First surfaced in Tandemly Briefing — 2026-05-24.

Agent Safety · Memory

Safe at launch,
not in production.

Researchers built a protocol to ask a question nobody had asked carefully: does a memory-equipped LLM agent become less safe the longer it runs? Testing across eight memory architectures and three deployment scenarios, the answer came back consistently yes. Safety violation rates climbed as memory accumulated, even when the order of past tasks was randomized.

Core concept
Temporal memory contamination: the mechanism by which memories accumulated from earlier, unrelated tasks shift an agent's safety profile in ways no single-task evaluation can detect.
scroll to explore
01The problem

Safety evals test
the first minute.

Standard safety evaluations treat each interaction as independent. They don't ask what happens after months of real use, when memory has accumulated from thousands of unrelated tasks.

Most safety evaluations of LLM agents work like this: you test the agent before deploying it, run it through a set of scenarios that might trigger unsafe behavior, and verify it passes. If it does, it ships. That is a reasonable starting point. But it misses a fundamental question about how production agents actually work.

A deployed agent doesn't serve one task. An email assistant handles correspondence across months. A computing agent runs hundreds of jobs, writing to file systems, executing shell commands, and interacting with credentials along the way. Memory accumulates from every interaction. The designers may not have intended for early memories to affect later ones. But they do.

The failure mode this paper names is "temporal memory contamination." It is not a prompt injection, where an attacker plants a malicious instruction in one message. It works through accumulation. Each individual interaction can look completely clean. Over time, the combination of accumulated context shifts how the agent responds to future tasks it has never encountered before, without any single input having been adversarial.

The question this paper asks

If you evaluated an agent at deployment and it passed every safety check, would it still pass those same checks after 30, 60, or 90 days of real-world use? And if not, what in the accumulated memory is driving the change?

02The experiment

Isolating memory
from everything else.

The challenge with studying longitudinal safety is separating what memory contributes from what the tasks themselves would cause. The trigger-probe protocol addresses this directly.

The researchers designed a trigger-probe protocol to isolate memory's effect from other variables. The idea is straightforward: define a fixed set of probe tasks that stay constant throughout the experiment. Collect snapshots of the agent's memory state at different points in its history. Run the probes against each snapshot with memory in read-only mode, so the probe doesn't add to the history being tested. Then compare results across memory states of different lengths.

The counterfactual is a NullMemory baseline: the identical agent, the identical probe tasks, but with no accumulated memory at all. Any safety violation the memory-equipped agent produces on the probes that the NullMemory agent does not is attributed to the contents of memory. The baseline makes attribution possible and removes confounds from the task stream itself.

1
Fixed probe set
A constant battery of test tasks that remains unchanged throughout the experiment. The same probes run against every memory snapshot, so any change in behavior across time points is attributable to memory state, not to variation in the test itself.
2
Read-only memory snapshots
Snapshots of the agent's accumulated memory at different exposure lengths. Memory is read-only during probe evaluation, so testing a snapshot doesn't contaminate the history it's measuring. This is what makes comparing across time points valid.
3
NullMemory counterfactual
The identical agent and probe set, but with no accumulated memory. Every safety violation the memory-equipped agent produces that the NullMemory agent doesn't is classified as a memory-induced violation. This is the isolation mechanism that makes attribution possible.
Scope of the study

Eight memory architectures, spanning retrieval-based, compression-based, and hybrid designs. Three deployment scenarios covering document management, scheduling, and email correspondence. Two agent classes: an office assistant handling emails and scheduling, and an OpenClaw-style tool-using agent with access to file systems, shell execution, and credentials. Researchers from Virginia Tech, UC Berkeley, and UIUC.

03Findings

More memory,
more risk.

The results held across all eight memory architectures tested. Every configuration became less safe as memory accumulated.

Prior assumption
Safety is a property of the model and the input. If an agent passes a safety evaluation at deployment, it will behave safely in production. Memory is a capability feature, not a safety variable. Evaluate once and ship.
What this study found
Safety is a property of the memory state. Memory-induced violation rates climbed monotonically with exposure length across every architecture tested. The same probes, the same agent, different memory lengths produced different safety outcomes.
Finding 1: Monotonic increase in violations

Across all eight memory architectures and both agent classes, memory-induced violation rates climbed consistently with exposure length. Agents that had accumulated more memory produced more safety violations on probe tasks they would have handled safely with no memory at all. The effect was not confined to one architecture or one deployment scenario. It appeared across all configurations tested.

