The EU AI Act Wants Memory Provenance — What That Means for Agents
Transparency and traceability obligations land on systems that remember. Here's what provenance, retention, and erasure mean for an AI memory layer.
As AI systems accumulate memory about people, the questions regulators ask stop being abstract. Where did this fact come from? Who can see it? Can the person get it deleted? The EU AI Act's transparency and traceability themes push these from nice-to-haves into design requirements — and a memory layer is exactly where they have to be answered.
This isn't legal advice, and obligations vary by risk tier and use case. But the direction is clear enough to design for now.
Provenance: trace every claim to its source
If an agent asserts a fact about a person, you should be able to say where that fact came from — which observation, at what time. That's provenance, and it's the backbone of traceability. A memory layer that stores facts as anonymous blobs can't answer the question; one that attaches a source to every claim can. MemMesh treats provenance as part of the record, not an afterthought.
Retention: keep what you must, no longer
Traceability implies you can produce the history when asked — and data-minimisation implies you don't keep it forever. Those pull in opposite directions, which is why configurable retention windows matter: long enough to audit, bounded enough to defend. MemMesh supports retention windows up to seven years for teams that need them, and shorter by default.
Erasure and export: the person stays in control
- Export — produce everything the system remembers about a subject, on request.
- Erasure — delete it, for real, including derived records, when the person exercises their right.
- Scope — memory is bounded to user / team / org, so access is intentional, not accidental.
If you can't say where a memory came from, who can see it, and how to delete it, you don't have a compliant memory layer — you have a liability.
Design for it now, not later
Retrofitting provenance and erasure onto a memory store that wasn't built for them is painful — the source links and scope boundaries have to be present from the first observation. That's the argument for choosing a memory layer where governance is structural: export, erasure, provenance, and scoping are first-class operations, so compliance is a configuration, not a rebuild.
Give your agent memory that predicts.
Wire MemMesh into Claude Code, Cursor, or your own app in one command.
Get started