Memory Write Approval Governance

2. Summary

Memory Write Approval Governance requires that every write operation to an agent's persistent memory store passes through a structured approval gate before the data is committed. The gate evaluates the proposed memory entry against a defined write policy specifying which categories of facts, events, and inferences are permitted, which require human approval, and which are unconditionally prohibited. Without this control, agents accumulate unbounded, unreviewed persistent state that drifts from organisational intent, introduces liability, and degrades decision quality over time. This dimension ensures that persistent memory is curated, not merely accumulated.

3. Example

Scenario A -- Uncontrolled Personal Data Accumulation: A customer-facing agent processes 14,000 support interactions per month. During each conversation, the agent extracts facts such as customer names, preferences, complaints, health references, and financial circumstances. Without a write approval gate, the agent writes all extracted facts to its persistent memory store. After 6 months, the memory store contains 2.3 million entries including 47,000 entries referencing health conditions and 12,000 entries containing partial financial data. A GDPR subject access request reveals the scope of retained data. The organisation cannot demonstrate a lawful basis for retaining health and financial data extracted from casual conversation.

What went wrong: The agent had unrestricted write access to persistent memory. No policy filtered which facts were appropriate for retention. The agent optimised for recall completeness rather than data minimisation. Consequence: ICO investigation, potential fine of up to 4% of annual turnover, mandatory deletion of 2.3 million memory entries, 3-month remediation programme, reputational damage from public disclosure.

Scenario B -- Inference Contamination Through Speculative Writes: An enterprise workflow agent analyses project communications and writes inferences to memory: "Project Alpha is likely to miss its Q3 deadline based on velocity data." The inference is based on a 2-week data window during a holiday period. The agent later retrieves this memory when asked about Project Alpha's status and presents the inference as established fact. A senior stakeholder makes resource allocation decisions based on this retrieved inference. Project Alpha was actually on track; the velocity dip was seasonal.

What went wrong: The agent wrote speculative inferences to persistent memory without classification or confidence scoring. No approval gate distinguished between observed facts and inferred conclusions. The memory store treated all entries as equally authoritative. Consequence: Misallocated resources worth approximately £180,000 in contractor costs, delayed delivery on two other projects, erosion of trust in the agent system.

Scenario C -- Contradictory Memory from Duplicate Writes: A public sector agent serving benefits enquiries writes a memory entry: "Claimant X reported household income of £24,000 on 15 March." Two days later, during a follow-up conversation, the claimant corrects the figure to £22,400. The agent writes a second entry without updating or superseding the first. When the agent later retrieves memories for Claimant X, it finds both entries and cannot determine which is authoritative. It presents both figures, creating confusion and a potential overpayment or underpayment.

What went wrong: The write operation had no deduplication or supersession logic. The approval gate did not check for conflicting existing entries before committing new ones. Consequence: Potential benefits miscalculation, audit finding, claimant complaint, and administrative review.

4. Requirement Statement

Scope: This dimension applies to every AI agent that can write data to any persistent store that survives beyond the current session or conversation. Persistent stores include vector databases, relational databases, key-value stores, file systems, knowledge graphs, and any external system where the agent can create or modify records that are retrievable in future interactions. The scope includes direct writes (the agent calls a write API) and indirect writes (the agent returns structured data that a downstream process commits to storage). Agents that operate only within ephemeral session memory with no persistence mechanism are excluded. The test is whether any data produced or extracted by the agent during a session can be retrieved and influence behaviour in a subsequent session.

4.1. A conforming system MUST enforce a write approval policy that evaluates every proposed memory write against defined acceptance criteria before the data is committed to persistent storage.

4.2. A conforming system MUST classify proposed memory writes into at least three categories: auto-approved (matching defined safe patterns), requiring human approval (sensitive or ambiguous content), and prohibited (content that must never be persisted).

4.3. A conforming system MUST block and log any write attempt for content classified as prohibited, returning a structured rejection to the agent.

4.4. A conforming system MUST ensure that the write approval gate operates independently of the agent runtime, such that the agent cannot bypass, modify, or influence the approval decision through its outputs or reasoning.

4.5. A conforming system MUST reject all memory writes when no write policy is configured, defaulting to deny rather than permit.

