No Memory of Its Own: Governing a Visiting Agent on Sovereign Data · Pentad Labs Research Notes
No Memory of Its Own: Governing a Visiting Agent on Sovereign Data
Kendall Clark · Pentad Labs · 30 June 2026 · PLRN-016
Abstract
The enterprise already knows how to let an outsider work on sensitive data. It<br>stands up a data room, decides who may see what, logs every access, and lets<br>counsel hold the door. The arrangement assumed the outsider was a person<br>because the outsider was a person or a team of them. A person reads under an<br>agreement, forgets most of it, and is bound by contract when they leave.
Things, as they say, have changed recently. Now the outsider is likely an<br>agent, or a team of them, and an agent breaks all three assumptions at once:<br>it reads, it remembers exactly, and it carries that memory out the moment it<br>leaves, into a model and an operator the data owner does not control. A room<br>built for human eyes does not contain it.
This note is not the construction of a new mechanism. It is a characterization<br>of a problem and a claim about where the solution must live. The problem is<br>cross-organization data sharing in the agentic era: one organization must let<br>another’s agent work over its most sensitive data, and must govern what the<br>agent touches, prove what it saw, and control what it keeps. We survey the two<br>research literatures that each solve half of this, show that no work sits at<br>their intersection, and argue that the intersection is reachable only from a<br>single architectural commitment. The commitment is that memory is a service<br>of the agentic operating system, not a possession of the agent. When the<br>memory of the visit belongs to the host rather than to the visitor, the data<br>room can be rebuilt for agents. The rebuilt room is an agentic data enclave.
1. What crosses the threshold now
Letting one organization’s agent work safely on another’s data is where much of<br>the agentic era’s enterprise value will be made; the diligence, supply-chain,<br>and partner workflows that once took a quarter of legal review collapse to an<br>afternoon. Doing nothing new does not avoid this, because the agents arrive<br>regardless, through a vendor’s product or a business unit that never asked, so<br>refusal buys the exposure of ungoverned access and none of the speed. And the<br>value you decline is not left on the table; it is captured by the competitor who<br>learned to host visiting agents safely, in the partnerships and compounding data<br>relationships you forfeit by saying no.
The virtual data room turned secure outside access into routine software years<br>ago, and the idea faded into the semi-boredom of routine. It faded because the<br>thing crossing the threshold was stable, well-known, and limited. A diligence<br>reviewer, an auditor, a counterparty’s counsel: each was a person, admitted<br>under a data-use agreement, shown documents through a controlled surface, and<br>trusted afterward to honor the terms. The room governed exposure, what was<br>placed in front of the person, and left retention to law. A person’s memory<br>is lossy, unauditable, and legally bound, so leaving retention to contract was<br>the only available choice and a tolerable one.
An agent inverts every term of that arrangement. Its memory is not lossy; it<br>retains what it reads with increasing fidelity, though of course not perfectly.<br>Its memory is not unauditable in principle; but it is unaudited in practice,<br>held inside the agent’s own process where the data owner has neither access to<br>it nor purchase on it. And its memory is not bound by the agreement the<br>counterparty signed, because the moment the agent leaves, what it read flows<br>through a foundation model and into an operator’s infrastructure that were<br>never party to the room.
In short, the problem is that the exposure the data room governed and the<br>retention it left to law have collapsed into one event, and that event now<br>happens on the wrong side of the boundary.
The exposure is also new in kind because it’s irreversible. A person admitted<br>under an agreement and later found to have abused it can be sued; the remedy is<br>after the fact, but it exists. Data that has left inside an agent’s memory<br>cannot be recalled, and no audit after the fact undoes the transfer. Every<br>ungoverned agentic visit is a disclosure the owner never approved and cannot<br>take back. This is why the problem will not wait. The agents are already<br>arriving: a partner points one at your records, a vendor ships one inside its<br>product, a business unit wires one up without asking, and the two available<br>answers are both bad. Forbid them and forfeit the partnerships the rest of the<br>business is demanding. Admit them ungoverned and own the breach, the<br>regulator’s question, and the disclosure that cannot be unwound.
A room is in any case the wrong shape, because a room is a place in which one<br>is shown things, and an agent does not want to be shown things; it wants a<br>place to work. Research computing already has the right word for a...