AN Alpesh Nakrani
BlogBooksPraiseAbout Work with me →
Book overview
Appendix A / Technical Deep Dives

Appendix A: Back Matter

Glossary, implementation checklist, and source register for the book.

Alpesh Nakrani
Alpesh Nakrani
Memory Systems for Agents · 8 min read

Key Takeaways

  • Appendix A: Back Matter is a chapter about agent memory systems, not a generic AI adoption note.
  • The operating rule is to treat every memory as a sourced, scoped, revisable claim instead of an ambient fact.
  • The failure mode to watch is polished output without evidence, owner, cost line, or rollback path.
  • The useful next step is an artifact a future teammate can replay without folklore.

Agent memory is useful only when every stored claim has source, scope, decay, and deletion rules.

Glossary

Agent loop. The interleaved reason-act cycle in which an agent decides a step, calls a tool, observes a result, updates state, and repeats. Memory is read and written inside this loop, not only at its bookends, the property that distinguishes agent memory from chatbot memory (Chapter 3).

Audit memory. An immutable, append-only record of every memory operation (write, recall, correction, revocation, deletion), kept for accountability rather than recall. It must outlive the memories it describes (Chapters 2, 14).

Blast radius. The full set of actions a memory drove and derived memories it seeded. Measured during an incident to scope a correction (Chapters 4, 14).

Calibration. The property that a stated confidence matches observed correctness, a 0.8-confidence memory is right ~80% of the time. Uncalibrated confidence makes every threshold a superstition (Chapter 13).

Candidate fact. A provisional, untrusted claim proposed by extraction, before it has passed the write gate. The extractor proposes; the gate disposes (Chapter 4).

Consolidation. The pipeline that compresses raw episodes into summaries (faithful) and reflections (generative), running at task end and on a slower cadence (Chapter 6).

Decay axis. The dimension along which a memory type loses validity: volume (episodic), re-confirmation (semantic), behavioral contradiction (preference), failure (procedural), status (task), TTL (environmental) (Chapters 2, 10).

Durable memory. A candidate that passed the gate, evidenced, owned, lifecycle-assigned, and is written, recalled, and acted upon (Chapter 4).

Effective confidence. A memory's stored confidence decayed by time since last confirmation; used in recall so stale memories lose influence gracefully (Chapter 10).

Episodic memory. The append-only log of events the agent observed or performed, the evidence layer every derived memory points back to (Chapter 2).

Environmental memory. A cached model of external world state known through tools; decays fast and silently, so it is treated as a hint requiring re-verification (Chapters 2, 8).

Forgetting curve. The principle (after Ebbinghaus, as used in MemoryBank) that memory strength decays over time and refreshes on access (Chapter 10).

Indirect prompt injection. An attack in which malicious instructions arrive via content the agent retrieves (documents, tickets, web pages) rather than user input. Memory poisoning is indirect injection made persistent (Chapter 12).

MEMORY framework. The six-question design aid for any candidate write: Meaningful, Evidenced, Mutable, Owned, Restricted, Yielding (front matter and throughout).

Negative memory. A durable record of what not to do, recalled on trigger conditions rather than similarity, treated as a constraint that does not yield to live intent (Chapter 5).

Procedural memory. Reusable, executable methods (skills, routines, tool sequences), knowing how, not that. Unique in being testable, composable, and high-blast-radius (Chapter 7).

Provenance. The link from a derived memory back to the episode(s) and evidence that justify it. A memory without provenance is a rumor (Chapters 2, 4).

Recall (vs. retrieval). Retrieval finds matching memories; recall selects, scopes, ranks, budgets, and frames the few that should shape the action. Recall is the hard part (Chapter 5).

Reflection. A generative generalization derived from episodes, a claim the agent invented, not the user stated. Gated at a higher bar than user-stated facts (Chapter 6).

Revocation. Soft deletion (revoked_at set) that excludes a memory from recall while preserving it for audit (Chapter 10).

