems for two consecutive editions. Treated as architectural flaw without a known fix.
Gap from this manifesto: Threat 1 only. Security framing. Does not engage corpus economics or slop dynamics.

Dohmatob et al. (ICLR 2025) · 2025
Claim: Even a 1/1000 synthetic-data fraction triggers irreversible degradation. Scale does not save you.
Gap from this manifesto: Threat 3 only. Statistical-learning framing. Does not address why the synthetic data exists in the first place.

gentic.news · 2026
Claim: Multi-agent AI memory architecture where every claim is signed, scoped, and refutable. Closes the silent-corruption gap in collective AI memory.
Gap from this manifesto: Our own. Internal-memory framing. This manifesto extends the MNEMA frame to external retrieval.

gentic.news · 2026
Claim: Organisational knowledge as a governed, living system — 12 pillars, an 11-stage metabolism.
Gap from this manifesto: Our own. Inside-the-org framing. This manifesto is the outside-the-org companion.

v · predictions

Six falsifiable claims.

Same rule as the other lab manifestos: dated, testable, retract if two fail by their dates. We will track these in public.

W1 · by End 2026 · confidence 70%

A frontier AI agent will suffer a public, named, high-profile compromise via indirect prompt injection in retrieved content (Equifax-class incident).

W2 · by End 2027 · confidence 55%

At least one major publisher in the AP/NYT/Reuters tier completely de-indexes from AI agents (no Cloudflare deal, no partnership, total robots.txt block).

W3 · by End 2027 · confidence 40%

C2PA + verifiable credentials becomes a requirement (not optional) for retrieval in at least one frontier lab's production agent.

W4 · by End 2028 · confidence 35%

First measured demonstration of model-collapse-class degradation in a deployed frontier LLM directly attributable to web corpus AI content.

W5 · by End 2028 · confidence 30%

A multi-source witness-lattice retrieval architecture is operational in at least one frontier agent product (MNEMA-style applied to external sources).

W6 · by End 2027 · confidence 25%

Stack Overflow questions stabilise or rebound — implying the AI-tax pattern has plateaued. Falsifier: questions continue declining at >5%/year.

vi · the section continues

Four deep dives.

Each threat — and the fix — gets a dedicated page with the full evidence base, incident timelines, defensive mechanisms, and open questions.

vi-bis · objections answered

Seven sharp objections.

Every big framing invites pushback. Here are the seven we have heard, with the honest answer to each.

01 · Isn't this just three separate problems with one wrapper?

If the three threats did not reinforce each other, yes. But they do — the flywheel section shows six causal loops. The unified frame is not a marketing wrapper; it is a claim about how the problems interact. Solving any one in isolation leaves the others worse.

02 · Aren't the big labs already fixing this?

Each is fixing one layer. Anthropic owns constitutional defence + citations. Cloudflare owns the economic-repair piece. Google owns watermarking. No single lab is building the integrated layered stack the fix sub-page describes. The integration is the open work.

03 · Isn't the AI tax just market dynamics? Old industries get disrupted, that's life.

Partly true at the level of any individual creator. But the substrate is not an industry — it is the public information commons. When the commons collapses, agents lose the input they need to be useful. This is not 'newspapers vs Craigslist.' It is the agent's own oxygen supply.

04 · Won't synthetic data engineering solve model collapse?

Maybe partially. Gerstgrasser et al. (2024) show that accumulating real+synthetic data prevents collapse — but accumulating requires that you can verify what is real. Threat 2 is shrinking the real-data anchor faster than threat 3 is being mitigated. The two problems must be solved together.

05 · Aren't the numbers cherry-picked? Slop measurements vary wildly across studies.

Numbers vary, direction does not. Ahrefs 74.2% / Originality.ai 17.31% / NewsGuard 3,006 farms / Reddit 14.7% — different methodologies, same vector. The lowest credible numbers still describe a crisis.

06 · Doesn't C2PA + watermarking solve all this?

No. The fix sub-page is explicit. C2PA is opt-in; bad actors don't sign. Watermarks are circumventable — UnMarker defeats 79% of image watermarks. Both are necessary, neither is sufficient. The layered defence requires all seven layers.

07 · Isn't this just techno-pessimism?

The closing section is explicit: the fix is layered, real, and buildable. This is not 'the open web is doomed.' This is 'the open web requires a different architecture than it had, and we need to build it.' That is a research program, not a eulogy.

vii · glossary

New (or re-grounded) vocabulary.

Trusted Source Problem
How an AI agent verifies that the content it retrieves is authentic, accurate, and not adversarial. The central question this lab section addresses.
Indirect prompt injection (IPI)
An attack where instructions hidden in retrieved web content take control of an LLM agent's reasoning. OWASP LLM Top 10 #1 vulnerability in 2024 and 2025.
The AI tax
The implicit cost imposed on web creators when AI agents extract value from their content without sending traffic or revenue back. Phrase popularised by Cloudflare.
Crawl-to-referral ratio
How many times an AI bot crawls a site versus how many human visitors it sends. Google: 14:1. OpenAI: 1,700:1. Anthropic: 73,000:1.
Cozy web
Private, gated, or invite-only spaces (Discord, Signal, paid newsletters) where humans retreat from the open web. Coined by Yancey Strickler 2019, applied to the AI era by Maggie Appleton 2023.
AI slop
AI-generated content of low quality, produced at scale, polluting the open web. Coined by Ed Zitron. Mentions rose 9× between 2024 and 2025 (461K → 2.4M).
Model collapse
When generative models train on data produced by other generative models, accuracy degrades and the output distribution narrows. Shumailov et al. Nature 2024. Strong Model Collapse (ICLR 2025) showed 1/1000 synthetic fraction is enough.
Substrate erosion
The combined effect of poisoning + withholding + slop. The substrate AI agents depend on to think is eroded simultaneously from three sides. Named in this manifesto.
The flywheel
The six causal loops by which each of the three threats accelerates the others. The reason these three problems cannot be solved separately.
C2PA / Content Credentials
Coalition for Content Provenance and Authenticity. A cryptographic standard for content origin. v2.2 (May 2025), 6,000+ Content Authenticity Initiative members. Adopted by hardware (Leica, Sony, Pixel, Galaxy), Adobe, Meta, OpenAI, Microsoft. Enforceable in EU under AI Act Article 50 from August 2026.
closing

The substrate problem is the problem behind the problems.

Most discussion of AI agents focuses on what they can do. This manifesto is about what they read while doing it. That has turned out to be where the load-bearing failure mode lives.

The three threats — poisoning, withholding, slop — are not separate engineering problems. They are three faces of one civilisational shift in how the open web works (and increasingly does not). The implicit deal that built the modern internet broke when the readers became agents. We are watching the after-effects in real time.

The fix will not be a single technical layer. It will require content provenance (so agents can verify what they read), economic repair (so creators have a reason to keep contributing), multi-source corroboration (so no single page can compromise an agent), and a witness lattice across what gets retrieved — the same architectural move MNEMA proposed for AI memory, applied to external sources.

When agents read, what they read decides what they think. The substrate is the thing to fix.