Finding 2: Content drives the effect, not ordering

A skeptical reading of monotonically increasing violations could blame task ordering: maybe the first few tasks happened to be bad, and that early contamination explains the degradation. The researchers ruled this out with order-randomization experiments, shuffling the sequence of past tasks before accumulating memory. The safety degradation persisted. Accumulated content in aggregate is what causes the shift, not which tasks arrived first.

Finding 3: Risk is detectable at retrieval time

Memory-induced risk is detectable from the retrieval state before the model generates any output. This means a monitoring layer does not have to wait for an unsafe output to appear. It can inspect what is about to be retrieved from memory and flag elevated risk before the generation step runs. Early warning is tractable from architecture already present in the system.

Scope and limitations

The paper studies a specific threat model: safety drift caused by accumulated memory from ordinary, non-adversarial tasks. It does not address cases where a single task intentionally poisons memory. The two agent classes cover important deployment patterns but do not represent all memory-equipped agent types. Specific violation rates depend heavily on probe set design and deployment context, so direct numeric comparisons to other systems require care.

04Practical takeaways

What to do
with this.

The practical implication is direct: safety evaluations that test agents at deployment and call the work done are missing most of the picture for any agent with persistent memory.

1
For safety evaluators
Add a temporal dimension to your evals. Run your probe set not once at deployment, but again after 30, 60, and 90 days of real usage. Compare against the NullMemory baseline. Without this, you have no data on whether the agent's safety profile is holding up under actual production conditions.
2
For agent developers
The NullMemory baseline is a cheap diagnostic you can run now. Take your existing safety probe set. Run the same probes against your deployed agent with and without memory. The delta is the memory-induced violation rate for your specific system. If it is non-zero and growing across time points, you have confirmed the effect in your own stack.
3
For architects choosing memory designs
Not all memory architectures produced the same violation rate in this study. Safety is now a criterion in memory architecture selection, not just capability or retrieval quality. Before committing to a design, run the trigger-probe protocol across candidate architectures to understand the safety tradeoff alongside the recall tradeoff.
4
For production monitoring
Finding 3 is an engineering opportunity. If risk is detectable at the retrieval stage before generation, you can build a monitoring layer that inspects what is about to be retrieved and flags elevated risk before the model runs. This shifts the detection timeline from post-output to pre-output, giving the system a chance to intervene earlier.
5
A note on scope
This paper addresses safety drift from ordinary, non-adversarial task accumulation. It is a complement to, not a replacement for, evaluations that cover prompt injection, adversarial memory poisoning, and other active attack surfaces. The two threat models are distinct and require different mitigations.
05Further exploration

Where to go
from here.

If you want to go deeper on longitudinal agent safety.

1
Read the paper
Al-Tawaha, A., Gu, S., Niu, P., Jia, R., & Jin, M. (2026). Remembering More, Risking More: Longitudinal Safety Risks in Memory-Equipped LLM Agents. Virginia Tech, UC Berkeley, UIUC. arXiv:2605.17830.
2
Define a fixed probe set before memory accumulates
The fixed probe design is what enables longitudinal measurement. Without a constant probe baseline established at deployment, you have no reference point to compare against later. Define the set before you ship the agent, not after months of production use.
3
Run the NullMemory diagnostic on your deployed agent
If your agent has been running in production for more than a few weeks, compare its safety behavior with and without memory on a representative probe set. The comparison requires no new infrastructure beyond the ability to run the agent with memory cleared.
4
Read the complementary work on memory safety
AgentTrust (arXiv:2605.04785) covers runtime tool-call interception as a safety layer before execution. The delta-mem paper (arXiv:2605.12357) covers memory architecture design. Together, these three papers address memory safety at the architecture, runtime, and longitudinal evaluation layers.
5
Explore retrieval-time detection
Finding 3 suggests the detection layer should operate on what the retrieval step returns before it reaches the model. If your architecture logs or hooks retrieval, you already have the substrate needed to prototype this. Start with flagging retrieval states that show elevated similarity to known unsafe content patterns.