Agent Memory Systems

Memory is not one thing. A user preference such as preferred tone is different from a project fact such as deployment target. A temporary task note is different from a durable business rule. A sensitive record such as billing status is different from a harmless UI preference. Lumping these together leads to over-retrieval, privacy risk, and wrong behavior.

Define memory types before implementation. Common categories include user preferences, organization preferences, project facts, task state, conversation summaries, tool results, examples, policies, and sensitive records. Each category should have its own write rules, retrieval rules, retention period, and deletion path. The agent should not decide all of this dynamically from a single prompt.

Memory scope determines who can use a memory. Personal memory should not automatically become team memory. Team memory should not leak into another customer account. Project memory should not apply to a different repository just because the names sound similar. Scope mistakes are some of the most damaging memory failures because they create privacy leaks and confusing behavior.

Permissions should govern both reads and writes. A user may allow an agent to remember personal preferences but not billing facts. An admin may approve organization-wide policy memory. A tool may write task state but not durable user identity. A memory system should make these rules explicit instead of letting every model call append new facts.

Every durable memory should answer where it came from. Was it stated by the user, inferred by the agent, extracted from a document, returned by a tool, or written by an admin? Was it confirmed? When was it last seen? What evidence supports it? Provenance lets the agent and the operator decide how much to trust the memory.

Prompt injection makes provenance essential. If a web page tells an agent to remember a new security policy, that should not be treated the same as an admin setting. Tool outputs and retrieved documents are data, not necessarily authority. Memory writes from untrusted content should be blocked, downgraded to temporary task state, or require user confirmation.

Memory retrieval should be selective. Injecting every memory into every prompt increases cost and increases the chance that stale or irrelevant facts influence the agent. Retrieval should consider task, scope, recency, confidence, and sensitivity. The agent should know when a memory is a suggestion, a preference, a verified project fact, or an admin policy.

Context budgets connect memory design to cost management. Long memory blocks increase input tokens and may push the agent toward more expensive models. Use the Agent Cost Management guide at /guides/agent-cost-management/ and the AI Cost Calculator at /tools/ai-cost-calculator/ to estimate the cost impact of memory-heavy workflows. Sometimes the cheapest memory is a better retrieval rule, not a bigger context window.

Memory poisoning occurs when incorrect, malicious, or untrusted information is saved and later influences the agent. It can happen through direct user input, imported documents, web pages, tool outputs, or model inference. The risk is high because the attack persists beyond the original conversation. A one-time prompt injection can become a long-term behavior change if it writes memory.

Defenses include write approval, source labeling, policy checks, expiration, conflict detection, and monitoring. For example, a memory that changes payment instructions, security policy, deployment target, or user identity should require explicit confirmation. A memory derived from a public page should not modify private workflow rules. The Agent Security Guide at /guides/agent-security-guide/ covers broader injection defenses.

Users and administrators need control over durable memory. They should be able to inspect what the agent remembers, correct inaccurate facts, delete memory, disable memory for a workflow, and understand how memory affects behavior. Hidden memory creates trust problems even when it is accurate because users cannot tell why the agent behaves a certain way.

Deletion should be real within the product's stated retention rules. If memory is copied into logs, analytics, evaluation datasets, or support tools, the policy should say so. For privacy-sensitive products, memory controls are not optional. They are part of the safety and compliance posture. Even for simple static tools, avoid implying that personal memory is stored if the site has no database or backend.

Memory systems need tests. The evaluation framework at /guides/agent-evaluation-framework/ should include cases where memory helps, memory conflicts with the current instruction, memory is stale, memory comes from untrusted content, and memory should not be retrieved. A memory-capable agent is not reliable until it can ignore the wrong memory as well as use the right one.

Production monitoring should track memory reads, writes, updates, deletes, conflicts, and user corrections. A high correction rate may mean the agent writes too aggressively. A high retrieval rate may mean context is too broad. A suspicious source pattern may indicate memory poisoning. Tie these signals to the dashboard described in /guides/agent-monitoring/.