Memory Decay and Expiry Governance

2. Summary

Memory Decay and Expiry Governance requires that every entry in an agent's persistent memory store has a defined retention period and an enforceable expiry mechanism. Memories that are no longer valid, lawful to retain, or useful for the agent's defined purpose must be expired and removed according to a structured policy. Without this control, persistent memory grows indefinitely, accumulating stale facts, expired consents, outdated inferences, and legally toxic data that the agent continues to treat as current and authoritative. This dimension ensures that memory is a managed, time-bounded resource rather than an ever-growing liability.

3. Example

Scenario A -- Stale Customer Preference Driving Wrong Recommendations: A customer-facing retail agent persists a memory entry: "Customer Y prefers budget products, price-sensitive." This was accurate when written 18 months ago. Customer Y has since received a significant salary increase and now purchases premium products through other channels. The agent continues to recommend budget options, frustrating Customer Y, who perceives the experience as tone-deaf. Customer Y complains and ultimately closes their account. The memory entry had no expiry date and no mechanism to verify continued accuracy.

What went wrong: The memory entry had no TTL (time-to-live) and no freshness validation. The agent treated an 18-month-old behavioural inference as current truth. Consequence: Customer attrition, £8,400 in annual revenue lost from that customer, negative review visible to other customers, reputational cost.

Scenario B -- Retained Data Beyond Consent Withdrawal: A healthcare information agent persists memory entries about a patient's reported symptoms and medication history. The patient withdraws consent for data processing. The organisation deletes the patient's records from the primary database, but the agent's persistent memory store is not included in the deletion workflow. The agent retains 47 memory entries about the patient. Six months later, the patient makes a subject access request and discovers the agent still holds their health data. The organisation faces an ICO complaint.

What went wrong: The memory store was not integrated into the data subject rights workflow. No expiry mechanism triggered on consent withdrawal. The memory entries had no link to the consent record that authorised their creation. Consequence: ICO investigation, potential fine, mandatory deletion and compliance audit, loss of patient trust.

Scenario C -- Accumulation of Contradictory Outdated Entries: An enterprise workflow agent accumulates 340,000 memory entries over 2 years. Of these, approximately 85,000 reference project statuses, team compositions, and budget figures that have changed since the entries were written. The agent retrieves these entries alongside current information and presents contradictory data. Users lose confidence in the agent's outputs and begin manually verifying every response, negating the productivity benefit of the agent.

What went wrong: No decay mechanism reduced the weight or removed outdated entries. No expiry policy existed for time-sensitive operational data. The memory store grew monotonically without any lifecycle management. Consequence: Agent utility reduced by approximately 60% based on user adoption metrics, £240,000 annual productivity benefit erased, executive sponsorship at risk.

4. Requirement Statement

Scope: This dimension applies to every AI agent with persistent memory containing entries that can become stale, inaccurate, legally non-retainable, or operationally irrelevant over time. This encompasses virtually all persistent memory deployments because facts, preferences, and operational states change. The only exceptions are agents whose persistent memory contains exclusively immutable reference data (e.g., mathematical constants, permanently valid regulatory text) that does not change and has no retention limitation. The scope includes all memory types: episodic memories (events that occurred), semantic memories (facts and knowledge), inferred memories (conclusions drawn by the agent), and relational memories (associations between entities).

4.1. A conforming system MUST assign a retention period or expiry condition to every entry written to persistent memory, based on the entry's content category as defined in the write policy (AG-329).

4.2. A conforming system MUST enforce expiry by removing or archiving entries that have exceeded their retention period, on a schedule no less frequent than once every 24 hours.

4.3. A conforming system MUST support event-triggered expiry, where entries are expired in response to external events such as consent withdrawal, data subject deletion requests, or authoritative source updates that invalidate the entry.

4.4. A conforming system MUST prevent expired entries from being retrieved by the agent or influencing agent behaviour after expiry, regardless of whether the physical deletion has occurred.

4.5. A conforming system MUST log all expiry actions including: entry identifier, expiry reason (TTL, event-triggered, or manual), expiry timestamp, and whether the entry was deleted or archived.

