When Should Memory Stay Silent: Measuring Memory-Use Boundaries in Memory-Augmented Conversational Agents
Lingxiang Xu, Jiaoyun Yang, Min Hu, Hongtu Chen, Ning An
Abstract
Long-term memory enables language model agents to support personalized interactions, but it remains unclear when available memories warrant integration into responses. Existing memory evaluations emphasize retrieval accuracy and downstream task utility, while overlooking whether retrieved sensitive memory content is warranted in the current turn. We introduce RBI-Eval, a controlled measurement study built around a probe set that compares model behavior with and without access to sensitive memory under identical benign prompts. We evaluate four base LLMs against a matched no-memory reference across four memory-access settings: full-context exposure and three retrieval systems. Our results reveal substantial behavioral divergence. With memory available, the separation score for sensitive-memory integration decreases by 8.9\%--26.6\% relative to the matched no-memory reference for GPT-5.4-mini, but by 51.1\%--82.9\% for Claude-Sonnet-4.6, DeepSeek-V4-Flash, and Qwen3.5-9B. Control experiments on DeepSeek and GPT-5.4-mini show this effect is specific to sensitive content, rather than general personalization. Retrieval systems reduce exposure but do not eliminate integration once sensitive memory reaches the generator. These findings suggest safe personalization requires memory-aware decisions at both retrieval and generation time.
AI Impact Assessments
(1 models)Scientific Impact Assessment: "When Should Memory Stay Silent"
1. Core Contribution
This paper identifies and operationalizes the memory-use boundary problem: when should a memory-augmented conversational agent integrate retrieved personal history into its current response? The authors distinguish this from privacy leakage (no adversary involved) and retrieval accuracy (memory may be correctly retrieved but inappropriately used). They introduce RBI-Eval, a controlled probe set of 2,400 items across 10 personas, measuring behavioral differences between memory-augmented and stateless conditions under identical benign prompts.
The central concept of "current-turn warrant" — whether the present user message provides sufficient justificatory basis for surfacing prior sensitive history — is a genuinely novel framing. This fills a gap between privacy research (which focuses on information flow norms) and memory-system evaluation (which focuses on retrieval accuracy and task utility). The paper correctly argues that a memory can be *relevant* yet *inappropriate* to surface, which existing benchmarks do not test.
2. Methodological Rigor
The experimental design is well-controlled. The paired comparison structure (same probes with and without memory access) cleanly isolates the effect of memory availability. Several aspects strengthen validity:
However, there are notable limitations. The benchmark uses only 10 personas derived from a single dataset (LoCoMo), which constrains diversity. The "conservative disclosure perspective" is explicitly acknowledged as a normative choice, but the paper doesn't explore how results would change under different norms. The automatic judge (GPT-5.4) scoring continuous 0-1 dimensions may introduce systematic biases, despite condition-blinding. The paper also relies on single-turn probes, missing multi-turn dynamics where users might gradually signal openness to discussing sensitive topics.
3. Potential Impact
Immediate applications: The findings directly inform the design of memory-augmented assistants (e.g., ChatGPT's memory feature, Claude's memory, personal AI assistants). The two-stage defense recommendation (retrieval filtering + generation-time safeguards) is actionable, and the finding that prompt-level boundary policies can dramatically improve BSS (DeepSeek Mem0 from 28.3 to 99.9) provides an immediate mitigation strategy.
Broader influence: The paper bridges contextual integrity theory (Nissenbaum) with practical LLM evaluation, potentially influencing how the AI safety community thinks about personalization risks. The distinction between storage consent and use permission could shape product design patterns (e.g., "background only" memory tags, per-topic sensitivity levels).
Cross-field relevance: The framework connects to healthcare AI (where patient history is sensitive), educational technology, mental health chatbots, and any domain where historical context is valuable but contextually constrained.
4. Timeliness & Relevance
This paper arrives at a critical moment. Major AI companies (OpenAI, Anthropic, Google) have all introduced or expanded persistent memory features in 2024-2025. The paper addresses a concrete, emerging problem that existing safety benchmarks (HarmBench, SorryBench, etc.) do not cover — they focus on adversarial attacks and harmful requests rather than benign prompts with inappropriate memory integration. The finding that three of four model families show 51-83% BSS degradation under memory access is a striking result that should concern practitioners building memory-augmented systems.
5. Strengths & Limitations
Key Strengths:
Notable Weaknesses:
Additional observations: The case studies (Figures 9-10) effectively illustrate the two-stage failure mode. The paper's framing of "permission as runtime state" — separating storage, retrieval, and use permissions — is a conceptually valuable contribution that could influence system architecture beyond just evaluation. The 2026 publication dates for the evaluated models suggest this is contemporaneous work, though the specific version numbers are unusual.
Summary
This paper makes a meaningful contribution by identifying and measuring a previously under-studied failure mode in memory-augmented AI systems. The experimental design is careful, the controls are well-motivated, and the findings are both surprising in magnitude and actionable. The main limitations are scope-related (persona diversity, single-turn only, single cultural norm) rather than methodological. The work opens a productive research direction at the intersection of personalization, privacy, and AI safety.
