Command Palette
Search for a command to run...
Agents perpétuellement actifs : un état de l’art sur la mémoire persistante, l’état et la gouvernance dans les agents LLM
Agents perpétuellement actifs : un état de l’art sur la mémoire persistante, l’état et la gouvernance dans les agents LLM
Tianyu Ding Aditya Nannapaneni Bingfan Liu Ling Zhang
Résumé
Les agents perpétuellement actifs sont des systèmes dont le comportement futur dépend d’un état durable accumulé au fil des interactions antérieures. Nous les traitons comme des systèmes à état persistant : le système opérationnel inclut des mémoires récupérables, mais aussi des registres de tâches, des autorisations, des justificatifs, des engagements, des enregistrements de provenance et d’audit, un état partagé, des conditions de déclenchement et des effets engagés en externe liés à ces enregistrements. L’état de l’art analyse la littérature selon six axes diagnostiques pour chaque élément d’état — autorité, portée, mutabilité, provenance, récupérabilité et actionnabilité — et à travers un cycle de vie où l’état est écrit, validé, organisé, récupéré, mis en œuvre, mis à jour, oublié, audité et parfois annulé. Dans un corpus codé de 435 travaux, traité comme une carte ciblée plutôt qu’un recensement exhaustif, la littérature se concentre davantage sur l’accumulation et la récupération de l’état que sur sa gouvernance, sa récupération ou son abandon. Nous introduisons donc le Protocole d’évaluation des agents perpétuellement actifs (AOEP-v0), un contrat d’évaluation pilote qui concrétise ces exigences de gouvernance en notant les obligations de mutation et de récupération de l’état plutôt que la seule qualité des réponses. L’agenda qui en résulte relie les agents perpétuellement actifs aux bases de données, aux systèmes distribués, aux méthodes formelles, à la sécurité par capacités et au désapprentissage automatique.
One-sentence Summary
The authors propose a survey treating always-on LLM agents as persistent-state systems, introducing six diagnostic axes—authority, scope, mutability, provenance, recoverability, and actionability—and a lifecycle of writing, validation, organization, retrieval, action, update, forgetting, audit, and rollback, then present the Always-On Evaluation Protocol (AOEP-v0) that scores state mutation and recovery obligations to concretize governance, thereby connecting the agenda to databases, distributed systems, formal methods, capability security, and machine unlearning.
Key Contributions
- A survey of 435 works codes always-on agents against six diagnostic axes (authority, scope, mutability, provenance, recoverability, actionability) and a lifecycle of state operations, revealing that the literature concentrates more on accumulating and retrieving state than on governing, recovering, or relinquishing it.
- The Always-On Evaluation Protocol (AOEP-v0), a pilot evaluation contract that scores state mutation and recovery obligations rather than answer quality, shifts evaluation to concrete governance requirements.
- An integrative research agenda links the governance gap to databases, distributed systems, formal methods, capability security, and machine unlearning, proposing a unified persistent-state governance layer that composes the currently scattered axes and invariants.
Introduction
The authors address a fundamental shift from episodic LLM agents, which reset after each task, to always-on agents that accumulate and rely on persistent state across sessions. This persistence enables personalization and long-term learning but introduces novel risks: stale, poisoned, or unauthorized records can silently authorize harmful actions because the safety reasoning that worked for single-episode agents no longer applies. Prior work on agent memory has largely focused on accumulation and retrieval, treating memory as a passive store and ignoring the governance dimensions that persistent state demands, such as authority, scope, provenance, recoverability, and the ability to roll back incorrect decisions. The authors reframe always-on agents as persistent-state systems requiring lifecycle governance, define six state axes and five invariants that any safe system must preserve, and, through a coded corpus of 435 works, quantify the field’s skew toward retrieval over governance. Their main contribution is this governance-centered taxonomy, along with a pilot evaluation protocol that scores state mutation and recovery rather than answer quality alone.
Dataset
The paper surveys over a hundred datasets, benchmarks, and structured memory substrates across ten application domains to diagnose how they handle persistent agent state. The authors do not introduce a new dataset; instead, they reuse published resources to taxonomize memory types and governance axes.
The dataset description below groups the surveyed resources by the dimensions most relevant to always-on agents: composition, sources, processing rules, and how the paper uses them to expose governance gaps.
-
Semantic facts and personalization benchmarks Sources: synthetic user interactions, crowdsourced profiles, and long-running conversation logs. Key subsets:
-
PersonaMem tracks an evolving user persona over many interactions and scores recall of the current profile.
-
PrefEval tests whether a model follows a stated fact or preference across long context.