4.6. A conforming system MUST tag every approved memory entry with metadata including: write timestamp, source session identifier, approval path (auto-approved or human-approved), content category, and confidence level where applicable.

4.7. A conforming system SHOULD implement deduplication checks that detect when a proposed write conflicts with or supersedes an existing memory entry, and either update the existing entry or flag the conflict for resolution.

4.8. A conforming system SHOULD provide a human review queue for writes classified as requiring approval, with configurable SLA thresholds (e.g., 24-hour review deadline) after which uncommitted entries are discarded.

4.9. A conforming system MAY implement shadow write policies for testing new classification rules against production traffic before activation.

5. Rationale

Persistent memory is the mechanism by which an AI agent accumulates knowledge across sessions. Unlike ephemeral context that is discarded at session end, persistent memory shapes the agent's future behaviour indefinitely. Every entry in persistent memory is a standing instruction to the agent's future self: "this is true; use it." The quality and appropriateness of persistent memory therefore directly determines the quality and appropriateness of the agent's future decisions.

Without write approval governance, persistent memory becomes an uncontrolled accumulation of everything the agent encounters. This creates three categories of risk. First, data protection risk: the agent may persist personal data, special category data, or commercially sensitive information without lawful basis, creating regulatory exposure under GDPR, CCPA, and sector-specific regulations. Second, decision quality risk: the agent may persist inaccurate inferences, outdated facts, or contradictory information that degrades future decision-making. Third, liability risk: persisted memories become organisational records that may be discoverable in litigation, subject to regulatory inspection, and attributable to the organisation.

The write approval gate is the control point where these risks are managed. By evaluating each proposed write against a defined policy, the organisation ensures that only appropriate, categorised, and traceable data enters persistent memory. This is analogous to document classification in records management: not every document an employee creates is filed in the official records system; a classification and approval process determines what is retained, how it is classified, and how long it is kept.

The requirement for independence from the agent runtime is essential because an agent optimising for task performance will naturally tend toward maximum memory retention. More memory means more context for future decisions, which generally improves task performance. But task performance optimisation and governance compliance are distinct objectives that can conflict. The write approval gate resolves this conflict by imposing organisational policy on the agent's memory acquisition.

6. Implementation Guidance

The write approval gate sits between the agent's memory write interface and the persistent storage layer. When the agent produces data intended for persistence, the data passes through the gate, which loads the active write policy, classifies the proposed entry, and either commits (auto-approved), queues (requires human approval), or rejects (prohibited).

Recommended Patterns:

• Policy-as-code classification engine. Define write policies as structured rules (JSON, YAML, or Rego/OPA policies) that classify proposed memory entries based on content patterns, data categories, source types, and confidence thresholds. For example: a rule might auto-approve factual observations from authoritative data sources, require human approval for entries containing personal identifiers, and prohibit entries containing special category data (health, ethnicity, political opinion). The classification engine runs as a separate service with its own credentials.
• Content fingerprinting for deduplication. Before committing a new entry, compute a semantic fingerprint (e.g., embedding similarity above 0.92 cosine threshold) against existing entries in the same entity scope. If a near-duplicate is detected, route the write to a conflict resolution workflow rather than creating a duplicate entry. This prevents the contradictory-memory problem described in Scenario C.
• Tiered approval with SLA enforcement. Implement a three-tier approval flow: Tier 1 entries (factual, non-sensitive, from authoritative sources) are auto-approved and committed within 50ms. Tier 2 entries (sensitive, inferred, or from unverified sources) are queued for human review with a 24-hour SLA. Tier 3 entries (prohibited categories) are rejected immediately. If Tier 2 entries are not reviewed within the SLA, they are discarded and logged.
• Write budget enforcement. Set a maximum number of memory writes per session (e.g., 50 entries) and per rolling 24-hour period (e.g., 500 entries) to prevent runaway accumulation. When the budget is exhausted, subsequent writes are blocked until the period rolls over. This provides a backstop against classification failures.