Scope (owner_scope). The hard boundary determining who may read and who controls a memory, user, tenant, workspace, system. Applied before ranking; a breach if violated (Chapters 5, 9, 11).

Skill drift. A previously-working skill that silently begins doing the wrong thing because its environment changed; detected by failure rate, not time (Chapter 7).

Supersession. Replacing a memory with a corrected version while preserving the chain, so corrections are reversible and history is kept (Chapters 4, 10).

Trust class. A tag on evidence (trusted vs. untrusted_external) that governs whether it may originate a durable memory. Untrusted content corroborates but never originates (Chapter 12).

Working memory. Transient task state, alive only during a task, never persisted as durable memory. The scratchpad, not the record (Chapter 3).

Write gate. The component that decides whether a candidate becomes a durable memory. Its default is do not persist; the most important component in the system (Chapter 4).

Zombie task. A task that should be terminal but was never marked done or abandoned, so it lingers and is recalled as active (Chapter 8).

Implementation Checklist

A sequenced checklist for building or auditing an agent memory system. Each item names the chapter where it is developed.

Foundations

  • Memory is a separate, governed subsystem, not the conversation history or a single vector blob (Ch. 1-2).
  • Memory types are physically separated by store/table with distinct write rules, read rules, and decay (Ch. 2).
  • Every durable memory has non-null owner_scope, source_episode_ids (provenance), consent_basis, and a lifecycle (expires_at/superseded_by/revoked_at) (Ch. 2, 4).
  • Episodic store is append-only and serves as the evidence layer; an audit table is immutable and outlives deletions (Ch. 2).

The loop

  • Working memory (transient) is separated from durable memory; hypotheses never persist as facts (Ch. 3).
  • Durable extraction is batched to task boundaries, not run per step (write-amplification control) (Ch. 3).
  • No path exists from a raw tool result directly to a durable write (Ch. 3, 12).
  • Task state is checkpointed durably so it survives interruption (Ch. 3, 8).

Writes

  • A candidate/durable distinction exists; the extractor proposes, the gate disposes (Ch. 4).
  • The write gate enforces all six MEMORY checks; default verdict is reject (Ch. 4).
  • Preferences require confirmation (or strong corroboration) before persisting; non-literal evidence is flagged (Ch. 4).
  • Sensitive categories never auto-persist; they route to consent or are blocked (Ch. 4, 11).
  • Conflicts supersede rather than silently overwrite (Ch. 4, 10).
  • Repetition from a single source counts as one observation (Ch. 12).

Reads

  • Scope is a hard WHERE boundary applied before ranking; revoked/superseded/expired memories never recall (Ch. 5).
  • Recall budget is small; highest-priority memories placed at context edges (Ch. 5).
  • The live instruction beats the stored default (yields_to_live_intent) (Ch. 5).
  • Negative memory fires on trigger conditions, not similarity (Ch. 5).

Generative memory

  • Summaries assert nothing their sources do not; reflections are flagged as inference and gated at a higher bar (Ch. 6).
  • Derived memory is invalidated and re-derived bottom-up when sources change (Ch. 6).
  • authored_by distinguishes user-stated from agent-inferred memory (Ch. 6).
  • Skills pass tests and are parameterized before trust; proposed → stable promotion required (Ch. 7).
  • Skill dependency graph tracked; drift detected by failure rate; retirement runbook exists (Ch. 7).

Multi-agent and forgetting

  • Scope lattice enforced; no private→shared laundering; write authority for workspace facts (Ch. 9).
  • Shared memories carry writer identity and trust weight; conflicts verify the world for verifiable facts (Ch. 9).
  • Each memory type decays on its own axis; decay lowers recall influence, not just triggers deletion (Ch. 10).