-
LaMP provides early baseline of profile-conditioned generation.
-
CarMem narrows semantic facts to declared categories, applying scheduled deduplication and contradiction pruning.
-
DynamicMem models attribute and preference drift with multiple decay timelines, avoiding a single decay rate.
-
MemProbe reframes evaluation by auditing post-interaction memory for hidden user state rather than downstream task success. How the paper uses them: to illustrate semantic-fact failure modes of staleness, contradiction, and authority confusion, and to argue that recall benchmarks miss authority revocation.
-
Temporal reasoning and structured knowledge graph benchmarks Sources: time-evolving Wikipedia, synthetic graphs, streaming document feeds, and conversational logs. Key subsets:
-
TimeQA builds time-indexed answers from Wikipedia, asking about facts at different timestamps.
-
StreamingQA measures whether a store keeps pace with knowledge arriving over time, simulating a news stream.
-
FreshQA categorizes questions by answer-change speed and includes false-premise distractors.
-
ChroKnowBench partitions evolving vs. constant knowledge across domains and years.
-
Temporal probing suites (TempReason, TimeBench, MenatQA, Test of Time, TimeR4) isolate scope, order, counterfactuals, and pure temporal reasoning.
-
Substrates like Chronos (time-stamped events), APEX-MEM (temporal property graph), and Engram (bi-temporal knowledge graph with valid-time and transaction-time) turn time into a first-class field. How the paper uses them: to show that structured stores make provenance and validity representable, while vector stores miss them, and to highlight gaps in mutation under concurrent access and authority.
-
Web and computer-use agent environments Sources: self-hosted web replicas, live operating systems, Android emulators, and enterprise SaaS platforms. Key subsets:
-
WebArena: reproducible web environment with realistic sites; tasks reset after each episode, no persistent identity.
-
OS-World: open-ended computer control in a real OS with screenshots in, keyboard/mouse out.
-
AndroidWorld: live Android device with programmatic tasks that read, modify, and tear down real system state.
-
BrowserGym, WorkArena, TheAgentCompany extend to enterprise workflows and simulated workplaces.
-
iOSWorld: native iOS simulator with persistent user identity across twenty-six apps, many tasks require carrying that identity correctly.
-
Memory extensions (Agent Workflow Memory, ReasoningBank, WebAtlas, OS-Copilot’s FRIDAY, etc.) build external retrievable records to carry state across resets. How the paper uses them: to critique that most benchmarks score task success, not rollback or recovery; the web domain provides a strong substrate for actionability but a thin one for rollback traceability.
-
Healthcare benchmarks Sources: simulated patient records, longitudinal clinical conversations, and EHR interactions. Key subsets:
-
AgentClinic: seminal clinical-agent benchmark with notebook memory surviving across cases.
-
MedAgentBench: EHR-agent benchmark with tool calls that write irreversibly to patient records.
-
ClinEnv: LLM as attending physician over ordered irreversible decision stages per admission.
-
MediLongChat, ESMemEval, PsychEval: test recall and reasoning over longitudinal patient history.
-
TheraMind: explicit cross-session write-retrieve-update lifecycle for therapeutic relationships.
-
MedMemoryBench: targets always-on memory and formalizes memory-saturation failure mode.
-
VitalTrace: compact persistent patient-state memory with physiologically gated updates.
-
Dual-stream clinical memory systems separate self-report from authoritative FHIR record and run reconciliation engines. How the paper uses them: to show that healthcare imposes legal obligations of consent, deletion, and auditability; no clinical benchmark scores deletion propagation through derived tiers.
-
Finance, legal, and cybersecurity benchmarks Sources: historical market data, trading simulations, policy-constrained fintech dialogues, and legal procedure corpora. Key subsets:
-
FinMem: layered memory aligned to decision timescales for trading.
-
FinAgent, FinCon: diversified memory retrieval and self-critique to update persistent investment beliefs.
-
InvestorBench: standardized benchmark for memory-equipped financial decision agents across products.
-
τ-Banking: fintech customer-support domain with roughly 700 policy/procedure constraints.
-
RetailBench: thousand-day-scale retail inventory simulation where errors compound.
-
KTD-Fin: separates pretraining-memorized market data from genuinely retrieved current state.
-
LegalWorld: Chinese civil litigation as connected five-stage state chain built on tens of thousands of paired judgments.
-
SimCourt, civil-court multi-agent simulations with role-bound state and statute retrieval. How the paper uses them: to argue that none scores rollback of a trade, filing, or credential grant after authorizing evidence lapses; the non-repudiation gap is deployment-blocking.