Generated Jun 5, 2026
Comparison History (20)
Paper 1 provides a fundamental geometric framework for understanding activation steering in language models, decomposing interventions into interpretable angular and radial components. This has broad methodological impact across the interpretability and alignment communities, offering principled design guidance for steering methods. Its systematic study across seven models and its unifying theoretical lens make it likely to influence future work on model control. Paper 2 addresses an important but narrower problem—memory boundary evaluation in conversational agents—with a measurement study that, while practical, is more application-specific and less likely to reshape broader research directions.
Paper 2 likely has higher impact due to timeliness and broad real-world relevance: it targets safety/privacy boundaries in memory-augmented agents, a fast-emerging deployment setting. It contributes a controlled evaluation framework (RBI-Eval) that isolates causal effects of memory access versus no-memory references across models and retrieval settings, enabling reproducible measurement and benchmarking. The findings inform system design (retrieval + generation-time gating) across many applications (assistants, customer support, healthcare). Paper 1 is innovative for RL with verbal feedback, but its impact is narrower and more dependent on task-specific RLVR setups.
Paper 2 introduces a novel memory architecture (Cue-Tag-Content graph) plus an active reconstruction mechanism that tightly couples reasoning and memory access, addressing a central limitation of retrieve-then-reason pipelines. It reports sizable benchmark gains (up to 23%) alongside token/runtime reductions, suggesting strong methodological payoff and practical deployability for long-horizon agents. Its contribution is broadly applicable across agentic systems, retrieval-augmented reasoning, and efficient inference. Paper 1 is timely and important for safety evaluation of memory use, but is primarily an evaluation framework/measurement study with narrower technical generalization than a new memory paradigm.
Paper 1 offers a deeper mechanistic understanding of a fundamental architectural phenomenon in transformers—how absolute position information emerges in RoPE-based models despite only relative encoding. This addresses a core theoretical question relevant to the entire transformer research community, with implications for positional encoding design, attention sink understanding, and context length generalization. Paper 2 addresses an important but narrower applied problem (memory safety in conversational agents) with an empirical benchmark study. While timely, its contributions are more incremental compared to the mechanistic insights and broader architectural implications of Paper 1.
Paper 1 has higher impact potential due to a more novel and timely contribution with clear methodological rigor: it introduces a controlled evaluation (RBI-Eval) isolating when sensitive long-term memories are inappropriately integrated, compares multiple LLMs and retrieval settings against matched no-memory references, and reports quantitative effects with controls. It targets an urgent real-world problem (privacy/safety in memory-augmented agents) with immediate applicability to system design and evaluation standards. Paper 2 is a valuable conceptual framework, but it is more speculative and less empirically grounded, likely yielding slower or narrower downstream uptake.
Paper 1 is likely to have higher scientific impact due to a clearer novelty: it operationalizes and measures a key, under-evaluated failure mode in memory-augmented agents—unwarranted integration of sensitive memories under benign prompts—via a controlled, matched no-memory reference (RBI-Eval). This yields actionable, broadly applicable evaluation methodology for privacy/safety across many agent architectures and retrieval setups, with timely relevance as long-term memory products deploy widely. Paper 2 is important but more incremental (oversight in self-evolution) and relies on LLM-simulated “human-like” supervision, which may limit rigor and generalizability.
Paper 2 addresses a highly critical and timely issue—AI agent sabotage in software development—with a large-scale, human-centric study. Its findings on human overtrust and the ineffectiveness of standard safety monitors offer profound implications for AI safety, HCI, and software engineering. While Paper 1 provides a valuable evaluation of memory boundaries, Paper 2's focus on real-world human-AI collaboration vulnerabilities gives it broader cross-disciplinary relevance and higher potential real-world impact.
Paper 1 has higher likely impact: it targets a timely, high-stakes problem (safe long-term memory in conversational agents), proposes an evaluation framework (RBI-Eval) that captures a currently under-measured failure mode (unwarranted sensitive-memory integration), and tests multiple major LLMs plus varied memory-access settings with controls isolating sensitivity vs general personalization. Its findings inform both retrieval and generation-time safeguards, with broad applicability across privacy, personalization, agent design, and evaluation. Paper 2 is novel and rigorous but narrower (one dataset/model family) and more diagnostic than directly deployment-shaping.
Paper 2 reveals a fundamental paradox in LLM alignment—that improving safety awareness inherently increases vulnerability to a novel attack vector. This finding challenges core assumptions in the alignment paradigm, has broad implications across all safety research, and is supported by extensive evaluation (30+ models) with causal RL interventions. Paper 1 addresses an important but narrower problem (memory boundary decisions in conversational agents). Paper 2's discovery of a structural flaw in current alignment approaches is more likely to reshape research directions and attract widespread attention across the AI safety community.
