No Memory of Its Own: Governing a Visiting Agent on Sovereign Data
The enterprise data room was built for human visitors with lossy memory. AI agents invert every assumption: they remember perfectly, carry data out, and operate on infrastructure the owner does not control. This note characterizes the problem of cross-organizational agentic data sharing and argues that the solution lies in treating memory as a service of the agentic operating system, not a possession of the agent. The resulting construct is an agentic data enclave.
Kendall Clark · Pentad Labs · 30 June 2026 · PLRN-016
Abstract
The enterprise already knows how to let an outsider work on sensitive data. It stands up a data room, decides who may see what, logs every access, and lets counsel hold the door. The arrangement assumed the outsider was a person because the outsider was a person or a team of them. A person reads under an agreement, forgets most of it, and is bound by contract when they leave.
Things, as they say, have changed recently. Now the outsider is likely an agent, or a team of them, and an agent breaks all three assumptions at once: it reads, it remembers exactly, and it carries that memory out the moment it leaves, into a model and an operator the data owner does not control. A room built for human eyes does not contain it.
This note is not the construction of a new mechanism. It is a characterization of a problem and a claim about where the solution must live. The problem is cross-organization data sharing in the agentic era: one organization must let another’s agent work over its most sensitive data, and must govern what the agent touches, prove what it saw, and control what it keeps. We survey the two research literatures that each solve half of this, show that no work sits at their intersection, and argue that the intersection is reachable only from a single architectural commitment. The commitment is that memory is a service of the agentic operating system, not a possession of the agent. When the memory of the visit belongs to the host rather than to the visitor, the data room can be rebuilt for agents. The rebuilt room is an agentic data enclave.
1. What crosses the threshold now
Letting one organization’s agent work safely on another’s data is where much of the agentic era’s enterprise value will be made; the diligence, supply-chain, and partner workflows that once took a quarter of legal review collapse to an afternoon. Doing nothing new does not avoid this, because the agents arrive regardless, through a vendor’s product or a business unit that never asked, so refusal buys the exposure of ungoverned access and none of the speed. And the value you decline is not left on the table; it is captured by the competitor who learned to host visiting agents safely, in the partnerships and compounding data relationships you forfeit by saying no.
The virtual data room turned secure outside access into routine software years ago, and the idea faded into the semi-boredom of routine. It faded because the thing crossing the threshold was stable, well-known, and limited. A diligence reviewer, an auditor, a counterparty’s counsel: each was a person, admitted under a data-use agreement, shown documents through a controlled surface, and trusted afterward to honor the terms. The room governed exposure, what was placed in front of the person, and left retention to law. A person’s memory is lossy, unauditable, and legally bound, so leaving retention to contract was the only available choice and a tolerable one.
An agent inverts every term of that arrangement. Its memory is not lossy; it retains what it reads with increasing fidelity, though of course not perfectly. Its memory is not unauditable in principle, but it is unaudited in practice: it is held inside the agent’s own process, where the data owner has neither access to it nor purchase on it. And its memory is not bound by the agreement the counterparty signed, because the moment the agent leaves, what it read flows through a foundation model and into an operator’s infrastructure, neither of which was ever party to the room.
In short, the problem is that the exposure the data room governed and the retention it left to law have collapsed into one event, and that event now happens on the wrong side of the boundary.
The exposure is also new in kind because it’s irreversible. A person admitted under an agreement and later found to have abused it can be sued; the remedy is after the fact, but it exists. Data that has left inside an agent’s memory cannot be recalled, and no audit after the fact undoes the transfer. Every ungoverned agentic visit is a disclosure the owner never approved and cannot take back. This is why the problem will not wait. The agents are already arriving: a partner points one at your records, a vendor ships one inside its product, a business unit wires one up without asking, and the two available answers are both bad. Forbid them and forfeit the partnerships the rest of the business is demanding. Admit them ungoverned and own the breach, the regulator’s question, and the disclosure that cannot be unwound.
A room is in any case the wrong shape, because a room is a place in which one is shown things, and an agent does not want to be shown things; it wants a place to work. Research computing already has the right word for a bounded environment where an outsider works on sensitive data and the owner reviews what may leave: an enclave. The data room, rebuilt for an agent that works rather than merely reads, is an agentic data enclave.
A data room offers exactly one service: mediated access, the controlled showing of things. An enclave offers many, because an agent that works rather than reads needs services to work with, memory and identity and tools, including dynamic data integration, and a place to act, and the host needs services to stay sovereign, governance and proof and recovery and control of what leaves. Several of these are one service seen from two sides: the provenance that lets the host audit the visit is the provenance that lets the agent show its work, and the capability that bounds the agent is the capability that authorizes it.
A data room is a viewing surface; an enclave is an operating system, and the distance between them is the count of services it must run and the fact that visitor and host both depend on them.
The rest of this note asks what such a thing must do, what the research field already provides, and what is missing that only one kind of system can supply.
2. Two literatures, and the gap between them
The research relevant to this problem divides cleanly along two axes, and the division is the finding of this research note. One literature governs an agent. The other governs data-sharing across organizations. Each is mature in its own terms. Almost no work sits on both axes at once, and the empty intersection is exactly the agentic data enclave.
The first axis governs the visiting agent: it asks how to keep an autonomous agent with memory and tool-calls from doing harm, and the field has converged on five families. There is cryptographic memory provenance, which signs and hash-chains every write to an agent’s memory and tracks each fact’s lineage, so a poisoned or smuggled recollection is detectable rather than trusted (MemLineage, Ouyang and Hou, 2026). There is the declarative policy engine with attestation, which states in a rule language which tools may be called, with which arguments, under which identity, and proves the running agent obeyed the policy before each call (Trusted AI Agents in the Cloud, Bodea et al., 2025; Defeating Prompt Injections by Design, Debenedetti et al., 2025). There is information-flow control and taint tracking, which labels data with its confidentiality at the point it enters and follows the label through the agent’s reasoning to block a tool call that would carry it to a disallowed sink (Securing AI Agents with Information-Flow Control, Costa et al., 2025; An AI Agent Execution Environment to Safeguard User Data, Stanley et al., 2026). There is the transactional runtime, which wraps a multi-step workflow as a single unit recorded in shadow state and rolls back every side effect when a validator finds a violation, so a bad action is undone rather than merely logged (Enforcing Benign Trajectories, Dang, 2026; Cordon: Semantic Transactions for Tool-Using LLM Agents, Chen et al., 2026). And there is enclave-based confidential computing, which runs the whole agent inside a hardware-isolated VM with remote attestation and emits a tamper-evident, replayable trace of what it did (Two-Way Confidential VMs, Thijsman et al., 2026; VET Your Agent, Grigor et al., 2025).
Every one of these governs a single agent’s safety. None was written for the case where the agent belongs to a counterparty and the data belongs to you.
The second axis shares data across organizations without moving it: it asks how mutually distrustful parties can let computation touch each other’s records while each owner keeps sovereignty, and its families are older and hardware-rooted. There is the dual-layer confidential VM, where a hardware enclave wraps a sandbox that wraps the workload and a sealed commitment manifest names the only data channels it may use, so the owner can admit foreign code without reading it (Two-Way Confidential VMs, Thijsman et al., 2026). There is consortium governance over trusted hardware, where a programmable constitution decides who may join and what the shared service is permitted to compute (Confidential Consortium Framework, Howard et al., 2023). There is the data-escrow platform, where a gatekeeper runs a counterparty’s function over encrypted data inside an isolated container and logs every access, so the raw data never leaves the owner’s custody (Data Station, Xia et al., 2023). There is TEE-backed federated analytics, where each party computes locally inside trusted hardware and only differentially-private aggregates ever leave (PACC-Health, Zhang et al., 2025). And there is the formally verified data-use monitor, which carries a sensitivity label through a query plan and proves a disallowed operation never runs (Picachv, Chen et al., 2025).
Every one of these isolates an opaque box of computation. The box predates the agent. None of them governs what an agent’s memory carries out, because none was written for a world in which the computation inside the box is stateful, that is, remembers.
This is the gap. The first axis knows the computation is an agent with memory but assumes the agent and the data share an owner. The second axis knows the data and the computation have different owners but assumes the computation is a stateless box. The lone family that spans both axes, the confidential VM, isolates the box from each side at once and still never reaches the memory within it.
The agentic data enclave is the case both literatures exclude: a visiting agent, with persistent memory, working on data it does not own.
Its defining requirement, to govern what the memory of the visit retains, is named by neither literature, because the first axis has no second organization to protect the memory from, and the second axis has no memory to govern.
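To make the note’s architectural commitment concrete, here is an added Python sketch (not code from the note or from any paper surveyed above) in which the host, not the visitor, runs the memory service: the scoped grant check from the capability line and the hash-chained provenance of the MemLineage line both live on the owner’s side of the boundary, and because every verdict is deterministic the visit can be re-run rather than merely believed. Grant ids, record ids and contents are constructed.

```python
import hashlib
import json
# Added illustration, not code from the note or any cited paper. The host runs the memory
# service; the visiting agent reads and remembers only through it. Names and data are constructed.
GENESIS = "0" * 64

def verdict(grants, grant_id, record_id):
    """Scoped grant: the host decides what the agent may touch, deterministically so it replays."""
    return "allow" if record_id in grants.get(grant_id, {}).get("scope", ()) else "deny"

def entry_hash(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class HostMemoryService:
    def __init__(self, grants, records):
        self.grants = grants    # {grant_id: {"scope": set of record ids, "grantor": who}}
        self.records = records  # sovereign data, held only by the host
        self.log = []           # the memory of the visit: hash-chained and host-owned

    def _append(self, event):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
        return self.log[-1]["hash"]

    def read(self, grant_id, record_id):
        # The scope check runs at the host; the grantor is recorded, not merely trusted.
        v = verdict(self.grants, grant_id, record_id)
        self._append({"op": "read", "grant": grant_id, "record": record_id, "verdict": v,
                      "grantor": self.grants.get(grant_id, {}).get("grantor")})
        if v != "allow":
            raise PermissionError(f"{record_id} is outside the scope of {grant_id}")
        return self.records[record_id]

    def remember(self, grant_id, record_id, note):
        # A recollection is a host-held write whose lineage names the record it came from.
        return self._append({"op": "remember", "grant": grant_id, "record": record_id, "note": note})

def verify_chain(log):
    """Provenance check: index of the first altered or smuggled entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["event"]):
            return i
        prev = e["hash"]
    return -1

def replay(grants, log):
    """Replay: re-run every read against the grants; True if each recorded verdict recurs."""
    return all(verdict(grants, e["event"]["grant"], e["event"]["record"]) == e["event"]["verdict"]
               for e in log if e["event"]["op"] == "read")
```

Because the log is the host’s, an altered recollection is caught by `verify_chain`, and a regulator can hand the same grants and log to `replay` instead of reading a summary.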
3. The five requirements
Strip the problem to its obligations only and five fall out. They are not a feature list; they are the conditions under which a data owner can rationally say yes to a visiting agent. The first four are each satisfied somewhere in the literature of section 2; the last is satisfied nowhere.
One: govern what the agent may touch. Access is not all-or-nothing. The agent is admitted to exactly the data the work requires and no more, and the grant is scoped, bounded, and revocable. This is the policy-manifest and capability line of the second axis.
Two: prove what the agent saw. Every access traces through a bounded authority to the person who granted it, and the record holds who asked, what ran, and what it touched, in a form a regulator can be shown rather than asked to trust. This is audit-grade provenance.
Three: replay the record. A log one is asked to believe is weaker than a record one can re-run. Every governed decision is deterministic, so the visit replays and the boundary reaches the same verdicts each time. The regulator re-runs the visit rather than reading a summary of it.
Four: unwind a mistake. An error inside the enclave, an actio