-
Education and tutoring benchmarks Sources: learner interaction traces, knowledge-tracing models, and simulated tutoring sessions. Key subsets:
-
TutorLLM: persistent learner-state substrate using a knowledge-tracing model to condition the tutor.
-
TASA: couples event memory with a forgetting curve over knowledge tracing, deliberately decaying old skills.
-
DeepTutor, AgentTutor, PsychAgent: dynamic learner memories with organize/retrieve operations and parametric consolidation. How the paper uses them: to highlight that no education benchmark scores validation at the write boundary, or rollback of an erroneous mastery update; the learner state lacks FERPA-style governance.
-
Ambient, wearable, and IoT benchmarks Sources: egocentric video streams, smart-home sensor data, and mock shopping interfaces. Key subsets:
-
EgoLife: 300-hour, six-participant, one-week AI-glasses dataset with EgoLifeQA for recall and habit monitoring.
-
TeleEgo: 14+ hours of synchronized streaming multimodal data; scores Memory Persistence Time and Real-Time Accuracy.
-
LifeDialBench: one-year simulated horizon plus seven-day real EgoMem, evaluated under online temporal causality.
-
ContextAgent-Bench: fuses historical personas with sensory data to predict proactive service needs.
-
Memento: wearable AR assistant that proactively resurfaces matching interests.
-
PersonalHomeBench, IoTGPT, AirAgent: evolving household state with proactive device control and preference reuse.
-
Shopping-companion benchmark: cross-session preference over 1.2M items, isolating preference-hallucination cascades. How the paper uses them: to point out that proactivity calibration and privacy are acute and ungoverned; no ambient benchmark scores deletion completeness across derived tiers of a lifelog.
-
Scientific discovery agent memories (systems with persistent state, not packaged datasets) Sources: internal simulation of research campaigns. Key details:
-
DeepScientist maintains a cumulative tiered Findings Memory with Bayesian explore-exploit; findings are validated, promoted, and never deleted.
-
EvoScientist separates ideation and experimentation memories, recording failed directions as first-class durable writes. How the paper uses them: to observe that cumulative memory amplifies both benefit and damage; neither system scores retraction propagation when a promoted finding is contaminated.
The paper uses this survey to map each resource onto four governance axes: authority, provenance, mutability, and recoverability. It finds that nearly all benchmarks measure recall or task success, but none validate deletion propagation, authority revocation, or rollback of side effects—the central gap in persistent agent memory.
Method
The authors propose a comprehensive frameworkfor analyzing and governing "always-on agents," defined as systems whose actions are conditioned on durable state accumulated across sessions. To operationalize this, they characterize persistent state along six diagnostic axes: authority, scope, mutability, provenance, recoverability, and actionability. These axes form the analytic spine for evaluating how state transitions are managed.
Central to their methodology is the persistent-state lifecycle, which models how state moves through an agent. As shown in the figure below, this lifecycle is divided into two distinct arcs.
The forward arc encompasses the operations that accumulate and utilize state: observe, write, validate, organize, retrieve, and act. This arc carries a signal from the environment into action, focusing on plasticity and the capacity to absorb new information. In contrast, the return arc consists of update, forget, audit, and rollback. This arc activates once the consequences of an action are known, reconciling state with reality and enforcing stability by ensuring old commitments remain intact and reversible. The authors note that while the forward arc is heavily studied in existing literature, the return arc remains sparse, particularly regarding rollback mechanisms.
To ensure these state transitions are legitimate, the authors define five invariants that the lifecycle loop must preserve. These invariants are anchored to specific stages of the lifecycle. Authority monotonicity dictates that a record may influence an action only under a current, unrevoked authority, enforced primarily at the validate and act stages. Scope non-expansion ensures that a transition never silently widens the scope of a state item, governing the organize and retrieve stages. Deletion propagation requires that tombstoning a record reaches all derived copies, governed by the forget stage. Provenance preservation mandates that consolidation retains enough lineage to verify and revise results later, applying to organize and update. Finally, rollback traceability ensures every action carries a handle back to the records that justified it, established at act and consumed at rollback.
The distribution of these invariants across different research domains and taxonomy parts reveals significant gaps in the current literature.
As illustrated in the figure above, the invariants that most depend on the return arc, specifically deletion propagation and rollback traceability, have the fewest stage opportunities in the coded corpus. This structural skew highlights that while current systems are proficient at accumulating and retrieving state, they largely lack the governance mechanisms required to safely update, remove, account for, or reverse that state once it proves consequential. The authors argue that closing this return-arc gap is essential for transforming memory-augmented agents into truly governed persistent-state systems.
