Papers
Topics
Authors
Recent
Search
2000 character limit reached

Governed Shared Memory for Multi-Agent LLM Systems

Published 23 Jun 2026 in cs.AI | (2606.24535v1)

Abstract: Multi-agent LLM environments require robust mechanisms for shared knowledge management. This paper formalizes the fleet-memory problem and identifies four foundational failure modes: unauthorized leakage, stale propagation, contradiction persistence, and provenance collapse. To address these, we define explicit systems-level primitives: scoped retrieval, temporal supersession, provenance tracking, and policy-governed memory propagation. These primitives are implemented in MemClaw, a production multi-tenant memory service, and evaluated via ArgusFleet, a reproducible harness testing four governance dimensions. Rather than a baseline comparison, this study measures a live production service, emphasizing real-world architectural insights and negative results. Key Evaluation Results Provenance: Successfully reconstructed 100% of depth-four derivation chains with correct writer identity at sub-second per-hop latency. Propagation: Demonstrated high intra-fleet visibility with zero cross-fleet leakage. Under strong write mode, write-to-visible latency was optimized to a single search round-trip. Production Architectural Issues Discovered Asymmetric Scope Enforcement: Tenant isolation held, but sub-tenant scope was initially bypassed on direct GET-by-id requests for agent-scoped credentials (disclosed and remediated during the study). Pipeline Ordering Conflict: While contradiction supersession works for admitted writes, a synchronous near-duplicate gate can prematurely reject contradictory writes before the asynchronous contradiction detector can evaluate them. Conclusion: Long-context retrieval alone is insufficient for production multi-agent memory. Governed shared memory demands explicit systems-level abstractions, and live evaluation is vital to expose enforcement and pipeline-ordering failures missed by design-only treatments.

Summary

  • The paper formalizes the multi-agent fleet-memory problem by introducing a model (F = (A, M, G, P, T)) that enforces scope, temporal ordering, provenance, and policy compliance.
  • It presents architectural primitives such as scoped retrieval, temporal resolution, and contradiction handling, implemented in MemClaw and demonstrated via ArgusFleet with quantifiable enforcement metrics.
  • Empirical results highlight critical issues like scope leakage and deduplication flaws, underscoring the need for explicit systems-level treatment for reliable, production-grade AI memory systems.

Governed Shared Memory in Multi-Agent LLM Systems: Formalization, Architectural Primitives, and Empirical Study

Problem Formalization and Failure Modes

The paper formalizes the fleet-memory problem for multi-agent LLM environments, reframing AI agent memory from a context-window retrieval paradigm into an operational shared state governed by distributed-systems principles. The authors identify that correctness and governance requirements—scope, temporal ordering, provenance, synchronization, and policy enforcement—are intrinsic to production deployments involving multiple cooperating agents. The formal model F=(A,M,G,P,T)F = (A, M, G, P, T) encapsulates these requirements: agents, memory substrate, governance, provenance, and temporal supersession.

Four central failure modes are articulated:

  • Unauthorized leakage: Retrieval outside authorized scope, fundamentally violating privacy and access control guarantees.
  • Stale propagation: Failure to synchronize state updates, producing workflow inconsistencies.
  • Contradiction persistence: Coexistence of unresolved conflicting facts, undermining operational correctness.
  • Provenance collapse: Loss of traceability in data lineage, impeding auditability and governance.

Unlike prior single-agent memory architectures, the fleet-memory formulation demands explicit systems-level semantics for state transitions, conflict resolution, and policy-compliant propagation.

Architectural Primitives: Scoped Access, Temporal Resolution, Provenance, and Propagation

The governed shared memory architecture centers on five core principles: scoped retrieval, explicit provenance, temporal correctness, policy-controlled propagation, and persistent shared state. Four distinct memory scopes are defined: agent-local, team-shared, tenant-global, and restricted, each with precise access semantics. Writes are modeled as state transitions with scope, provenance, and supersession metadata.

Contradiction handling is elevated to a first-class primitive, departing from append-only or weakly-governed memory models. Retrieval involves candidate generation, policy filtering, temporal resolution, provenance enrichment, and ranked delivery—a pipeline aligning with distributed database and secure information-flow paradigms rather than legacy retrieval indices.

