Mnemonic Protocol
Mnemonic protocol https://mnemonik.xyz/
AI Agents Have Memory. None of It Is Proof.

In September 2024, a security researcher showed that one malicious document — opened by ChatGPT through Google Drive — could silently rewrite the model's persistent memory. The injected instructions survived every future session. The agent kept forwarding user data to an external server. The user saw nothing.

That was a consumer product with a vendor who could push a fix. The agents being deployed today have neither.

The problem isn't that agents use memory. It's that none of it comes with proof.

No existing standard requires a memory record to be signed, timestamped, or attributable to the agent that wrote it. Nothing detects a silent edit after the fact. Nothing verifies that a retrieved memory is actually what the agent originally recorded — not what someone substituted later.

Researchers have since formalized this into repeatable attacks. Poison fewer than 0.1% of an agent's memory records, and you can redirect its behavior with over 80% success — with no change to the model, and no visible performance drop. Later work achieved the same result without any access to the memory store at all, purely from the outside via normal queries.

These aren't edge cases. Production agent frameworks have been compromised through their memory layers. No CVE was filed — the field doesn't yet have a classification for "memory-layer attack" separate from prompt injection.

Meanwhile, the stakes are rising fast.

Agents now hold wallets. They execute trades, sign transactions, coordinate with other agents. One 14-week deployment produced nearly 200,000 autonomous on-chain transactions. If that memory can be silently rewritten, everything downstream is compromised — and no one can prove when or how it happened.

Regulators have started moving. The EU AI Act mandates tamper-evident logs for high-risk AI systems by August 2026. Financial regulators are beginning to require full audit trails for agents that transact. The requirement is coming. The infrastructure to meet it does not yet exist.

This is why Mnemonik exists.

Every memory an agent writes through the Mnemonic Protocol is cryptographically signed by that agent's identity, content-hashed, and anchored permanently on a public chain. The record cannot be silently edited. The author cannot be forged. The timestamp cannot be backdated. Any third party can verify — independently, without trusting the agent or the storage provider.

An unsigned memory record is not a memory. It is a mutable file with no provenance.

Mnemonic makes agent memory into evidence.

https://mnemonik.xyz
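
The tamper checks this post describes (edited content, forged author, backdated timestamp, substituted records), as an added Python example that is not Mnemonic's code or record format. Assumptions: the field names, function names and sample data are hypothetical; HMAC-SHA256 with a per-agent key stands in for the agent's public-key signature, so a verifier here must hold the key, unlike the third-party verification the post claims; the public-chain anchor is modelled as a chain head value kept outside the memory store.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 stands in for a public-key signature so the example
# runs on the standard library alone. Keys and records below are constructed.
GENESIS = "0" * 64
KEYS = {"agent-a": b"constructed-key-a", "agent-b": b"constructed-key-b"}

def _canon(body):
    # Canonical JSON so the same record always serialises to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append(log, agent, content, ts):
    """Append a record bound to its author, time, content hash and predecessor."""
    body = {"agent": agent, "ts": ts, "content": content,
            "content_hash": hashlib.sha256(content.encode()).hexdigest(),
            "prev": log[-1]["tag"] if log else GENESIS}
    tag = hmac.new(KEYS[agent], _canon(body), hashlib.sha256).hexdigest()
    log.append({**body, "tag": tag})
    return tag  # new chain head; this is the value to anchor outside the store

def verify(log, keys, anchored_head):
    """Return (True, None), or (False, index of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        key = keys.get(rec["agent"])
        if key is None or rec["prev"] != prev:
            return False, i  # unknown author, or record reordered/substituted
        if hashlib.sha256(rec["content"].encode()).hexdigest() != rec["content_hash"]:
            return False, i  # content edited after it was written
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i  # author, timestamp or hash field altered
        prev = rec["tag"]
    # Dropping trailing records leaves every remaining tag valid; only the
    # externally anchored head exposes the truncation.
    if prev != anchored_head:
        return False, len(log)
    return True, None

def build_sample():
    """Constructed sample: two agents, three memory writes."""
    log = []
    append(log, "agent-a", "user prefers weekly reports", 1700000000)
    append(log, "agent-b", "payout address confirmed by user", 1700000060)
    head = append(log, "agent-a", "report sent", 1700000120)
    return log, head
```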

AI agents now act autonomously — transacting, coordinating, making decisions across sessions.

Their memory drives every decision. But nothing signs it. Nothing timestamps it. Nothing proves it wasn't quietly rewritten.

We built Mnemonic because unverifiable memory is a liability — for enterprises, for regulators, and for every agent that has to trust another agent's state.

Every memory should be evidence. Signed. Anchored. Permanent.

https://mnemonik.xyz