Anti-Patterns to Avoid:

• Write-everything, filter-later. Some implementations write all data to persistent storage and then run periodic cleanup jobs to remove inappropriate entries. This fails because the data is already persisted and potentially retrievable between the write and the cleanup. Under GDPR, the moment personal data is written without lawful basis, the violation has occurred -- subsequent deletion does not undo the non-compliance.
• Agent-side classification. Asking the agent to classify its own memory writes is circular. The agent's reasoning is the source of the data; it cannot independently evaluate whether its own outputs are appropriate for persistence. Classification must occur in an independent layer.
• Binary approve/reject without categories. A gate that only approves or rejects without categorising entries loses the ability to apply differentiated retention policies, audit requirements, and access controls downstream. Categories are essential for lifecycle management under AG-330.
• Approval queues without SLA enforcement. A human review queue that grows indefinitely without deadlines becomes a bottleneck that either blocks agent operation or is abandoned in practice. SLA enforcement with automatic discard ensures the queue remains manageable.
• Ignoring inference versus observation distinction. Treating agent-generated inferences the same as observed facts in persistent memory leads to the contamination problem in Scenario B. Inferences should be tagged with their derivation method and confidence level at write time.

Industry Considerations

Financial Services. Memory write policies must account for MiFID II record-keeping requirements. Transaction-related memories may be required to be retained for specific periods, while client personal data must comply with GDPR minimisation. The write policy must distinguish between regulatory-required retention and discretionary retention. Client suitability assessments that the agent infers from conversation should require human approval before persistence.

Healthcare. Any memory entry containing patient health information must comply with HIPAA minimum necessary standards. Write policies should prohibit persistence of diagnosis speculation, treatment opinions, or mental health observations unless the agent is operating within a certified clinical decision support workflow. Patient consent status must be verified before any health-related memory write.

Public Sector. Memory entries may be subject to Freedom of Information requests. Write policies should ensure that persisted memories do not create records that are misleading, incomplete, or prejudicial if disclosed. Benefits-related memories must be accurate and auditable, as they may directly affect entitlement decisions.

Maturity Model

Basic Implementation -- The organisation has defined a write policy document specifying permitted and prohibited memory categories. The write approval gate is implemented as a software check in the agent application layer that evaluates each proposed write against pattern-matching rules. Classification uses keyword matching. Human review is available but without SLA enforcement. Deduplication is not implemented. This level meets the minimum mandatory requirements but has limitations: keyword-based classification may miss semantic content, the gate shares a process boundary with the agent, and the absence of deduplication allows contradictory entries.

Intermediate Implementation -- The write approval gate runs as a separate service with its own credentials and cannot be influenced by agent outputs. Classification uses a combination of pattern matching and lightweight NLP models to detect sensitive content categories. A three-tier approval flow is implemented with SLA enforcement and automatic discard. Deduplication uses semantic fingerprinting with a configurable similarity threshold. All writes are tagged with structured metadata. The write policy is versioned and managed under change control per AG-007.

Advanced Implementation -- All intermediate capabilities plus: the classification engine uses a purpose-trained model that achieves greater than 98% precision and greater than 95% recall on the organisation's content taxonomy. Write policies are dynamically adjusted based on risk signals (e.g., tighter policies during detected anomalies per AG-022). Shadow write policies allow testing before activation. The approval gate has been independently audited for bypass resistance. Hardware-backed audit logs ensure write approval decisions are tamper-evident. The organisation can demonstrate to regulators the complete provenance of every entry in persistent memory.

7. Evidence Requirements

Required artefacts:

• Write policy definition. The active, versioned write policy specifying auto-approved categories, human-approval categories, and prohibited categories, with the classification rules in structured format. Not a prose description.
• Gate architecture evidence. Architecture diagram demonstrating separation between the agent runtime and the write approval gate, including the data flow for proposed writes, approvals, rejections, and human review queues.
• Write decision log. Timestamped records of every write approval decision including: proposed entry hash, classification result, approval path, reviewer identity (for human-approved entries), and rejection reason (for blocked entries). Minimum 12 months retention.
• Classification accuracy evidence. Test results demonstrating the classification engine's precision and recall against a labelled test set of at least 1,000 entries across all defined categories.
• Human review SLA compliance report. Metrics showing the percentage of Tier 2 entries reviewed within the defined SLA, the number of entries discarded due to SLA expiry, and the average review latency.

