The infrastructure assumption
Most agentic architectures treat memory as operational infrastructure. It serves the agent’s task performance. It accumulates context so the agent can reason across turns. It gets retrieved, compressed, and refreshed as the session progresses. Memory, in this framing, is a performance subsystem — something you optimize, not something you govern.
Post 1 argued that this framing creates a consistency problem: the governance plane cannot see the memory state that produces the decisions it is authorizing. The memory witness feed closes the visibility gap.
This post argues that the infrastructure assumption creates a deeper problem. Even with full visibility, the governance plane can be operating against memory that was shaped without its knowledge — before it observed it, after it authorized it, or through channels it has no instrumentation to detect. Treating memory as infrastructure means treating it as something beneath governance. The sovereignty argument is that memory must be elevated: from operational state to governed artifact.
Infrastructure is optimized. Governed artifacts are attested. The difference is not operational — it is architectural. An agentic system that treats memory as infrastructure has no structural mechanism for the governance plane to verify that what it is observing is what was actually produced. A system that treats memory as a governed artifact does.
What adversarial memory looks like
Memory manipulation in agentic systems does not require a dramatic attack. It requires only that something with write access to the agent’s context shapes what the agent retrieves and retains.
The most documented form is indirect prompt injection: content retrieved from external sources — documents, web pages, tool outputs — that contains instructions designed to modify the agent’s behavior. The agent processes the content as part of its task. The malicious instruction enters the context. The agent’s subsequent decisions are shaped by it. The governance plane, observing current tool calls through the memory witness feed, sees authorized-looking behavior produced by a compromised context.
The MAIF framework (arXiv:2511.15097) addresses this directly: without an artifact-centric provenance substrate, agentic systems cannot distinguish between memory state that emerged from authorized sources and memory state that was injected through retrieval. The feed surfaces memory. It cannot, on its own, attest its origin.
But adversarial memory shaping does not require external injection. It also occurs when compression removes constraints that were operative and replaces them with approximations that are not — the write-time compression failure Post 1 named. The result in both cases is the same: the agent is operating on a memory context that does not accurately represent what the governance plane authorized. The governance plane observes the behavior. It cannot verify the context.
A governance plane with full feed visibility sees what the agent is doing. It does not, without attestation, know whether the memory state driving that behavior is the one it authorized. Seeing and verifying are different operations. The feed provides the first. The attestation layer provides the second.
The distinction between observation and authority
The consistency argument establishes that the governance plane needs to see memory. The sovereignty argument establishes that seeing is insufficient if the governance plane cannot verify the integrity of what it sees.
Memory integrity has two requirements. First, the content of memory at any given moment must be attributable: traceable to the sources and actions that produced it. Second, changes to memory must be observable events, not silent background operations. Compression, pruning, retrieval, and injection are all memory-modifying events. A governance plane with authority over memory knows when those events occur, what they changed, and whether the resulting state is consistent with what was authorized.
The research literature frames this as the difference between a passive append-only log and an active governed artifact. AGENTSAFE (arXiv:2512.03180) identifies the governance gap in current agentic architectures as precisely this: systems that accumulate memory without structural mechanisms for verifying its provenance or enforcing governance at modification boundaries. MemArchitect (arXiv:2603.18330) proposes a policy-driven memory governance layer as the architectural response — treating memory management as a first-class governance concern rather than an operational detail.
Hooks as attestation points
This is where hooks become something more than instrumentation. If PreToolUse and PostToolUse are the memory witness feed — the visibility layer — then hooks at compaction boundaries and session lifecycle events are the attestation layer.
An attestation point is a moment at which the state of memory is recorded, verified, and made immutable for governance purposes. It is not a snapshot for debugging. It is a checkpoint in the provenance chain — a link in the record of what the agent knew at each decision moment, where that knowledge came from, and whether it was consistent with what the governance plane authorized.
The PreCompact hook is the natural attestation boundary: the moment before memory is irreversibly modified. A governance plane that receives an attested memory state at each PreCompact event has a verifiable record of what existed before compression. It can compare what was preserved against what was authorized. It can detect gaps — constraints that were operative before compaction that are no longer traceable after it.
The SessionStart and SessionEnd hooks extend the attestation chain across session boundaries. In multi-session or multi-agent architectures, these are the handoff points where memory state crosses harness boundaries. Without attestation at those points, memory sovereignty cannot be maintained across the full agent lifecycle. The provenance chain has structural gaps at every session boundary where attestation is absent.
The PostToolUse hook becomes an attestation point when it records not just what the tool returned, but the provenance of that return: what source produced it, whether that source was within the authorized retrieval envelope, and whether the tool output modified the agent’s context in ways consistent with what the governance plane sanctioned.
Memory sovereignty as a governance requirement
Memory sovereignty is not an engineering preference. It is the logical consequence of taking agentic governance seriously.
If governance authority means anything, it means that the behavioral context the governance plane authorized is the behavioral context the agent is operating on. Not an approximation of it. Not a version that was modified after the authorization was granted. Not a context that was shaped by an injection the governance plane had no instrumentation to detect. The same context — attested, traceable, and consistent with what was approved.
Hooks make this possible. They are the architectural mechanism currently available for surfacing memory state to the governance plane at defined moments, creating attestation checkpoints in the provenance chain, and making memory-modifying events observable rather than silent. The organizations that build the full Memory Governance Surface — visibility through the memory witness feed, and sovereignty through the attestation layer — will be governing something real. The organizations that rely on tool-call interception alone will be governing declared intent while the agent’s actual behavioral context evolves beneath them.
The larger classification
The Memory Governance Surface is one instance of a structural pattern that the Luminity corpus has been mapping across multiple series. At the compliance layer, the Regulatory Surface names where policy mandates make contact with agentic systems. At the behavioral constraint layer, the Alignment Gate names where behavioral persistence fails without deliberate architecture. At the audit layer, the Provenance Gap names where the trace record is structurally absent.
Each of these names a surface where agentic systems require governance instrumentation that does not emerge automatically from model capability or operational tooling. Together they constitute what this series has introduced as the Governance Surfaces framework: the classification of architectural planes where deliberate governance instrumentation is structurally required, not optional, not compensable by controls that operate at a different layer.
The Memory Governance Surface adds a fourth surface. Each surface requires different instrumentation. None can substitute for another. The governance substrate that agentic infrastructure must provide is not any one of these surfaces — it is all of them, addressed deliberately, in architecture rather than in policy.
