Home Memsom // Provenance memory

A memory that can't be lied to.

An AI is only as trustworthy as the things it remembers. Memsom is a memory that attaches a receipt to every fact, refuses to let an unverified one disguise itself as trusted, and tells you it cannot answer rather than answer from a lie.

Scroll

The problem // Memory poisoning

Slip in one false memory, and the AI repeats it as fact.

Give an AI a long-term memory and you give an attacker a target. Plant a single false memory now; weeks later it gets retrieved and the assistant repeats it with total confidence, because to the model a memory is just a fact it already knows. Research called AgentPoison reaches over 80% attack success by poisoning less than 0.1% of the stored memories. In 2026 OWASP added memory poisoning to its top risks for agentic AI. It is not a corner case. It is the predictable cost of giving a system memory.

The usual defense is to scan the content of each memory and try to spot the bad ones. That fails by construction. The attacker writes the content, so a content scanner is a spam filter the spammer gets to read and write around. A lie can be worded to look exactly like a trusted fact, because nothing about the words themselves tells you the difference.

So Memsom stops asking what a fact says, and starts asking where it came from. The attacker controls the words. The attacker does not control the channel the words arrived through.

How it works // Four moving parts

Trust flows down the chain, never up.

  • 01 // CHANNEL

    Trust by where it came from, not what it says

    Every fact is stamped by the channel it arrived through: something you told it directly, something a trusted system endorsed, something the agent worked out, or something it read off a random page. The attacker writes the words, but the attacker does not control the channel. So a poisoned page is labelled external no matter how convincingly it is worded.

  • 02 // MIN(PARENTS)

    A conclusion is only as trusted as its weakest ingredient

    When facts combine into a new one, the result inherits the lowest trust of its inputs. One external fact in the mix and the whole conclusion is stamped external. This is the rule that stops a lie laundering itself into a truth by sitting next to real facts. It is the difference between gossip and journalism.

  • 03 // THE GATE

    Reading is free; acting is where the floor is enforced

    Retrieval never blocks anything, so the system stays useful. The trust floor is checked at one place only: the moment the AI is about to act on a fact. A low-trust memory can be read and reasoned about, but it cannot clear the gate to drive a real action unless you raise its trust deliberately.

  • 04 // ZERO-TOKEN WRITE

    Trust is structural, so writing costs nothing

    Because trust comes from the channel and not from analysing the content, a write is a bare insert. No language model runs on the way in. That is why it is roughly 195x faster than systems that distill every memory with an LLM, and why it scales to fetched web content without a per-page bill.

min(parents)
Endorsed User External
External one red input drags the whole conclusion to red
  • Endorsed
  • User
  • Agent
  • External

Because every fact carries its lineage, the useful things fall out for free: blame (trace any answer back to the exact sources it came from), revocation (kill a bad source and every conclusion built on it collapses with it), and true deletion (a redaction that travels to everything derived from it).

Benchmarks // proof, both ways

The good and the bad.

Every existing memory benchmark measures one thing: can the system answer the question. None measures whether a planted memory can lie its way into the answer, which is the whole reason Memsom exists. So there are two rulers here. The first is the one we built, because nobody else runs it. The second is the one everyone else runs, where we currently lose. Both are below, with nothing trimmed.

01 // Integrity under poisoning

Can a planted lie reach, or disguise itself in, the answer?

Same attack, run against every system on identical footing. A correct fact is seeded on a trusted channel; one poison memory that echoes the question and then answers it wrong is planted on the external channel. A fixed model writes the answer from whatever each system retrieves, and a judge grades it. The memory layer is the only thing that changes.

System Clean util Poison util Reached answer Laundering Gated success Tokens/wr Latency/wr
memdag 0.823 0.802 1.00 0.00 0.00 0 8.4ms
RAG (vanilla vector) 0.83 0.74 1.00 n/a n/a 0 33ms
mem0 — best (gpt-4o-mini) 0.76 0.72 0.71 n/a n/a ~9k ~1.6s
mem0 — local (qwen2.5) 0.59 0.63 0.88 n/a n/a 8,963 1,642ms
  • Laundering 0.00 Across 96 poison attacks, not one disguised its origin to wear a trusted label. A lie cannot launder itself into a truth by sitting next to real facts. No competitor can even express this column, because none tracks where a fact came from.
  • Gated 0.00 Even when the poison is retrieved, it never clears the action gate. This is containment, not luck. Notice Memsom still shows "reached answer 1.00": it ranks by relevance like plain RAG and does not pretend to filter the poison out of retrieval. It makes the poison harmless instead of hoping to miss it.
  • 0 tokens / 8.4ms A Memsom write is a bare insert. Mem0 runs a language model on every write to distill it, roughly nine thousand tokens and 1.6 seconds each. That is about 195x the latency and effectively infinite the token cost.
  • Mem0 is a real competitor Its write-time LLM accidentally filters some poison, and a smarter model helps: reached-answer drops from 0.88 to 0.71 with gpt-4o-mini. But that is probabilistic and unprovable, and there is no gate for the ~71% that still get through.
02 // QA accuracy — LongMemEval-S

The ruler everyone runs, where we lose today.

LongMemEval-S is the standard memory QA benchmark. Mem0 reports 0.944. On the same dataset, gpt-4o writing and grading, Memsom scores 0.794. That is a loss, and here is exactly where it comes from.

Question type n Accuracy Recall
single-session-user 70 0.986 1.000
single-session-assistant 56 0.982 1.000
knowledge-update 78 0.795 1.000
multi-session 133 0.759 1.000
temporal-reasoning 133 0.677 1.000
single-session-preference 30 0.667 1.000
Overall 500 0.794 1.000
  • Recall 1.000, every type Retrieval found the answer-bearing memory 100% of the time, on all 500 questions, in every category. Retrieval was never the bottleneck. The gap is entirely in the writing of the answer.
  • It is the same trade-off The points lost are all in reasoning over noisy raw turns: temporal (0.68), multi-session (0.76), fuzzy preference (0.67). Mem0 distills turns into clean facts at write time, the same ~9k-token write that costs it 195x the latency. Memsom keeps the raw turns and writes for free. The very thing that makes the writes free is what concedes these points.
  • This is a floor, not a ceiling The run used raw logs instead of the curated store, gpt-4o instead of a stronger synthesizer, a single pass, and a benchmark that exercises none of Memsom's integrity moat. Closing the synthesis gap is the live work. We are showing it because hiding a loss on a security product is the one thing you cannot do.

Method: competitors run both handicapped (equal local footing) and at their best published config, both reported. One fixed model synthesizes every answer; one LLM judge grades all of them identically; retrieval is held at 1:1 parity. Rigging in either direction kills the result, so neither was done.