The State of Agent Memory
An AI agent's memory today is a claim you have to take on faith. You can sometimes move it, sometimes see who inside the vendor's system touched it, and almost always delete it through the vendor's API. What you can never do is hand a memory to another agent, a counterparty, or an auditor and have them confirm, without trusting the store it came from, that it is authentic, unaltered, and authored by who it claims. We read six systems to check that. It held.
By the numbers
The six systems: Letta (formerly MemGPT), Mem0, Zep, LangMem, model-native memory (ChatGPT, Claude, Gemini), and Cognee. Each was read against its own documentation, source code, and API references, then adversarially fact-checked. June 2026.
Nobody signs memory, so it cannot be verified
There is no cryptographic signature, content-binding hash chain, Merkle structure, or append-only tamper-evident log on any memory record in any of the six. Where integrity controls exist, they protect against lost updates inside the vendor's own database, not against forgery. Letta's version column is optimistic locking. Mem0's hash is a deduplication content-hash, explicitly not a signature; Mem0's own security blog lists per-entry cryptographic hashes as aspirational best practice, confirming it is not shipped. Zep's verified: true is a user-set metadata tag, not an attestation. Model-native memory is encrypted at rest, which is confidentiality, not integrity.
In every case a compromised or simply dishonest store could rewrite a memory and no recipient could detect it.
Memory is exportable, but not portable-with-provenance
Several systems can get bytes out; none gets trustworthy, complete memory out. Letta's Agent File (.af) is the strongest case and still falls short: its own roadmap lists archival-memory passages and cross-framework converters as unchecked items, so the searchable long-term store, the part that matters for commerce, does not travel. Mem0's export is a schema-reshaping summary with no documented import. Zep Cloud has no bulk-export endpoint at all. Claude and Gemini "portability" is manual plaintext copy-paste, flagged experimental. In every one of these paths the provenance does not ride along, so what you receive is text without verifiable origin.
Provenance and consent are real, but vendor-controlled
Where provenance exists, it lives in the operator's database and answers "which pipeline or source," not "which agent authored this fact," and it cannot be checked by anyone who does not already trust the store. Consent, by contrast, is the market's one strength: ChatGPT, Claude, and Gemini all let you view, edit, delete, and disable memory with regulatory-grade deletion, and Mem0, Zep, and Cognee ship GDPR-Article-17-style cascade deletion. But every one of these controls is exercised through the vendor's own API against the vendor's own store. Consent is honored only as long as you trust the operator. There is no user-held, cryptographically enforced control anywhere.
The capability matrix
Six systems against six dimensions. The verifiability column is a wall of one word.
| System | Storage | Portability | Provenance | Consent | Verifiable | Standards |
|---|---|---|---|---|---|---|
| Letta (MemGPT) | yes | partial | partial | partial | no | partial |
| Mem0 | yes | partial | partial | yes | no | partial |
| Zep (Graphiti) | yes | partial | partial | yes | no | partial |
| LangMem | yes | no | partial | partial | no | no |
| Model-native | yes | partial | no | yes | no | no |
| Cognee | yes | partial | partial | yes | no | partial |
Ratings: yes, partial, or no. Full per-cell detail and citations are in the report source.
The gap
A portable, signed, consent-aware memory record would add three things no incumbent ships together: a vendor-neutral format that carries the whole memory losslessly; cryptographic provenance bound to the record (who authored it, when, from what source) signed so it survives export and can be checked offline; and verifiable integrity a third party can validate without trusting the originating store. Turning "trust my database" into "check the math."
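The difference between a store-side content hash (as in "Nobody signs memory") and the signed record described here, shown as an added example that is not code from this report, from RememberKit, or from any of the six systems. The record fields, the agent identifier and the function names are hypothetical, and the verifier is assumed to have obtained the author's Ed25519 public key through a channel it already trusts.

```javascript
// Added example; field and function names are hypothetical, sample values are constructed.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // ES-module fallback (newer Node only)

// Deterministic serialization (sorted keys) so signer and verifier hash identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// A dedup-style content hash: anyone who holds the record can recompute it.
const dedupHash = body =>
  nodeCrypto.createHash('sha256').update(canonical(body)).digest('hex');

// The author signs content plus provenance; the signature travels with the export.
function signMemory(body, privateKey) {
  const sig = nodeCrypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return { body, sig: sig.toString('base64') };
}

// Offline check: needs only the author's public key, never the originating store.
function verifyMemory(rec, publicKey) {
  try {
    return nodeCrypto.verify(null, Buffer.from(canonical(rec.body)), publicKey,
      Buffer.from(rec.sig, 'base64'));
  } catch { return false; } // malformed signature or key counts as unverified
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const rec = signMemory({
    author: 'agent:alice', created: '2026-06-01T12:00:00Z',
    source: 'chat-session-42', content: 'User prefers invoices in EUR',
  }, privateKey);
  rec.hash = dedupHash(rec.body);
  // A dishonest store rewrites the content and recomputes its own hash.
  const forged = { ...rec, body: { ...rec.body, content: 'User prefers invoices in USD' } };
  forged.hash = dedupHash(forged.body);
  return {
    genuine: verifyMemory(rec, publicKey),                   // true
    forgedHashMatches: forged.hash === dedupHash(forged.body), // true: hash proves nothing
    forgedVerifies: verifyMemory(forged, publicKey),         // false: signature catches it
  };
}
```

The rewritten record still passes the hash comparison because the party that altered it also controls the hash; only the signature check, which depends on a key the store does not hold, fails.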
Why has no incumbent shipped it? The business model points the other way. Each of these six is either a managed store monetizing retention or a framework whose value is ecosystem gravity. Portability and third-party verifiability both reduce lock-in and remove the vendor as the necessary trust anchor, which is precisely the moat. The result is a market where consent controls are mature, storage models are sophisticated, and the one capability that would let memory function as a credential rather than a convenience is shipped by exactly zero of the six.
What it means
- For builders. If your agent's memory has to be trusted by anything outside the system that wrote it, today it cannot be. Treat memory as unverified input crossing a trust boundary, not as fact.
- For the agentic web. Memory is becoming the thing agents act on: preferences, payment context, prior decisions. An unsigned memory is a forgeable instruction. The discovery and commerce layers inherit whatever the memory layer cannot prove.
- For standards. Consent is solved and storage is sophisticated. The open problem is a neutral, signed, portable record format, and it needs governance no single vendor has a reason to build.
Methodology & honest caveats
- Firsthand and cited. Six systems spanning open-source frameworks (Letta, LangMem, Cognee), memory-as-a-service (Mem0, Zep), and model-native memory (ChatGPT, Claude, Gemini), assessed against six dimensions from primary sources: docs, public source code, and API references.
- Adversarially verified. Each system's findings were handed to an independent reviewer told to refute the high-stakes claims, especially any assertion of signing, verifiability, or portability, by reading the cited sources again. Corrections were folded in before synthesis.
- Read-only, no private benchmark. We did not probe hosted services or run a closed benchmark. The disclosure is the method and the citations, so anyone can check a cell or argue with a rating.
- Source tags. Vendor self-attestation (e.g. SOC 2) and third-party migration tooling are noted as such and were not independently certified.
The work behind it
- This report (PDF)
- RememberKit — the signed, portable memory record we built next
- Our open datasets
Cite: Major Labs (2026). The State of Agent Memory. majorlabs.co/reports/state-of-agent-memory.
Who measured this
Major Labs builds open-source primitives and measurement for the agentic web: the State of MCP and State of AEO reports, and the five-piece safety suite (identity, mandate, budget, witness, memory) that answers what an agent is, may do, spends, did, and knows.
Consent is mature. Storage is clever. The one thing missing is the ability to hand a memory to someone else and have them check it. Until that ships, agent memory is a convenience, not a credential. This is the measurement, open for anyone to check or contest.