Your Agent's Memory Should Expire by Default
The memory mistake most agent stacks make
A great many agent systems treat memory as a dumping ground.
Every conversation fragment, tool output, preference guess, and retrieved sentence gets written somewhere permanent, then fed back later as if storage alone created intelligence. It does not. In practice, indiscriminate memory becomes a second prompt injection surface with worse hygiene.
Reliable agents need memory, but they need selective memory. The default should not be “store forever.” The default should be “expire unless proven durable.”
Memory is not one thing
The first correction is architectural.
An agent usually needs at least three different memory classes, and each should behave differently.
Working memory
This is short-lived task state.
It includes the current plan, intermediate tool results, open assumptions, and pending approvals. Working memory should be cheap to overwrite and safe to discard once the run ends.
Episodic memory
This is a record of what happened.
Examples include successful workflows, failures, human corrections, and execution traces tied to a run. Episodic memory is useful for debugging and replay, but it should not automatically become behavioral policy.
Semantic memory
This is durable knowledge the agent may reuse later.
User preferences, stable system facts, and approved procedures belong here. This tier needs the strictest gate, because once bad facts harden into “truth,” the agent starts making the same mistake with confidence.
Why permanent memory degrades agents
The failure modes are predictable.
Staleness beats recall
Stored facts age faster than most teams expect.
A service endpoint changes, a repo moves, a person’s preference shifts, or an earlier workaround stops being valid. If old memories have no expiry or provenance, retrieval will surface obsolete advice with the same authority as fresh evidence.
Retrieval noise grows faster than usefulness
As memory volume increases, top-k retrieval often becomes less discriminating.
The model receives more near-matches, more duplicated fragments, and more context that is adjacent rather than decisive. “Lost in the Middle” showed that long context does not guarantee correct use of the relevant fact, which means memory quality matters more than memory quantity.
Prompt injection can become durable state
This is the dangerous one.
If an agent writes untrusted web content, ticket text, or chat instructions into persistent memory without policy checks, an ephemeral attack becomes a recurring one. OWASP’s guidance is clear on this point: indirect prompt injection is a systems problem, not merely a model problem.
A better pattern: leases, promotion, and provenance
The safer design is surprisingly boring.
That is usually a positive sign.
Give new memories a lease
Most newly written memories should carry a TTL.
For example:
- task-local state: minutes to hours
- workflow observations: days to weeks
- user preferences: longer, but still reviewable
- system facts from external sources: short until revalidated
A lease changes the burden of proof. Information must earn permanence.
Promote only after repeated confirmation
Semantic memory should be promoted, not merely written.
Useful promotion signals include:
- the same fact observed across multiple runs
- confirmation from a trusted system of record
- explicit human correction or approval
- successful reuse without contradiction
This is where MemGPT’s separation between limited context and archival memory remains useful as a design instinct. Keep hot context small. Make archival recall deliberate.
Store provenance with every fact
A memory without provenance is a rumor.
Each durable record should include at least:
- source system or document
- timestamp or validation time
- confidence or trust tier
- scope, such as user-specific or global
- expiry or review date
Once provenance exists, retrieval can rank by freshness and trust instead of pure embedding similarity.
Memory should be evaluated like any other subsystem
Teams often evaluate final answers while ignoring the memory path that produced them.
That is a mistake. Memory needs its own evals.
Test questions worth running include:
- Did retrieval return the freshest valid fact?
- Did expired memory stay out of context?
- Did a user correction override an older assumption?
- Did untrusted content get blocked from semantic promotion?
- Did memory improve task success more than it increased latency and token cost?
Anthropic’s practical agent guidance keeps returning to the same lesson: use simple patterns you can inspect. Memory systems should follow that rule as well.
Bottom line
Your agent does not need a perfect autobiography.
It needs disciplined state management. Keep working memory short, episodic memory inspectable, and semantic memory gated by leases, provenance, and promotion rules. Agents fail less often when they are allowed to forget most of what they see.