An AI agent is helping a family in Toronto plan a ski trip to Banff. They need a pet-friendly hotel with no weight limit, close to trails, available next weekend. The agent pulls data from three sources. Source one, a travel blog from eight months ago, says the Ridgeline Inn is pet-friendly with rooms starting at $189. Source two, a scraped Google listing, says the Ridgeline Inn is pet-friendly with a 4.4-star rating and no further detail. Source three, a structured data feed updated yesterday by the hotel itself, says the Ridgeline Inn allows dogs of any size with no fee, has three king suites available next Friday through Sunday at $219, and is trail-adjacent with direct access to the Fenland Trail.
Three sources. Three different pictures. The travel blog is detailed but stale — the rate might have changed, the pet policy might have been updated, and "pet-friendly" could mean anything. The Google listing is current but shallow — it confirms the hotel exists and people generally like it, but provides nothing an agent can match on. The structured feed is specific, timestamped, and directly from the source.
The agent has to decide what to believe. And the way it makes that decision — the implicit hierarchy of trust it applies to competing data sources — is becoming one of the most consequential dynamics in AI-mediated commerce.
The four layers of the trust stack
When an AI agent evaluates data from multiple sources, it's applying something we call the trust stack — a hierarchy of signals that determine how much weight to give each piece of information. The trust stack has four layers, each of which independently contributes to whether the agent treats the data as reliable.
Layer one: Provenance. Who said this? The most fundamental trust signal is the source of the data. Information that comes directly from the business itself — "we allow dogs of any size, no fee" — carries more weight than the same claim made by a third party. A travel blogger saying the hotel is pet-friendly is hearsay. The hotel's own structured data feed saying it is a primary source. A scraper extracting text from the hotel's website is somewhere in between — it's derived from the business's own content but passed through an extraction layer that may have introduced errors or missed nuance.
Provenance matters because it determines accountability. When the data comes from the business, the business is implicitly standing behind it. When the data comes from a scraper, nobody is standing behind it — if the scraper misread "pet-friendly with restrictions" as "pet-friendly," there's no accountability chain. The agent that trusts primary sources over derived ones will be right more often.
Layer two: Freshness. When was this last confirmed? A hotel's pet policy from yesterday is almost certainly still valid. The same policy from a travel blog published nine months ago might be. The same policy extracted from a cached web page of unknown vintage is a guess. Freshness isn't just about the date of the source — it's about the date of last confirmation. A scraper might visit a page today, but the page content could be from 2024. The timestamp that matters is when the information was last verified as true, not when it was last crawled.
The trust stack treats freshness as a decay function. Data confirmed today is fully trusted. Data confirmed last week is mostly trusted. Data confirmed last month is treated with declining confidence. Data of unknown age — which describes most scraped web data — gets the lowest freshness score because the agent literally cannot determine when the information was last true.
Layer three: Specificity. How detailed is this? "Pet-friendly" is a boolean that tells an agent almost nothing. "Dogs of any size, no fee, no weight limit, treats at check-in, fenced outdoor area, trail-adjacent with direct access to Fenland Trail" is a rich set of attributes that an agent can match against specific user needs. Specificity is a trust signal because specific data is harder to fake and more useful to verify. A business that provides detailed, specific claims about its capabilities is more likely to be accurate than one that offers a vague checkbox.
Specificity also serves as a proxy for engagement. A business that takes the time to describe its pet policy in detail is a business that cares about getting the right customers. A listing that says "pet-friendly: yes" was probably auto-generated from a database field. The detailed description signals both accuracy and intent.
Layer four: Consistency. Does this agree with other sources? When multiple independent sources say the same thing, confidence increases. When sources contradict each other, the agent needs to arbitrate — and the other three layers of the trust stack determine which source wins the conflict.
A hotel's own data feed says no weight limit. Two travel blogs say "pet-friendly." A Yelp review from last year mentions a 50-pound limit. What does the agent believe? The trust stack resolves this: the hotel's feed wins on provenance (primary source), freshness (updated yesterday), and specificity ("no weight limit" vs. "pet-friendly"). The Yelp review loses on all three — it's secondhand, it's old, and it might be describing a policy that has since changed. The agent trusts the hotel's feed and notes the inconsistency for potential follow-up.
A concrete example: three sources disagree
Let's walk through a real scenario that agents face daily. A user in Vancouver asks: "Find me an Italian restaurant in Calgary's Kensington neighborhood with a private dining room for twelve, available Saturday."
The agent queries three data sources about Trattoria Sorrento on Kensington Road.
Source A: Scraped website. The restaurant's website mentions a "private dining experience" in the About section. No details on room capacity, availability, or pricing. The page was last updated in March 2025. Trust stack score: low provenance (derived, not structured), low freshness (ten months old), low specificity (no actionable details), unknown consistency.
Source B: Review aggregator. Three Yelp reviews mention a private room. One says it seats "about ten." Another says they had a party of fifteen. A third says the room was "cozy for our group of eight." Pricing estimates range from $60 to $90 per person. Trust stack score: low provenance (secondhand from reviewers), variable freshness (reviews from different dates), moderate specificity (some details, but conflicting), low consistency (the three reviews disagree on capacity).