Governance and security

  • Consent encoded as per-category policy; credentials and location never durably stored (Ch. 11).
  • User-facing control panel: view, edit, export, forget (Ch. 11).
  • Deletion is an auditable workflow reaching derived memory, indexes, and caches, with verification (Ch. 11).
  • Retention sweeps run, honoring legal holds (Ch. 11).
  • Tenant isolation tested adversarially with highly-relevant cross-tenant data (Ch. 11).
  • Untrusted content corroborates but never originates; authority claims route to human review (Ch. 12).
  • Poisoning fixture suite gates deploys; audit anomaly queries run (Ch. 12).

Evaluation and operations

  • Improvement-over-episodes is measured (the metric that justifies memory) (Ch. 13).
  • Harm metrics tracked: false-, stale-, harmful-recall, creepy-memory rate (Ch. 13).
  • Correction-propagation and deletion-completeness have regression tests (Ch. 13).
  • Confidence is calibrated and periodically refit (Ch. 13).
  • Memory policy changes are shadow-tested before promotion (Ch. 13).
  • Every write/recall emits telemetry; dashboards alert on gate drift and live-intent overrides (Ch. 14).
  • Schema migrations treated as behavior changes; trust never auto-upgraded (Ch. 14).
  • The incident runbook is written and rehearsed (Ch. 14).
  • A domain playbook tunes the architecture to your use case (Ch. 15).

Research and Source Register by Chapter

Sources are cited inline where they support a claim. This register confirms research coverage is distributed and chapter-specific.

Introduction. Voyager; Generative Agents; Reflexion.

Chapter 1: The 7 a. m. Memory. MemGPT; MemoryBank; Generative Agents; Reflexion; OWASP LLM Top 10; Lost in the Middle.

Chapter 2: A Claim with a Source. Generative Agents; Voyager; MemGPT; MemoryBank; Reflexion.

Chapter 3, The Agent's Read/Write Loop. MemGPT; ReAct; Reflexion; Toolformer; Generative Agents.

Chapter 4: The Write Gate. MemoryBank; Generative Agents; NIST AI RMF; OWASP LLM Top 10; Reflexion.

Chapter 5: Recall Is Not Retrieval. Generative Agents; MemGPT; Lost in the Middle; RAGAS; MemoryBank.

Chapter 6, Reflection, Consolidation, and the Summaries That Lie. Generative Agents; Reflexion; MemGPT; MemoryBank; Lost in the Middle.

Chapter 7: Procedural Memory and Skill Libraries. Voyager; Reflexion; Generative Agents; Toolformer; MemGPT.

Chapter 8, Long-Horizon Task Memory. MemGPT; Reflexion; ReAct; Generative Agents; Voyager.

Chapter 9, Shared and Private Memory in Multi-Agent Systems. Generative Agents; MemGPT; Voyager; OWASP LLM Top 10; NIST AI RMF.

Chapter 10, Forgetting, Decay, and Conflict Resolution. MemoryBank; Generative Agents; MemGPT; Reflexion.

Chapter 11, Privacy, Consent, Deletion, and Governance. NIST AI RMF; OWASP LLM Top 10; GDPR Art. 17; GDPR Art. 5; Vertex AI Agent Engine Memory Bank.

Chapter 12: Memory Poisoning and Security. Indirect Prompt Injection (Greshake et al.); OWASP Prompt Injection Prevention Cheat Sheet; OWASP LLM Top 10; Microsoft on indirect prompt injection; NIST AI RMF.

Chapter 13, Does the Agent Actually Improve? Reflexion; Voyager; RAGAS; Generative Agents; MemoryBank.

Chapter 14: Operating Memory in Production. MemGPT; NIST AI RMF; Vertex AI Agent Engine Memory Bank; OWASP LLM Top 10; Generative Agents.

Chapter 15: Use Case Playbooks. MemGPT; Voyager; Reflexion; OWASP LLM Top 10; NIST AI RMF.

Internal map

For the larger argument, keep this chapter connected to memory systems for agents, Memory Systems for Agents, Agents That Actually Work, and agentic workflows.

Share