How does protocol mediation affect determinism in agentic function calls?

This reads the question as asking whether the protocol layer itself — the standardized middle that sits between an agent and its tools — is what makes agentic function calls unpredictable, or whether it's incidental. The corpus has a sharp, opinionated answer at the center of it. One production account Why do protocol-based tool integrations fail in production workflows? found that routing tool access through MCP introduced non-deterministic failures, not because the protocol was buggy, but because mediation forces the model to do two fuzzy things at runtime: pick which tool from an ambiguous menu, and infer parameters from loose descriptions. Stripping that out — explicit direct function calls, one tool per agent — restored determinism. The tell is in the survey it cites: 85% of production teams build custom agents and skip frameworks entirely. The instinct is to remove the layer that's deciding for the model.

But the corpus immediately complicates the 'just remove the protocol' story. A competing note Should coordination protocols wrap existing systems or replace them? argues protocols win adoption precisely by wrapping existing systems like MCP under a shared substrate rather than replacing them — value accrues without ecosystem rewrites. So there's real tension here: the production lesson says mediation costs you determinism, while the coordination lesson says you can't realistically rip mediation out without losing interoperability. The synthesis isn't 'protocols bad' — it's that every inference the protocol does on the model's behalf (tool selection, parameter binding) is a place where determinism leaks.

Why does that leak compound rather than stay local? Look at how coordination degrades at scale Why do multi-agent systems fail to coordinate at scale?: agents accept information from neighbors without verifying it, so a single ambiguous resolution propagates as error rather than getting caught. Mediation adds exactly these uncritical handoffs. And the FLOWSTEER work shows the same surface is exploitable — a crafted prompt can bias tool routing and task assignment at planning time, before any infrastructure runs Can prompt injection reshape multi-agent workflow without touching infrastructure?, with the damage amplified when injected into high-influence positions where dependencies converge How does workflow position shape attack propagation in multi-agent systems?. The same indirection that makes tool selection non-deterministic also makes it steerable. Non-determinism and attackability turn out to be the same property viewed from two angles.

The most interesting move, though, is what the corpus offers as the alternative to fuzzy mediation: not 'less protocol' but a more legible substrate. Code, one note argues, is uniquely good for agent reasoning because it's simultaneously executable, inspectable, and stateful — you can verify what happened, not just hope Can code become the operational substrate for agent reasoning?. That reframes the whole question. Determinism isn't lost because there's a layer between agent and tool; it's lost when that layer is a natural-language guessing game instead of something checkable. A protocol that hands the model an inspectable, verifiable call is a different animal from one that hands it an ambiguous menu — even if both are 'mediation.' The thing to fix is the inference burden, not the existence of the middle.