Source C: Structured business feed. The restaurant provided this data directly last Tuesday: "Private dining room seats 8-14 with flexible configuration. Available Tuesday through Saturday. Prix fixe required for groups of 10+, starting at $75/person. Saturday availability for next 4 weeks: Jan 24 (open), Jan 31 (booked), Feb 7 (open), Feb 14 (booked — Valentine's). Full AV setup available for presentations." Trust stack score: high provenance (directly from the business), high freshness (confirmed this week), high specificity (capacity, pricing, availability, amenities), high consistency (internally consistent and compatible with the review details once you account for the flexible 8-14 configuration).
The agent's decision is clear. Source C wins on every layer of the trust stack. The agent tells the user: "Trattoria Sorrento on Kensington Road has a private dining room that seats up to fourteen with flexible configuration. It's available this Saturday. For your group of twelve, they require a prix fixe menu starting at $75 per person. The room has a full AV setup if you need it."
That's a recommendation the user can act on. Compare it to what the agent could say using only Sources A and B: "Trattoria Sorrento might have a private dining room. Reviews suggest it seats somewhere between eight and fifteen people. You should call to check availability and pricing." One of these leads to a booking. The other leads to a phone call.
Why scraped data fails the trust stack
Scraping is the dominant method for collecting business data today. Crawlers visit websites, extract text, and structure it into databases that AI agents query. The problem is that scraped data fails the trust stack on almost every layer.
Provenance is murky. The scraper extracted text from a web page, but who wrote that text? When? Was it the business owner, a marketing agency, an intern three years ago? The data has passed through multiple transformations — original content to website to crawler to extraction algorithm to database to agent — and each step introduces potential errors. By the time the agent receives the information, the provenance chain is long and unverifiable.
Freshness is unknown. The scraper knows when it visited the page. It doesn't know when the page was last updated. A crawl timestamp of today doesn't mean the data is from today — it means the scraper saw the page today. The content might be from 2023. Without metadata about when the information was last confirmed as true, freshness is a guess.
Specificity is limited to what's published. A scraper can only extract what exists on the page. If the restaurant's website says "private dining available" without details, the scraper gets that boolean and nothing more. The capacity, pricing, availability, and amenities that would make the data useful for matching were never published, so the scraper can't capture them.
Consistency is hard to verify. Scraped data from different sources often conflicts, and there's no reliable way to determine which version is correct. The scraper doesn't have a relationship with the business. It can't call and ask. It can only report what each source says and hope the conflicts resolve.
The result is that scraped data occupies the bottom of the trust stack. It's better than nothing — it confirms the business exists, provides a rough category and location, captures whatever public information is available. But for the kind of specific, current, reliable data that agents need to make confident recommendations, scraping is structurally insufficient.
Why synthesized data fails even harder
Worse than scraped data is synthesized data — information that an LLM generates by combining fragments from multiple sources into a coherent-sounding narrative. This is what happens when an agent says "Trattoria Sorrento has an intimate private dining room perfect for groups of 10-12, with a seasonal Italian menu starting around $80 per person." It sounds authoritative. It might even be approximately right. But the agent assembled this from fragments of reviews, website snippets, and model inference. No single source confirmed this exact picture.
Synthesized data fails the trust stack completely. Provenance: the LLM generated it from fragments. Freshness: unknown, because the source fragments have different and mostly unknown dates. Specificity: manufactured, because the model filled in gaps with plausible-sounding details. Consistency: artificially created by the model choosing which fragments to include and which to ignore.
The most dangerous property of synthesized data is that it sounds confident. An agent that says "I couldn't find reliable details about their private dining room" is honest and useful. An agent that synthesizes a detailed description from fragments is confident and potentially wrong. The first response loses the sale but maintains trust. The second response might get the sale but risks destroying trust if the reality doesn't match.
Building trust into the data layer
The data providers that will win the agent era are the ones that build trust metadata into every response. Not just the data itself — the provenance, freshness, and specificity signals that let agents evaluate how much to trust it.
At Pawlo, every data point carries its trust metadata: who provided it (the business, directly), when it was last confirmed (timestamp of the latest update), when it expires (explicit expiration for time-sensitive data like deals and availability), and how specific it is (structured fields versus free text). When an agent queries Pawlo's MCP, it doesn't just get data — it gets data it can evaluate against the trust stack.
This matters because agents are getting smarter about trust evaluation. Today, most agents treat all retrieved data roughly equally — whatever the retrieval system returns gets incorporated into the response. But as agents become more sophisticated, they'll weight sources by trust signals. The data layer that provides those signals — that tells the agent "you can trust this, here's why" — will be the one agents prefer.
The trust stack isn't a theoretical framework. It's a competitive advantage. The data providers that score highest on provenance, freshness, specificity, and consistency will be the ones agents rely on. The ones that provide data without trust metadata will be treated as the least reliable source in any conflict — which, in practice, means their data gets ignored whenever a better source is available.
Every business that wants to be recommended by AI agents should ask one question: when an agent evaluates my data against a competitor's, which one scores higher on the trust stack? If the answer isn't yours, the recommendation goes to someone else. Not because they're a better business — because their data is more trustworthy.