Reference Implementation: MemClaw and ArgusFleet

MemClaw, the reference implementation, is a production multi-tenant governed-memory service. Each memory object encapsulates scope, provenance, status, and RDF triple structure, enforcing visibility constraints via REST API operations for write, search, retrieval, and redistribution. Authentication differentiates between tenant-scoped and agent-scoped credentials, with scope enforcement residing in request handlers.

ArgusFleet provides an open-source, deterministic evaluation harness that generates reproducible probe workloads for measurement along four governance axes (leakage, contradiction, provenance, propagation). The harness ensures event-trace determinism and supports direct probing of enforcement, latency, and correctness semantics in live deployments.

Experimental Results and Architectural Findings

The empirical evaluation, conducted against a live MemClaw deployment, addresses each failure mode quantitatively:

  • Scope enforcement (Leakage): GET-by-id initially exhibited unrestricted tenant-level exposure—164/164 (1.000) unauthorized cross-scope reads (95% CI [0.977, 1.000]); search-based discovery yielded a SEARCH_LEAK_RATE of 0.439 (fleet-scoped filtering only partial). This asymmetry was traced to access handler logic, then disclosed and remediated in production: after the fix, agent-scoped GET-by-id properly enforced intra-fleet isolation, denying trust-1 cross-fleet reads.
  • Provenance: Complete reconstruction of all 50 depth-four derivation chains was achieved; chain completeness and writer-identity accuracy both measured 1.000 (95% CI [0.929, 1.000]), with per-hop fetch latency p50 at 291 ms. Provenance preservation is robust under rate-limited write throughput.
  • Propagation: Fleet-sibling visibility was 0.975 (117/120; 95% CI [0.929, 0.991]) intra-fleet, with 0 cross-fleet leaks (LEAK_RATE = 0/80; 95% CI [0.000, 0.046]). Tight polling showed write-to-visible windows under strong mode yielded immediate consistency (p50 = 0.83 s), with latency congruent to search round-trips, and the consistency cost incurred at write time, not as deferred read visibility.
  • Contradiction resolution: When both conflicting writes reached the contradiction detector, supersession correctness was 1.000 (90/90; 95% CI [0.959, 1.000]); however, synchronous semantic deduplication rejected many near-duplicate writes before contradiction detection, resulting in an overall detection rate of 0.490. This revealed a pipeline-ordering flaw—contradiction phrased as "X is A" then "X is B" frequently triggers preemptive dedup, starving the contradiction primitive.

The architectural implications are clear: design choices in handler enforcement, deduplication pipeline ordering, and privilege models for propagation directly impact correctness, auditability, and operational boundaries.

Discussion, Limitations, and Future Directions

The results substantiate the claim that long-context retrieval alone is insufficient for production multi-agent memory. Systems abstraction and live evaluation are necessary to surface enforcement, pipeline-ordering, and privilege-model failures that are invisible in design-only analyses. The scope enforcement gap and dedup/contradiction interaction arose as defects detectable only in end-to-end measurement and subsequently fixable in code.

Limitations include self-evaluation bias (both MemClaw and ArgusFleet are from the same team, though committed traces mitigate subjectivity), lack of cross-tenant adversarial probes, restricted probe scale (up to 200 per experiment), and absence of direct baseline comparison to alternative memory architectures or pure retrieval systems. The time-to-visibility metric required careful decoupled measurement to avoid confounding by client probe scheduling.

Future developments in AI memory infrastructure will likely center on further sharpening enforcement semantics, extending provenance granularity, improving contradiction handling schemes, and opening up evaluation harnesses for broad replication and adversarial testing. Memory systems for agent orchestration, workflow automation, and secure environments will necessitate fine-grained policy surfaces, synchronous enrichment pipelines, and composable privilege models.

Conclusion

This paper delivers a formal framework, architectural primitives, and empirical evaluation methodology for governed shared memory in fleet-scale LLM environments. MemClaw and ArgusFleet instantiate the theoretical constructs and enable live measurement of governance correctness, provenance chain fidelity, contradiction supersession, and scoped propagation. The architectural observations—scope enforcement asymmetry, dedup-starved contradiction resolution, privilege gating of cross-agent propagation, synchronous consistency costs—underscore the need for explicit systems-level treatment of AI memory in modern distributed agent deployments. Theoretical and practical implications point to memory governance as a foundational layer for scalable, auditable, and correct multi-agent AI workflows (2606.24535).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 8 likes about this paper.