Memory poisoning
AI assistants have memory now, but memory believes whatever it is told. Slip a false "fact" into it through a webpage, an email, or a sketchy document, and the AI later repeats that lie as gospel.
OWASP ASI06 // 2026
Memsom is a memory that refuses to repeat anything it can't prove. Every fact carries its source, and poison never launders itself into truth.
Proof // measured, not asserted
See the full benchmarksThe problem // OWASP ASI06
AI assistants have memory now, but memory believes whatever it is told. Slip a false "fact" into it through a webpage, an email, or a sketchy document, and the AI later repeats that lie as gospel.
OWASP ASI06 // 2026
And once the lie is in, nothing tells you it is a lie. Ordinary memory keeps the fact but forgets where it came from, so a planted claim and a real one look identical. You cannot audit what you cannot trace.
No provenance // by design
Memsom // Provenance Memory
A courtroom for facts. Everything the AI knows arrives with a receipt: who said it, and how much you should trust them. What you tell it directly is a trusted witness. What it read off a random page is an unverified stranger. Trust is assigned by the channel a fact came through, never by how confident the fact sounds.
The rule that holds it together: when facts combine, the conclusion is only as trusted as its least trusted ingredient. One stranger in the mix and the whole conclusion is stamped unverified. A lie can't launder itself into a truth by sitting next to real facts. That is the difference between gossip and journalism. Memsom forces a citation, or it tells you it can't.
Trust ramp // min(parents)
The handoff // Quarantine > Promote
Secure Fetch reads the web. The info is staged, untrusted, untouched by your memory.
The same fact must be confirmed by multiple independent sources that agree. One site is not enough.
Only then is it written into Memsom as trusted, with its receipt attached.
Think of it as a border. Memsom is the country; nothing external walks in trusted. The most dangerous crossing it guards is the open internet, which is exactly where Secure Fetch comes in.
SECURE FETCH // SEALED EGRESS
To stay useful, memsom sometimes has to read the open web for you. The moment it fetches a URL, a malicious page can turn that fetch back against your own network: your router, your files, your internal systems. Security people call it SSRF (CWE-918). Secure Fetch reads the dangerous page the way a lab handles a live virus, inside a sealed glovebox: hands go in, the threat never gets out.
Egress is owned by the cage. The page never reaches your network.