4.6. A conforming system SHOULD implement graduated decay, where the retrieval weight of memory entries decreases over time according to a defined decay function, such that older entries are progressively less likely to be surfaced unless specifically queried.

4.7. A conforming system SHOULD integrate memory expiry with data subject rights workflows, ensuring that deletion requests under GDPR Article 17 or equivalent trigger expiry of all relevant memory entries within the regulatory timeframe (typically 30 days).

4.8. A conforming system SHOULD support differentiated retention periods by content category: for example, 90 days for behavioural inferences, 365 days for verified factual observations, and immediate expiry on consent withdrawal for personal data.

4.9. A conforming system MAY implement memory importance scoring that extends the retention of high-value entries while accelerating the expiry of low-value entries, subject to maximum retention limits.

5. Rationale

Persistent memory without lifecycle management is a growing liability. Every entry written to persistent memory remains there indefinitely unless a mechanism removes it. Over time, the proportion of stale, inaccurate, and legally non-retainable entries increases while the agent continues to treat all entries as equally current and authoritative.

The problem is not merely theoretical. An agent that processes 500 interactions per day and writes an average of 10 memory entries per interaction accumulates 1.825 million entries per year. Without decay or expiry, the memory store after 3 years contains 5.475 million entries. Analysis of production memory stores consistently shows that 30-50% of entries older than 6 months reference facts that have changed. The agent is making decisions influenced by millions of entries, a substantial fraction of which are no longer accurate.

The regulatory dimension is equally pressing. GDPR Article 5(1)(e) -- the storage limitation principle -- requires that personal data be kept for no longer than necessary for the purposes for which it is processed. An agent that retains personal data indefinitely in persistent memory without a defined retention period is structurally non-compliant with this principle. The absence of an enforceable expiry mechanism means the organisation cannot demonstrate compliance with storage limitation.

Graduated decay addresses a subtler problem: even within their retention period, older memories are statistically less likely to be accurate than recent ones. A customer preference observed last week is more likely to be current than one observed 11 months ago. Decay functions (linear, exponential, or step-wise) reduce the retrieval weight of older entries, making the agent's behaviour more responsive to recent information without abruptly discarding potentially valid older entries.

The integration with data subject rights is critical because memory stores are often overlooked in deletion workflows. The primary database is included in the deletion process, but the agent's vector store or knowledge graph may not be. This creates a compliance gap where the organisation believes it has fulfilled a deletion request but personal data persists in the agent's memory.

6. Implementation Guidance

Memory decay and expiry requires two complementary mechanisms: scheduled TTL enforcement that runs on a regular cycle, and event-triggered expiry that responds to external signals in real time.

Recommended Patterns:

• TTL-based expiry with category-specific periods. Assign retention periods at write time based on the content category determined by the AG-329 write approval gate. Example configuration: behavioural inferences -- 90-day TTL; verified factual observations -- 365-day TTL; personal preferences stated by the data subject -- 180-day TTL or until consent withdrawal, whichever is sooner; regulatory-required records -- 7-year TTL. A scheduled job runs every 6 hours, identifies entries past their TTL, marks them as expired, and removes them from the retrieval index. Physical deletion follows within 24 hours.
• Exponential decay weighting. Implement a decay function that reduces the retrieval score of memory entries over time. For a vector similarity search that returns a raw score S, apply a time-decayed score: S_decayed = S e^(-lambda age_days), where lambda is configured per content category. For example, lambda = 0.01 gives a half-life of approximately 69 days; lambda = 0.005 gives a half-life of approximately 139 days. This ensures that recent entries are preferred in retrieval without hard-cutting older entries that may still be valid.
• Event bus integration for real-time expiry. Subscribe the memory expiry service to an event bus that carries data subject rights events (deletion requests, consent withdrawals), authoritative source update events (e.g., CRM record updated, HR system changed), and administrative events (project closed, customer account terminated). On receiving a relevant event, the expiry service identifies all memory entries associated with the affected entity and expires them within the configured timeframe.
• Archive-before-delete with tombstones. Rather than immediately deleting expired entries, move them to a cold archive that the agent cannot access but that auditors and compliance teams can query. Place a tombstone in the active memory store indicating that an entry existed and was expired. This supports audit requirements while preventing the agent from using expired data. Tombstones carry no content -- only the entry identifier, expiry timestamp, and reason.