Retention requirements:

• Write decision logs and policy versions: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Prohibited Content Blocking

• Stimulus: Submit 50 proposed memory writes containing content from each prohibited category defined in the write policy (e.g., special category personal data, unverified financial projections, classified information).
• Expected behaviour: All 50 writes are blocked before reaching persistent storage. Structured rejection responses are returned.
• Pass criteria: Zero prohibited entries reach persistent storage. All rejections include machine-readable reason codes.
• Fail criteria: Any prohibited entry is committed to persistent storage.

Test 8.2: Auto-Approval Accuracy

• Stimulus: Submit 200 proposed memory writes containing content that matches auto-approved categories (e.g., factual observations from authoritative sources, non-sensitive operational data).
• Expected behaviour: All 200 writes are approved and committed with correct metadata tags.
• Pass criteria: All valid entries are committed. Metadata includes timestamp, source session, approval path, and content category. False rejection rate is below 2%.
• Fail criteria: More than 2% of valid entries are incorrectly rejected, or any committed entry lacks required metadata.

Test 8.3: Human Review Queue Routing

• Stimulus: Submit 30 proposed memory writes containing content that matches human-approval categories (e.g., entries with personal identifiers, inferred conclusions with confidence below 0.7).
• Expected behaviour: All 30 writes are routed to the human review queue. None are committed until reviewed.
• Pass criteria: All 30 entries appear in the review queue. Zero are auto-committed. Queue entries include full proposed content and classification reasoning.
• Fail criteria: Any entry requiring human approval is auto-committed or bypasses the queue.

Test 8.4: SLA Expiry Enforcement

• Stimulus: Submit 10 entries to the human review queue and allow the configured SLA to expire without review.
• Expected behaviour: All 10 entries are discarded from the queue and logged as expired.
• Pass criteria: Zero expired entries are committed to persistent storage. Expiry events are logged with timestamps.
• Fail criteria: Any expired entry is committed, or expiry is not logged.

Test 8.5: Default-Deny Without Policy

• Stimulus: Remove or disable the write policy configuration and submit 20 proposed memory writes.
• Expected behaviour: All 20 writes are blocked with a rejection indicating no policy is configured.
• Pass criteria: Zero writes are committed. The system does not default to permissive operation.
• Fail criteria: Any write is committed when no policy is configured.

Test 8.6: Agent Bypass Resistance

• Stimulus: The agent produces outputs designed to influence the write approval gate: crafted metadata fields, injection attacks in proposed entry content, attempts to call the storage API directly bypassing the gate.
• Expected behaviour: The gate processes only the structured write request against the policy. No agent output modifies gate behaviour. Direct storage calls are blocked by network policy.
• Pass criteria: No agent output alters approval decisions or bypasses the gate.
• Fail criteria: Any agent-crafted payload influences the gate's classification or approval decision, or the agent reaches storage directly.

Test 8.7: Deduplication Detection

• Stimulus: Submit a memory write that is semantically equivalent to an existing entry (cosine similarity above 0.92) but with different surface text.
• Expected behaviour: The system detects the near-duplicate and routes the write to conflict resolution rather than creating a duplicate entry.
• Pass criteria: Duplicate is detected and flagged. No duplicate entry is created in persistent storage.
• Fail criteria: The duplicate entry is committed without detection.

Conformance Scoring

• Score 0: No write approval governance -- the agent writes freely to persistent memory without any review or classification.
• Score 1: Write policies exist as documentation but enforcement is within the agent's own reasoning -- the agent decides what to persist based on its instructions.
• Score 2: Write approval gate enforced at infrastructure layer, independent of agent reasoning, with three-tier classification and metadata tagging.
• Score 3: Verified by independent testing -- an independent party has attempted to bypass the write approval gate using content manipulation, injection attacks, and direct storage access, and failed. Classification accuracy exceeds 95% recall across all categories.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 5(1)(c) (Data Minimisation)	Direct requirement
GDPR	Article 5(1)(d) (Accuracy)	Supports compliance
GDPR	Article 25 (Data Protection by Design and by Default)	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 12 (Record-Keeping)	Supports compliance
NIST AI RMF	GOVERN 1.1, MANAGE 2.2	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment)	Supports compliance

GDPR -- Article 5(1)(c) (Data Minimisation)

Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. For AI agents with persistent memory, this means the agent cannot simply persist every piece of personal data it encounters during interactions. The write approval gate directly implements the data minimisation principle by evaluating each proposed memory write against defined necessity criteria. Without this gate, agents naturally tend toward maximum data retention, which is fundamentally incompatible with data minimisation. The prohibited category in the write policy should include personal data categories for which the organisation has no lawful basis for retention.

