{"paper":{"title":"MemLineage: Lineage-Guided Enforcement for LLM Agent Memory","license":"http://creativecommons.org/licenses/by/4.0/","headline":"By tracking derivation lineage in agent memory, MemLineage prevents poisoned entries from justifying sensitive actions while preserving useful recall.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Ciyan Ouyang, Rui Hou","submitted_at":"2026-05-14T06:07:54Z","abstract_excerpt":"We introduce MemLineage, a defense for LLM agent memory that attaches both cryptographic provenance and LLM-mediated derivation lineage to every entry. Recent and concurrent work shows that untrusted content can be written into persistent agent state and re-enter later sessions as an instruction; the remaining systems question is how to preserve useful memory recall while preventing such state from justifying sensitive actions. MemLineage treats this as a chain-of-custody problem rather than a filtering problem. It is a six-module design around an RFC-6962 Merkle log over per-principal Ed25519"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"MemLineage is the only configuration in that harness that drives all three columns to zero ASR, while sub-millisecond per-operation overhead keeps it well below the noise floor of any LLM call.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the LLM-mediated derivation lineage accurately identifies which prior entries influenced each new memory and that the max-of-strong-edges propagation rule correctly captures all paths that could justify sensitive actions.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"MemLineage enforces untrusted-path persistence in LLM agent memory through Merkle logs, per-principal signatures, and max-of-strong-edges lineage propagation, achieving zero ASR on three poisoning workloads with sub-millisecond overhead.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"By tracking derivation lineage in agent memory, MemLineage prevents poisoned entries from justifying sensitive actions while preserving useful recall.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"decad05529b50f232af0cd2fec79b00fed7020d7e7f5cc4334e7a687a8c87be1"},"source":{"id":"2605.14421","kind":"arxiv","version":1},"verdict":{"id":"bb11cb12-9545-447d-acb4-271d22f042c3","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T02:15:45.125607Z","strongest_claim":"MemLineage is the only configuration in that harness that drives all three columns to zero ASR, while sub-millisecond per-operation overhead keeps it well below the noise floor of any LLM call.","one_line_summary":"MemLineage enforces untrusted-path persistence in LLM agent memory through Merkle logs, per-principal signatures, and max-of-strong-edges lineage propagation, achieving zero ASR on three poisoning workloads with sub-millisecond overhead.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the LLM-mediated derivation lineage accurately identifies which prior entries influenced each new memory and that the max-of-strong-edges propagation rule correctly captures all paths that could justify sensitive actions.","pith_extraction_headline":"By tracking derivation lineage in agent memory, MemLineage prevents poisoned entries from justifying sensitive actions while preserving useful recall."},"references":{"count":20,"sample":[{"doi":"10.1007/s13389-","year":2012,"title":"Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang","work_id":"e809c0cd-0970-4e40-b811-25d8a5c611cb","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Carsten Bormann and Paul E. Hoffman. Concise binary object representation (CBOR). RFC 8949, Internet Engineering Task Force (IETF), December","work_id":"946b0a60-0415-4f2c-a43e-0e8b573a2abf","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Verified via IETF datatracker","work_id":"7db9ca18-7a88-4d20-a89c-f3c333da7930","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Ghost in the Agent: Redefining Information Flow Tracking for LLM Agents","work_id":"8010c538-559e-41c9-940f-4c2d0ca50745","ref_index":5,"cited_arxiv_id":"2604.23374","is_internal_anchor":true},{"doi":"","year":2024,"title":"Agentpoison: Red-teaming llm agents via poisoning memory or knowledge bases","work_id":"fd576f32-99d7-40a6-866a-ad86ad47565d","ref_index":6,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":20,"snapshot_sha256":"f43824361a36b58213c109f2f9d3a09d2877d6a97447518abb5a68d8cab512e5","internal_anchors":6},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}