Anti-Patterns to Avoid:

• Infinite retention by default. If the system does not require a TTL at write time, the default is infinite retention. This guarantees non-compliance with storage limitation principles and ensures memory stores grow without bound. Every entry must have a defined retention period, even if it is long.
• Soft deletion without retrieval blocking. Marking entries as "expired" in metadata but leaving them in the retrieval index means the agent can still find and use them. Expiry must remove entries from the retrieval index, not merely flag them.
• Uniform TTL for all content types. A single TTL (e.g., 365 days for everything) fails to account for the different decay rates of different content types. A customer's stated name has a much longer valid period than a behavioural inference drawn from a single interaction. Differentiated TTLs by category are essential.
• Manual-only expiry. Relying on human administrators to periodically review and purge memory entries does not scale. At 1.825 million entries per year, manual review is impractical. Automated TTL enforcement is required, with manual override as a supplement.
• Ignoring embedding store expiry. If memory entries are stored as embeddings in a vector database, deleting the source record without removing the corresponding embedding leaves a ghost entry that can still be retrieved by similarity search. Expiry must cover both the source record and all derived representations.

Industry Considerations

Financial Services. MiFID II requires retention of certain records for 5-7 years. Memory entries that constitute regulatory records must have TTLs aligned with these requirements, not shorter. However, non-regulatory entries (e.g., agent inferences about client preferences) should have shorter TTLs aligned with GDPR minimisation. The write policy must distinguish between these categories.

Healthcare. Patient data retention periods vary by jurisdiction and data type. In the UK, the NHS Records Management Code specifies retention periods ranging from 3 years to 30 years depending on the record type. Memory entries containing patient data must comply with the applicable retention schedule, and event-triggered expiry must respond to patient consent withdrawal within the regulatory timeframe.

Public Sector. Freedom of Information considerations mean that memory entries may be disclosable. Expired entries in the archive may still be subject to FOI requests. The archive-before-delete pattern must account for this: archived entries should be retrievable for FOI purposes but not by the agent.

Maturity Model

Basic Implementation -- The organisation assigns a default TTL to all memory entries at write time. A scheduled job runs daily to identify and delete entries past their TTL. All content categories share the same TTL. Event-triggered expiry is not implemented. Decay weighting is not implemented. This meets minimum mandatory requirements but applies a uniform retention policy that may be too short for some categories and too long for others.

Intermediate Implementation -- Differentiated TTLs are assigned by content category at write time, aligned with the AG-329 classification. Event-triggered expiry responds to data subject rights events within 24 hours. Exponential decay weighting is applied to retrieval scores. Expired entries are archived before deletion with tombstones in the active store. The expiry service is integrated with the organisation's data subject rights workflow. Expiry logs are retained for audit purposes.

Advanced Implementation -- All intermediate capabilities plus: memory importance scoring dynamically adjusts retention within policy bounds. The decay function parameters are tuned based on empirical accuracy analysis of entries at different ages. The expiry service has been independently audited for completeness, confirming that no expired data remains in any retrieval path (including vector embeddings, caches, and replicas). Real-time event-triggered expiry achieves sub-hour latency. The organisation can demonstrate to regulators the complete lifecycle of any memory entry from creation through expiry.

7. Evidence Requirements

Required artefacts:

• Retention policy definition. The active, versioned retention policy specifying TTL values for each content category, event-triggered expiry conditions, and decay function parameters. Structured format (JSON, YAML, or policy-as-code).
• Expiry execution log. Timestamped records of every expiry action including: entry identifier, content category, expiry reason, expiry timestamp, and disposition (deleted or archived). Minimum 12 months retention of logs.
• Data subject rights integration evidence. Records demonstrating that deletion requests and consent withdrawals triggered memory expiry within the regulatory timeframe. Include timestamps of the triggering event and the completion of expiry.
• Memory store age distribution report. A periodic (monthly) report showing the age distribution of entries in the active memory store, demonstrating that the expiry mechanism is functioning and that no entries exceed their defined TTL.
• Retrieval blocking verification. Test results demonstrating that expired entries cannot be retrieved by the agent through any retrieval path, including direct query, similarity search, and associated entity traversal.

