Memsom PROVENANCE MEMORY // 2026 Trust your AI's memory. Verify it.

Memsom is a memory that refuses to repeat anything it can't prove. Every fact carries its source, and poison never launders itself into truth.

Status
Operational
Poisoning Tests
96
Lies Passed
00
Egress
Sealed
Scroll

Proof // measured, not asserted

See the full benchmarks
Answer utility
0.823
RAG parity, integrity cost you nothing
Laundering rate
0.00
96 poison attacks, none disguised its origin
Gated attack success
0.00
poison never clears the action gate
Per-write cost
0tok
a bare insert — 8.4ms, no LLM

The problem // OWASP ASI06

AI memory believes whatever it's told.

Memory poisoning

AI assistants have memory now, but memory believes whatever it is told. Slip a false "fact" into it through a webpage, an email, or a sketchy document, and the AI later repeats that lie as gospel.

OWASP ASI06 // 2026

No chain of custody

And once the lie is in, nothing tells you it is a lie. Ordinary memory keeps the fact but forgets where it came from, so a planted claim and a real one look identical. You cannot audit what you cannot trace.

No provenance // by design

Memsom // Provenance Memory

A memory that can't be lied to.

A courtroom for facts. Everything the AI knows arrives with a receipt: who said it, and how much you should trust them. What you tell it directly is a trusted witness. What it read off a random page is an unverified stranger. Trust is assigned by the channel a fact came through, never by how confident the fact sounds.

The rule that holds it together: when facts combine, the conclusion is only as trusted as its least trusted ingredient. One stranger in the mix and the whole conclusion is stamped unverified. A lie can't launder itself into a truth by sitting next to real facts. That is the difference between gossip and journalism. Memsom forces a citation, or it tells you it can't.

Poisoning attacks
96
Lies passed
00
Per memory
$0
Added latency
0ms

Read the full breakdown →

Trust ramp // min(parents)

  • Endorsed Booking confirmed.
  • User Flight is at 9am.
  • External Gate B12, per a web page.
min( trust )
External Be at Gate B12 by 9am.
One external input drags the whole conclusion to external. A lie can’t launder itself into a truth.

The handoff // Quarantine > Promote

Screened at the border, stamped on arrival.

  1. 01 EXTERNAL

    Quarantine

    Secure Fetch reads the web. The info is staged, untrusted, untouched by your memory.

  2. 02 k >= 3

    Corroborate

    The same fact must be confirmed by multiple independent sources that agree. One site is not enough.

  3. 03 TRUSTED

    Promote

    Only then is it written into Memsom as trusted, with its receipt attached.

Think of it as a border. Memsom is the country; nothing external walks in trusted. The most dangerous crossing it guards is the open internet, which is exactly where Secure Fetch comes in.

SECURE FETCH // SEALED EGRESS

A hazmat suit for reading the internet.

To stay useful, memsom sometimes has to read the open web for you. The moment it fetches a URL, a malicious page can turn that fetch back against your own network: your router, your files, your internal systems. Security people call it SSRF (CWE-918). Secure Fetch reads the dangerous page the way a lab handles a live virus, inside a sealed glovebox: hands go in, the threat never gets out.

  • 01 // CAGE The fetcher that touches the internet is caged. SSRF-hardened, it owns all egress and physically cannot reach your private network.
  • 02 // SEAL The content is read in a sealed sidecar with no internet at all, not even DNS. A booby-trapped page has nothing to phone home to.
  • 03 // UNTRUSTED Output is treated as untrusted by default. Guilty until proven innocent, never auto-promoted into trusted memory.

Request Secure Fetch access Read the full breakdown →

Egress // sealed
SEALED SIDECAR
PAYLOAD fetched page
exfil → phone home
DENIED
YOUR NETWORK
192.168.1.1 your router

Egress is owned by the cage. The page never reaches your network.