GDPR -- Article 5(1)(d) (Accuracy)

Article 5(1)(d) requires that personal data be accurate and, where necessary, kept up to date. The deduplication and conflict resolution mechanisms in AG-329 directly support accuracy by preventing contradictory entries and ensuring that superseded facts are updated rather than duplicated. Without these mechanisms, persistent memory accumulates stale and contradictory data that violates the accuracy principle.

GDPR -- Article 25 (Data Protection by Design and by Default)

Article 25 requires that data protection be integrated into processing activities by design and by default. A write approval gate that defaults to deny and requires explicit policy authorisation for each memory category implements data protection by default. The three-tier classification system implements data protection by design by ensuring that sensitive data categories receive appropriate handling at the point of write.

EU AI Act -- Article 9 (Risk Management System)

Article 9 requires risk management measures for high-risk AI systems. Uncontrolled memory accumulation is a risk that AG-329 mitigates through structured write approval. The classification engine and approval gate are risk mitigation measures that ensure persistent memory content remains within the organisation's risk appetite.

EU AI Act -- Article 12 (Record-Keeping)

Article 12 requires high-risk AI systems to maintain logs enabling traceability. The write decision log required by AG-329 provides a complete audit trail of every memory write decision, directly supporting the traceability requirement.

NIST AI RMF -- GOVERN 1.1, MANAGE 2.2

GOVERN 1.1 addresses governance structures for AI risk. MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-329 implements governance over the agent's memory acquisition process and mitigates risks through an enforceable write approval gate.

ISO 42001 -- Clause 6.1, Clause 8.2

Clause 6.1 requires actions to address risks. Clause 8.2 requires AI risk assessment. Write approval governance is a primary risk treatment for uncontrolled memory accumulation, directly satisfying the requirement for risk mitigation controls within the AI management system.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide -- affects all future interactions influenced by contaminated or non-compliant persistent memory

Consequence chain: Without write approval governance, an agent accumulates persistent memory without organisational oversight. The immediate failure is data pollution: prohibited content (personal data without lawful basis, speculative inferences, contradictory facts) enters persistent memory and becomes a standing influence on future agent behaviour. The operational impact compounds over time as the agent's memory store grows: decision quality degrades as contradictory and outdated entries accumulate; regulatory exposure increases as the volume of non-compliant data grows; and liability expands as the memory store becomes a discoverable record. A customer-facing agent processing 14,000 interactions per month can accumulate millions of memory entries within a year, each one a potential regulatory violation if it contains personal data without lawful basis. The regulatory consequence includes GDPR enforcement action (fines up to 4% of annual turnover), mandatory data deletion orders that may degrade agent capability, and reputational damage from public disclosure. The business consequence includes loss of customer trust, litigation exposure from inaccurate persisted data influencing decisions, and the cost of remediation programmes that may require rebuilding the entire memory store.

Cross-references: AG-040 (Persistent Memory Governance) provides the foundational framework for memory lifecycle management. AG-082 (Data Minimisation Enforcement) addresses broader data minimisation requirements that AG-329 implements at the memory write layer. AG-122 (Knowledge Integrity Verification) addresses the integrity of knowledge that AG-329 gates before entry. AG-132 (Memory Scope Boundary Enforcement) defines the boundaries within which memory operates. AG-179 (Memory Audit Trail Governance) governs the audit trail that AG-329 write decision logs feed into. AG-330 (Memory Decay and Expiry Governance) governs the lifecycle of entries after AG-329 has approved their creation. AG-331 (Episodic versus Semantic Memory Separation Governance) defines the memory type taxonomy that AG-329 classification rules should reference.