Retention requirements:

• Expiry logs and policy versions: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: TTL Expiry Enforcement

• Stimulus: Create 100 memory entries with a TTL of 1 hour. Wait for the TTL to expire and the expiry job to run.
• Expected behaviour: All 100 entries are expired and removed from the retrieval index.
• Pass criteria: Zero expired entries are retrievable by the agent. Expiry logs record all 100 removals with correct timestamps and reasons.
• Fail criteria: Any expired entry remains retrievable, or expiry logs are incomplete.

Test 8.2: Event-Triggered Expiry on Consent Withdrawal

• Stimulus: Create 25 memory entries associated with a specific data subject. Issue a consent withdrawal event for that data subject.
• Expected behaviour: All 25 entries are expired within the configured timeframe (e.g., 24 hours).
• Pass criteria: All entries associated with the data subject are expired. No associated entries remain retrievable. Expiry logs record the triggering event.
• Fail criteria: Any entry associated with the data subject remains retrievable after the configured timeframe.

Test 8.3: Retrieval Blocking Post-Expiry

• Stimulus: Expire a set of 20 entries and then attempt to retrieve them through: direct ID lookup, semantic similarity search, entity-association traversal, and raw database query.
• Expected behaviour: No retrieval path returns expired entries to the agent. Raw database query by an administrator may access archived entries but the agent cannot.
• Pass criteria: Zero expired entries are returned through any agent-accessible retrieval path.
• Fail criteria: Any expired entry is returned to the agent through any retrieval path.

Test 8.4: Decay Weighting Accuracy

• Stimulus: Create two semantically similar memory entries -- one written today and one written 90 days ago. Query the memory store with a prompt relevant to both entries.
• Expected behaviour: The recent entry receives a higher retrieval score than the older entry, with the score difference consistent with the configured decay function (e.g., for lambda = 0.01, the 90-day-old entry should have approximately 40% of the recent entry's decayed score).
• Pass criteria: Retrieval scores follow the configured decay function within a 5% tolerance. The recent entry is ranked higher.
• Fail criteria: Decay weighting is not applied, or scores deviate from the configured function by more than 5%.

Test 8.5: Default Retention Assignment

• Stimulus: Submit a memory write through the AG-329 gate and verify that a TTL is assigned at write time.
• Expected behaviour: Every committed entry has a non-null TTL value corresponding to its content category.
• Pass criteria: Zero entries exist in persistent storage without an assigned TTL. TTL values match the retention policy for each category.
• Fail criteria: Any entry is committed without a TTL, or TTL values do not match the policy.

Test 8.6: Embedding Store Expiry Completeness

• Stimulus: Expire 50 entries and verify that corresponding vector embeddings are removed from the vector database.
• Expected behaviour: No orphaned embeddings remain in the vector store for expired entries.
• Pass criteria: Similarity search against expired entry content returns no results from the expired entries' embeddings.
• Fail criteria: Any orphaned embedding from an expired entry is returned in similarity search results.

Test 8.7: Archive Accessibility Controls

• Stimulus: Expire entries to the archive. Attempt to access archived entries through the agent's retrieval interface and through the administrative audit interface.
• Expected behaviour: The agent cannot access archived entries. Administrators can access them for audit purposes.
• Pass criteria: Agent retrieval returns zero archived entries. Administrative query returns all archived entries with full metadata.
• Fail criteria: The agent can access archived entries, or administrators cannot access them.

Conformance Scoring

• Score 0: No memory expiry governance -- persistent memory grows indefinitely without any retention limits or expiry mechanism.
• Score 1: TTL values are assigned but enforcement is irregular or manual -- entries may persist beyond their defined retention period.
• Score 2: Automated TTL enforcement runs on schedule with category-specific retention periods, event-triggered expiry responds to data subject rights events, and expired entries are blocked from retrieval.
• Score 3: Verified by independent audit -- an independent party has confirmed that no expired data remains in any retrieval path, decay weighting is accurately applied, and event-triggered expiry meets regulatory timeframes. Memory store age distribution demonstrates no entries exceed policy limits.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 5(1)(e) (Storage Limitation)	Direct requirement
GDPR	Article 17 (Right to Erasure)	Direct requirement
GDPR	Article 25 (Data Protection by Design and by Default)	Supports compliance
EU AI Act	Article 9 (Risk Management System)	Supports compliance
NIST AI RMF	MANAGE 2.2, MANAGE 4.1	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance
CCPA	Section 1798.105 (Right to Delete)	Direct requirement