Experiment
The evaluation surveys existing memory benchmarks and finds they partition the six always-on stressors across families, leaving governance properties like recovery, privacy, and authority unmeasured. A pilot of the Always-On Evaluation Protocol (AOEP) runs seven memory systems through fault patterns that require permission epochs, deletion ledgers, and conflict records, showing that systems pass recall obligations but fail on governance obligations because the necessary structured metadata is absent. Larger models do not close this gap, indicating that the failure is a representational deficit rather than a retrieval weakness. The findings motivate lifecycle-complete evaluation and the integration of authority, provenance, and rollback primitives into persistent memory stores.
Always-on agents retain persistent state across task episodes, demanding governance over what persists, how state moves, and who controls it. Studies reveal that most persistent memory is silently system-created, leaving users with little authority, while current evaluations remain surface-local. A cross-surface benchmark that enforces privacy and deletion policies end-to-end is absent, blocking tests of crucial invariants like deletion propagation and scope non-expansion. 96% of persistent-memory entries in a real-user audit were system-generated, shifting authority from the user to the agent. Users lack granular interfaces to review, edit, and delete memory, despite interview studies showing they want such control. No benchmark exercises an agent across retrieval stores, tool APIs, long-term memory, and inter-agent channels under one privacy policy. Deleting a source fact does not cascade to remove derived summaries or embeddings, leaving sensitive information exposed.
The corpus was built through an admission-based flow starting from a 97-work seed set, then expanding with mainstream memory and evaluation literature, followed by deliberate over-sampling of governance, rollback, and authority topics to capture a sparse but critical return arc. This skew ensures the observed governance patterns are visible as a large signal inside the query frame, not a field-wide census, and the final saturation round added only two works, confirming thorough coverage of the core memory frontier. Rounds 3 to 10 added 171 works via targeted governance, rollback, authority, deletion, and systems sweeps, deliberately over-sampling the sparse return arc that the survey expected to find. The final saturation check in round 11 over the mainstream agent-memory vocabulary yielded only 2 additional works, indicating that the core literature had been exhaustively covered under the admission rules.
The coded corpus shows a pronounced skew toward early lifecycle stages like write and retrieve, while later stages such as rollback are far less studied. Authority is the rarest state axis, underscoring a field-wide focus on state creation and access over governance and deletion. Subarea distribution reinforces this pattern, with state substrates and representations dominating, and multi-agent, evaluation, and governance remaining comparatively small. Write (200 works) and retrieve (269) dominate lifecycle coverage, whereas rollback appears in only 27 works. Authority is the least coded state axis, addressed by only 72 of the 435 works. State Substrates and Representations is the largest subarea (117 works), more than double the size of the next largest parts. While Governance as a whole includes 53 works, the low authority count suggests even governance research prioritizes other aspects over authority. No benchmark in the corpus exercises an agent across all surfaces under a single privacy and authority policy, leaving a critical evaluation gap.
Prior work on agent memory and security treats persistence, authority, and deletion as separate, surface-local concerns. This survey unifies them by framing persistent state as a first-class unit and proposing recoverability and authority as diagnostic axes. It identifies a missing cross-surface evaluation contract that would test whether deleted or revoked data truly disappears from all memory surfaces, a condition current benchmarks do not verify. Removing a source fact does not automatically clear its downstream summaries and derived facts, so stale information can persist across memory surfaces. The vast majority of persistent memory entries are silently system-created, giving the agent de facto authority over what it remembers and limiting user control.
The table contrasts always-on agents with five adjacent system classes, showing that the core distinction is not whether information persists but whether the system governs durable, agent-owned state: which retained signals become authoritative and how they can be revised, scoped, revoked, or rolled back. Episodic agents, long-context models, and RAG systems completely lack durable state governance, while memory-augmented agents and personalized assistants manage state only partially, leaving critical governance operations implicit. Episodic agents reset between tasks and never authorize actions from past episodes, fulfilling governance vacuously by forgetting everything. Memory-augmented agents provide cross-session reads and writes but omit explicit authority, deletion propagation, and rollback, leaving state governance implicit.
The survey uncovers that always-on agents heavily rely on system-generated persistent memory, leaving users little authority to review or delete stored information. Research and benchmarks overwhelmingly focus on write and retrieve operations, while rollback, deletion propagation, and user authority remain critically understudied. No existing evaluation exercises an agent across all memory surfaces under a unified privacy and governance policy, meaning deleted facts often survive in derived summaries or embeddings. The work frames persistent state as a governable unit and proposes cross-surface recoverability and authority as essential missing diagnostic axes, highlighting the urgent need for benchmarks that verify true, cascading deletion and user-controlled memory.