No Memory of Its Own: Governing a Visiting Agent on Sovereign Data
Abstract
The enterprise already knows how to let an outsider work on sensitive data. It stands up a data room, decides who may see what, logs every access, and lets counsel hold the door. The arrangement assumed the outsider was a person because the outsider was a person or a team of them. A person reads under an agreement, forgets most of it, and is bound by contract when they leave.
Things, as they say, have changed recently. Now the outsider is likely an agent, or a team of them, and an agent breaks all three assumptions at once: it reads, it remembers exactly, and it carries that memory out the moment it leaves, into a model and an operator the data owner does not control. A room built for human eyes does not contain it.
This note is not the construction of a new mechanism. It is a characterization of a problem and a claim about where the solution must live. The problem is cross-organization data sharing in the agentic era: one organization must let another’s agent work over its most sensitive data, and must govern what the agent touches, prove what it saw, and control what it keeps. We survey the two research literatures that each solve half of this, show that no work sits at their intersection, and argue that the intersection is reachable only from a single architectural commitment. The commitment is that memory is a service of the agentic operating system, not a possession of the agent. When the memory of the visit belongs to the host rather than to the visitor, the data room can be rebuilt for agents. The rebuilt room is an agentic data enclave.
1. What crosses the threshold now
Letting one organization’s agent work safely on another’s data is where much of the agentic era’s enterprise value will be made; the diligence, supply-chain, and partner workflows that once took a quarter of legal review collapse to an afternoon. Doing nothing new does not avoid this, because the agents arrive regardless, through a vendor’s product or a business unit that never asked, so refusal buys the exposure of ungoverned access and none of the speed. And the value you decline is not left on the table; it is captured by the competitor who learned to host visiting agents safely, in the partnerships and compounding data relationships you forfeit by saying no.
The virtual data room turned secure outside access into routine software years ago, and the idea faded into the semi-boredom of routine. It faded because the thing crossing the threshold was stable, well-known, and limited. A diligence reviewer, an auditor, a counterparty’s counsel: each was a person, admitted under a data-use agreement, shown documents through a controlled surface, and trusted afterward to honor the terms. The room governed exposure, what was placed in front of the person, and left retention to law. A person’s memory is lossy, unauditable, and legally bound, so leaving retention to contract was the only available choice and a tolerable one.
An agent inverts every term of that arrangement. Its memory is not lossy in the way a person's is; it retains what it reads with high and rising fidelity. Its memory is not unauditable in principle, but it is unaudited in practice, held inside the agent's own process where the data owner has neither access to it nor purchase on it. And its memory is not bound by the agreement the counterparty signed, because the moment the agent leaves, what it read flows through a foundation model and into an operator's infrastructure, neither of which was ever party to the room.
In short, the problem is that the exposure the data room governed and the retention it left to law have collapsed into one event, and that event now happens on the wrong side of the boundary.
The exposure is also new in kind because it’s irreversible. A person admitted under an agreement and later found to have abused it can be sued; the remedy is after the fact, but it exists. Data that has left inside an agent’s memory cannot be recalled, and no audit after the fact undoes the transfer. Every ungoverned agentic visit is a disclosure the owner never approved and cannot take back. This is why the problem will not wait. The agents are already arriving: a partner points one at your records, a vendor ships one inside its product, a business unit wires one up without asking, and the two available answers are both bad. Forbid them and forfeit the partnerships the rest of the business is demanding. Admit them ungoverned and own the breach, the regulator’s question, and the disclosure that cannot be unwound.
A room is in any case the wrong shape, because a room is a place in which one is shown things, and an agent does not want to be shown things; it wants a place to work. Research computing already has the right word for a bounded environment where an outsider works on sensitive data and the owner reviews what may leave: an enclave. The data room, rebuilt for an agent that works rather than merely reads, is an agentic data enclave.
A data room offers exactly one service: mediated access, the controlled showing of things. An enclave offers many, because an agent that works rather than reads needs services to work with, memory and identity and tools, including dynamic data integration, and a place to act, and the host needs services to stay sovereign, governance and proof and recovery and control of what leaves. Several of these are one service seen from two sides: the provenance that lets the host audit the visit is the provenance that lets the agent show its work, and the capability that bounds the agent is the capability that authorizes it.
A data room is a viewing surface; an enclave is an operating system, and the distance between them is the count of services it must run and the fact that visitor and host both depend on them.
The rest of this note asks what such a thing must do, what the research field already provides, and what is missing that only one kind of system can supply.
2. Two literatures, and the gap between them
The research relevant to this problem divides cleanly along two axes, and the division is the finding of this research note. One literature governs an agent. The other governs data-sharing across organizations. Each is mature in its own terms. Almost no work sits on both axes at once, and the empty intersection is exactly the agentic data enclave.
The first axis governs the visiting agent: it asks how to keep an autonomous agent with memory and tool-calls from doing harm, and the field has converged on five families. There is cryptographic memory provenance, which signs and hash-chains every write to an agent’s memory and tracks each fact’s lineage, so a poisoned or smuggled recollection is detectable rather than trusted (MemLineage, Ouyang and Hou, 2026). There is the declarative policy engine with attestation, which states in a rule language which tools may be called, with which arguments, under which identity, and proves the running agent obeyed the policy before each call (Trusted AI Agents in the Cloud, Bodea et al., 2025; Defeating Prompt Injections by Design, Debenedetti et al., 2025). There is information-flow control and taint tracking, which labels data with its confidentiality at the point it enters and follows the label through the agent’s reasoning to block a tool call that would carry it to a disallowed sink (Securing AI Agents with Information-Flow Control, Costa et al., 2025; An AI Agent Execution Environment to Safeguard User Data, Stanley et al., 2026). There is the transactional runtime, which wraps a multi-step workflow as a single unit recorded in shadow state and rolls back every side effect when a validator finds a violation, so a bad action is undone rather than merely logged (Enforcing Benign Trajectories, Dang, 2026; Cordon: Semantic Transactions for Tool-Using LLM Agents, Chen et al., 2026). And there is enclave-based confidential computing, which runs the whole agent inside a hardware-isolated VM with remote attestation and emits a tamper-evident, replayable trace of what it did (Two-Way Confidential VMs, Thijsman et al., 2026; VET Your Agent, Grigor et al., 2025).
Every one of these governs a single agent’s safety. None was written for the case where the agent belongs to a counterparty and the data belongs to you.
The second axis shares data across organizations without moving it: it asks how mutually distrustful parties can let computation touch each other’s records while each owner keeps sovereignty, and its families are older and hardware-rooted. There is the dual-layer confidential VM, where a hardware enclave wraps a sandbox that wraps the workload and a sealed commitment manifest names the only data channels it may use, so the owner can admit foreign code without reading it (Two-Way Confidential VMs, Thijsman et al., 2026). There is consortium governance over trusted hardware, where a programmable constitution decides who may join and what the shared service is permitted to compute (Confidential Consortium Framework, Howard et al., 2023). There is the data-escrow platform, where a gatekeeper runs a counterparty’s function over encrypted data inside an isolated container and logs every access, so the raw data never leaves the owner’s custody (Data Station, Xia et al., 2023). There is TEE-backed federated analytics, where each party computes locally inside trusted hardware and only differentially-private aggregates ever leave (PACC-Health, Zhang et al., 2025). And there is the formally verified data-use monitor, which carries a sensitivity label through a query plan and proves a disallowed operation never runs (Picachv, Chen et al., 2025).
Every one of these isolates an opaque box of computation. The box predates the agent. None of them governs what an agent’s memory carries out, because none was written for a world in which the computation inside the box is stateful, that is, remembers.
This is the gap. The first axis knows the computation is an agent with memory but assumes the agent and the data share an owner. The second axis knows the data and the computation have different owners but assumes the computation is a stateless box. The lone family that spans both axes, the confidential VM, isolates the box from each side at once and still never reaches the memory within it.
The agentic data enclave is the case both literatures exclude: a visiting agent, with persistent memory, working on data it does not own.
Its defining requirement, to govern what the memory of the visit retains, is named by neither literature, because the first axis has no second organization to protect the memory from, and the second axis has no memory to govern.
3. The five requirements
Strip the problem to its obligations only and five fall out. They are not a feature list; they are the conditions under which a data owner can rationally say yes to a visiting agent. The first four are each satisfied somewhere in the literature of section 2; the last is satisfied nowhere.
One: govern what the agent may touch. Access is not all-or-nothing. The agent is admitted to exactly the data the work requires and no more, and the grant is scoped, bounded, and revocable. This is the policy-manifest and capability line of the second axis.
Two: prove what the agent saw. Every access traces through a bounded authority to the person who granted it, and the record holds who asked, what ran, and what it touched, in a form a regulator can be shown rather than asked to trust. This is audit-grade provenance.
Three: replay the record. A log one is asked to believe is weaker than a record one can re-run. Every governed decision is deterministic, so the visit replays and the boundary reaches the same verdicts each time. The regulator re-runs the visit rather than reading a summary of it.
Four: unwind a mistake. An error inside the enclave, an action taken that should not have been, is reversible by the substrate, undone rather than merely regretted. This is the transactional, compensating line of the first axis.
Five: curate what the agent keeps. When the agent leaves, the owner decides what it retains of the visit: erased, edited, or supplemented at the owner’s discretion. This is the requirement no literature meets, and it is the one that distinguishes an agent from a stateless box and an enclave from a data room.
If the memory of the visit belongs to the agent, the agent leaves with it and the owner governs nothing that matters. If the memory belongs to the host, the owner governs the one thing the whole arrangement exists to govern. This is the crux of the whole matter.
4. WunderOS is one point in that space
The five requirements have a common precondition, and naming it is a contribution of this note. Requirements one through four can each be met by governing the boundary around a computation, wrapping it, labeling its flows, logging its calls, transacting its actions. The fifth cannot, because the memory of the visit is not at the boundary; it is inside the agent, and a boundary cannot reach inside a box it has agreed not to open.
The fifth requirement is met only if the memory was never inside the agent to begin with. It is met only if memory is a service of the agentic operating system, i.e., of the agentic data enclave itself, rather than a possession of the visiting agent. That single inversion is the architectural commitment from which the agentic data enclave becomes reachable, and it is the commitment WunderOS is built on. The inversion cannot be bolted onto an agent that owns its memory, which is why every system that did not start here is on the wrong side of it.
WunderOS does not supply the agent. It supplies the enclave, the operating system the agent runs inside, which carries the agent’s memory, identity, governance, and recovery for it. These are the many services of section 1, some the agent’s, some the host’s, several belonging to both. The agent it hosts can be a visitor’s, brought by a counterparty and never modified, because WunderOS governs an unmodified agent through the substrate it must use rather than through cooperation it must volunteer (PLRN-004, Kinetic Control of Unmodified Agents). This is the line between a harness and an operating system. A harness wraps an agent and governs only what the agent volunteers to route through it, so to govern more is to modify the agent. An operating system runs the agent as a guest, and every memory write, every tool call, every byte that would leave is a syscall the kernel mediates whether the agent consents or not. A kernel governs an unmodified binary completely, by owning the substrate beneath it rather than by asking it to cooperate. That an agent is unmodified and that it is wholly governed are then the same fact, not opposing ones, and that is why the right object here is an operating system and not a harness. The agent has memory, identity, and tools only as services the operating system extends and can withdraw (PLRN-000, The Sovereign Agency Grid). Against that commitment, the five requirements stop being aspirations and become properties of components the system already has.
Governing what the agent may touch is sealed identity and earned capability: the agent acts only through bounded grants that trace to an authority, and holds no ambient power it was not given (PLRN-014, Authority Without Assertion). Proving what it saw is provenance by construction: the record of what was accessed is not instrumentation bolted on but a property of how every fact is written, hash-chained and signed at the point of access (PLRN-006, Audit-grade Provenance by Construction). Replaying the record is the deterministic clock the whole substrate already runs on, so a governed visit is replayable exactly rather than merely re-observed (PLRN-002, Composing Deterministic-Simulation Testing). Unwinding a mistake is the saga tree and append-only retraction: an action inside the enclave compensates and a fact retires by a later fact, so the visit has an undo (PLRN-011, The Saga Tree; PLRN-007, Append-Only with Retraction). The single governed egress through which anything leaves is where taint becomes decisive: a labeled flow that should not cross does not cross (PLRN-008, Taint Tracking for Agent Tool-Calls).
The fifth requirement is the one the inversion was for. Because the memory of the visit is the enclave’s, not the agent’s, curating it is an ordinary operation on the owner’s own store rather than a negotiation with the visitor. Externalizing memory to a store, which agent frameworks already do, is a place to put bytes and fetch them back; it is not this. Curation reads what the retained memory means and governs what of it may leave, a power a store does not have and the visitor’s own framework never held. The owner erases, edits, or supplements what the agent retains, by the same retraction the substrate uses for every correction (PLRN-007), and the agent leaves with exactly what the boundary passed and nothing it did not. The visiting agent does not decide what it carries back out, because it never held the memory to carry. And because two organizations meeting in the enclave do not share one view of the truth, each sees the data under its own authority and perspective rather than a single merged record (PLRN-013, No View From Nowhere), which is what makes the same enclave safe for a counterparty and its host at once.
What this governs is retention, not in-session inference. While the visit is live the model still conditions on what it reads, and no substrate un-reads it; the enclave bounds that residue rather than erasing it, on two sides. The session is ephemeral, so at teardown whatever was not curated into the owner’s store is reclaimed with the rest of the agent’s transient state. And any result the agent would emit from what it read is itself a flow across the one governed egress, curated like any other, so a visitor that tries to launder in-context data into its own output is checked at that boundary. What is left is in-session exfiltration through a channel the owner allowed, the irreducible floor for any architecture rather than a gap in this one.
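The mechanism sections 3 and 4 describe can be shown in working code. What follows is an added example written for this note; it is not WunderOS code and not the PLRN substrate, and every name in it (HostMemoryService, Grant, remember, retract, egress, verify_chain) is an assumption of the example rather than an API the system exposes. It demonstrates the single commitment the note argues for: the host owns the memory, the visiting agent writes to it only through a scoped and revocable grant, every write is an append-only entry hash-chained to the one before it (an HMAC under a host key stands in for a signature here), the owner erases or edits by retraction rather than by mutation, and nothing leaves except through one egress that re-derives the live state from the log and drops any fact whose label may not cross. The scenario in run_visit is constructed for illustration.

```python
"""Added example: memory as a host-owned service with hash-chained provenance,
scoped grants, append-only retraction and a label-checked egress.
Not WunderOS code; all names and the HMAC-for-signature stand-in are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """Scoped, revocable capability: which dataset, under whose authority."""
    grant_id: str
    dataset: str
    label: str          # confidentiality label attached to every fact read under it
    granted_by: str


@dataclass
class Entry:
    seq: int
    kind: str           # "fact" or "retract"
    grant_id: str
    label: str
    payload: dict
    prev: str           # MAC of the previous entry: the hash chain
    mac: str = ""


class HostMemoryService:
    """The enclave owns the memory; the visitor only holds a handle to it."""

    def __init__(self, host_key: bytes):
        self._key = host_key                 # constructed host key, stands in for a signing key
        self._log: list = []
        self._grants: dict = {}
        self._revoked: set = set()

    def grant(self, g: Grant) -> None:
        self._grants[g.grant_id] = g

    def revoke(self, grant_id: str) -> None:
        self._revoked.add(grant_id)

    def _body(self, e: Entry) -> bytes:
        return json.dumps([e.seq, e.kind, e.grant_id, e.label, e.payload, e.prev],
                          sort_keys=True).encode()

    def _append(self, kind: str, grant_id: str, label: str, payload: dict) -> int:
        prev = self._log[-1].mac if self._log else "0" * 64
        e = Entry(len(self._log), kind, grant_id, label, payload, prev)
        e.mac = hmac.new(self._key, self._body(e), hashlib.sha256).hexdigest()
        self._log.append(e)
        return e.seq

    # The agent's only write path: refused without a live grant (requirements one, two).
    def remember(self, grant_id: str, text: str) -> int:
        g = self._grants.get(grant_id)
        if g is None or grant_id in self._revoked:
            raise PermissionError(f"no live grant {grant_id}")
        return self._append("fact", grant_id, g.label, {"text": text})

    # Owner-side curation (requirement five): erase, or edit by supplying a replacement.
    def retract(self, seq: int, by: str, replacement: Optional[str] = None) -> int:
        target = self._log[seq]
        payload = {"retracts": seq, "by": by}
        if replacement is not None:
            payload["text"] = replacement
        return self._append("retract", target.grant_id, target.label, payload)

    # Audit recomputes the chain instead of trusting it (requirement three).
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self._log:
            expect = hmac.new(self._key, self._body(e), hashlib.sha256).hexdigest()
            if e.prev != prev or not hmac.compare_digest(e.mac, expect):
                return False
            prev = e.mac
        return True

    # The one governed egress: live state is re-derived from the log, then label-filtered.
    def egress(self, may_leave: set) -> list:
        live: dict = {}
        for e in self._log:
            if e.kind == "fact":
                live[e.seq] = (e.label, e.payload["text"])
            elif "text" in e.payload:            # edit keeps the original fact's label
                live[e.payload["retracts"]] = (e.label, e.payload["text"])
            else:                                # erase
                live.pop(e.payload["retracts"], None)
        return [{"seq": s, "label": lab, "text": txt}
                for s, (lab, txt) in sorted(live.items()) if lab in may_leave]


def run_visit() -> dict:
    """Constructed scenario: a visitor reads under two grants, one is revoked mid-visit,
    the owner erases one fact and edits another, and only 'internal' facts may leave."""
    host = HostMemoryService(host_key=b"host-demo-key")          # constructed key
    host.grant(Grant("g1", "contracts", "internal", "counsel@host"))
    host.grant(Grant("g2", "payroll", "restricted", "counsel@host"))
    a = host.remember("g1", "Supplier X renewal due 2027-01")
    host.remember("g2", "Employee 4412 salary 183k")
    c = host.remember("g1", "Supplier Y exclusive clause, section 9")
    host.revoke("g2")
    try:
        host.remember("g2", "Employee 4413 salary 201k")
        denied = False
    except PermissionError:
        denied = True
    host.retract(c, by="counsel@host")                                          # erase
    host.retract(a, by="counsel@host", replacement="Supplier X renewal due Q1 2027")  # edit
    return {"denied": denied, "chain_ok": host.verify_chain(),
            "export": host.egress(may_leave={"internal"}), "log_len": len(host._log)}
```

The export the visitor carries out contains one fact: the edited renewal note. The payroll fact never crosses because its label is not in may_leave, the erased clause is gone because the later retraction retired it, and the attempted write after revocation was refused at the syscall rather than detected afterward. Mutating any entry in the log in place makes verify_chain return False, which is what lets a regulator re-run the visit instead of reading a summary of it.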
What the field treats as five separate problems, solved by five separate mechanisms wrapped around five separate boxes, the enclave treats as five facets of one decision about where memory lives. The literature isolates the box; WunderOS owns the memory. That is the whole of the difference, and it is the difference that lets a data owner host a visiting agent and still govern the one thing a contract never could: what the visitor is allowed to remember.
5. Related work
The two literatures this note joins are surveyed in section 2; here they are placed against the claim. On the agent-governance axis, cryptographic memory provenance (MemLineage, Ouyang and Hou, 2026), the declarative policy engine with attestation (Trusted AI Agents in the Cloud, Bodea et al., 2025; Defeating Prompt Injections by Design, Debenedetti et al., 2025), information-flow control (Securing AI Agents with Information-Flow Control, Costa et al., 2025; An AI Agent Execution Environment to Safeguard User Data, Stanley et al., 2026), the transactional tool-runtime (Enforcing Benign Trajectories, Dang, 2026; Cordon, Chen et al., 2026), and enclave execution with verifiable traces (VET Your Agent, Grigor et al., 2025) each govern a single agent under a single owner. On the cross-organization axis, the dual-layer confidential VM (Two-Way Confidential VMs, Thijsman et al., 2026), consortium governance over trusted hardware (Confidential Consortium Framework, Howard et al., 2023), the data-escrow gatekeeper (Data Station, Xia et al., 2023), TEE-backed federated analytics (PACC-Health, Zhang et al., 2025), and the formally verified data-use monitor (Picachv, Chen et al., 2025) each isolate an opaque box of computation across distrustful owners. The contribution claimed here is not a sixth mechanism on either axis. It is the observation that the agentic data enclave is the unoccupied intersection of the two, and that the intersection is reachable only by moving memory out of the agent and into the operating system, the commitment the WunderOS substrate of PLRN-000 through PLRN-015 was already built on, here read off as the enclave the field has not yet named.
A note on method
Written in conversation with Claude Opus 4.8 (Anthropic) as structured interlocutor and prose editor. The research backstop was assembled with Paper Lantern. The ideas, claims, framing, copy edit, and architectural commitments are mine.
Kendall Clark · k@pentad.ai
Great Falls, Virginia
June 2026