GDPR -- Article 5(1)(e) (Storage Limitation)

Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing. For AI agent persistent memory, this means that memory entries containing personal data must have defined retention periods and be expired when those periods elapse. An agent that retains personal data indefinitely in persistent memory is structurally non-compliant. AG-330 directly implements storage limitation by requiring TTL assignment at write time and automated enforcement of expiry. The differentiated TTL approach ensures that retention periods are proportionate to the purpose of each content category, rather than applying a blanket retention period.

GDPR -- Article 17 (Right to Erasure)

Article 17 provides data subjects with the right to obtain erasure of their personal data. AG-330's event-triggered expiry mechanism directly supports compliance by ensuring that deletion requests propagate to the agent's persistent memory store, which is often overlooked in deletion workflows. The requirement for sub-24-hour event-triggered expiry ensures the organisation can demonstrate responsive compliance with erasure requests.

GDPR -- Article 25 (Data Protection by Design and by Default)

Automated expiry enforcement with default-deny retention (no entry persists without a TTL) implements data protection by design. The system is architecturally incapable of indefinite data retention, which is a stronger compliance posture than relying on manual processes.

EU AI Act -- Article 9 (Risk Management System)

Unmanaged memory accumulation is a risk to AI system reliability and accuracy. AG-330 mitigates this risk by ensuring that the agent's knowledge base remains current and does not accumulate contradictory or outdated information that degrades decision quality.

NIST AI RMF -- MANAGE 2.2, MANAGE 4.1

MANAGE 2.2 addresses risk mitigation through controls. MANAGE 4.1 addresses post-deployment monitoring. Memory decay governance is both a risk mitigation control and a post-deployment management mechanism that ensures the agent's persistent state remains within acceptable parameters over time.

ISO 42001 -- Clause 6.1

Clause 6.1 requires actions to address risks within the AI management system. Indefinite memory growth is a risk that AG-330 addresses through structured decay and expiry policies.

CCPA -- Section 1798.105

The CCPA provides California consumers with the right to request deletion of personal information. AG-330's event-triggered expiry ensures that deletion requests propagate to agent memory stores, supporting compliance with this right.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide -- stale memory affects all interactions across all users of the agent

Consequence chain: Without memory decay and expiry governance, persistent memory grows monotonically, accumulating stale, inaccurate, and legally non-retainable entries. The agent treats all entries as equally current and authoritative, leading to decisions based on outdated information. The failure compounds over time: after 12 months, production analysis shows 30-50% of entries reference changed facts. The operational impact includes degraded decision quality (as in Scenario A, costing approximately £8,400 per customer attrition event), regulatory non-compliance with storage limitation principles (potential fines up to 4% of annual turnover under GDPR), failure to honour data subject deletion requests (potential enforcement action per Scenario B), and loss of user trust leading to agent abandonment (as in Scenario C, erasing £240,000 in annual productivity benefit). The blast radius is organisation-wide because every user interacting with the agent is affected by the contaminated memory store.

Cross-references: AG-040 (Persistent Memory Governance) provides the foundational framework within which AG-330 operates. AG-082 (Data Minimisation Enforcement) addresses minimisation at the point of collection; AG-330 extends minimisation through the retention lifecycle. AG-122 (Knowledge Integrity Verification) ensures knowledge accuracy; AG-330 ensures stale knowledge is removed. AG-132 (Memory Scope Boundary Enforcement) defines memory boundaries; AG-330 enforces temporal boundaries. AG-179 (Memory Audit Trail Governance) governs the audit trail that includes expiry events. AG-329 (Memory Write Approval Governance) assigns content categories and TTLs at write time that AG-330 enforces. AG-336 (Knowledge Freshness Attestation Governance) attests to freshness; AG-330 enforces the consequences when freshness cannot be attested.