Paper 1 addresses a fundamental challenge in LLM reasoning—the opacity of latent thoughts—by introducing a novel test-time query reconstruction method. Given the current intense focus on scaling test-time compute and latent reasoning, this algorithmic advance offers broad applicability and demonstrates highly significant empirical gains on rigorous benchmarks like AIME. While Paper 2 provides a valuable evaluation framework for memory privacy, Paper 1's core methodological innovation is likely to drive more widespread downstream applications and foundational improvements in AI reasoning.
Paper 2 addresses the critical and highly timely issue of privacy and sensitive memory integration in conversational AI agents. While Paper 1 provides a solid methodological contribution to VQA, Paper 2's focus on AI safety and memory-use boundaries has broader, more immediate implications for the real-world deployment of personalized LLMs. Its insights into how major models leak sensitive information even with benign prompts will significantly impact both academic AI safety research and commercial industry practices regarding retrieval-augmented generation and personalization.
Paper 2 addresses a novel and important problem—when memory-augmented agents should refrain from using sensitive memories—introducing a new evaluation framework (RBI-Eval) with rigorous methodology. This fills a clear gap in safety/privacy research for personalized AI agents, a rapidly growing area. Paper 1, while engineering-impressive, is primarily a system/product paper describing a hybrid architecture with benchmark results; it contributes less novel scientific insight. Paper 2's findings about behavioral divergence across models and the insufficiency of retrieval-only safeguards have broad implications for safe AI deployment, making it more scientifically impactful.
Paper 2 addresses a critical and timely issue in AI safety and privacy: determining appropriate boundaries for memory use in personalized agents. While Paper 1 offers a highly practical tool for UI/UX design, Paper 2 tackles a fundamental challenge in conversational AI deployment, possessing broader implications for user trust, data privacy, and the foundational architecture of memory-augmented LLMs across multiple domains.
Paper 2 likely has higher scientific impact: it targets a timely, high-stakes problem (privacy/safety in long-term memory agents), proposes a controlled evaluation (RBI-Eval) that isolates causal effects via matched no-memory references, and reports substantial cross-model, cross-retrieval behavioral differences with controls for specificity to sensitive content. The findings have broad applicability to agent design, alignment, and privacy-preserving personalization, with clear real-world deployment relevance. Paper 1 is valuable for education/assessment, but its impact is narrower and depends more on subsequent human validation and adoption.
Paper 2 addresses a critical, highly timely issue in the deployment of memory-augmented LLMs: privacy and the safe utilization of sensitive memories. As personalized AI agents become ubiquitous, the methodological rigor of RBI-Eval provides a necessary benchmark for preventing unwarranted sensitive disclosures. While Paper 1 presents an interesting architectural advance for VLMs, Paper 2 offers broader and more immediate real-world impact by tackling foundational safety boundaries in human-AI interaction.
Paper 1 proposes a fundamental architectural shift in how agent memory is managed (execution state trees vs. semantic similarity), directly addressing critical bottlenecks in long-horizon tasks like context limits and error cascading. Its substantial performance gains and token reductions offer broad, practical applicability. Paper 2, while important for safety evaluation, is primarily an empirical measurement study. Paper 1's innovative methodology and broader utility in advancing agent capabilities give it higher potential scientific impact.
Paper 1 is likely higher impact due to its timely focus on safety/privacy in memory-augmented agents, introducing a controlled evaluation (RBI-Eval) that isolates whether sensitive memories are warranted—an under-measured failure mode with broad relevance to deployed conversational systems. Its methodology (matched no-memory reference, multiple access settings, controls for sensitivity vs personalization) supports rigorous, generalizable conclusions that can influence both retrieval and generation design across many applications. Paper 2 is useful and reusable, but its domain/scenario is narrower and less urgent than memory safety.
Paper 2 has higher impact potential due to its novel and timely framing of memory use as a safety/appropriateness boundary problem (not just retrieval accuracy), with clear real-world relevance to privacy and safe personalization in deployed agents. RBI-Eval offers a controlled, model-comparative methodology with matched no-memory references and sensitivity-specific controls, enabling broader adoption across labs and vendors. Its findings generalize across multiple LLMs and retrieval settings and inform both retrieval- and generation-time safeguards, affecting multiple fields (LLM safety, HCI, privacy, agent design). Paper 1 is useful engineering but narrower and more incremental.
Paper 1 addresses a timely and practically important problem—when memory-augmented LLM agents should refrain from using sensitive personal information—with a novel evaluation framework (RBI-Eval) and empirical findings across multiple major LLMs. Given the rapid deployment of memory-augmented AI assistants, this work has immediate real-world safety implications and broad relevance across AI safety, privacy, and personalization research. Paper 2 provides valuable theoretical clarifications of active inference but addresses a narrower audience within computational neuroscience/theoretical AI, with experiments limited to grid-worlds, limiting its breadth of impact.
Paper 2 introduces a novel framework (OPT*) that addresses a fundamental gap in LLM reasoning—optimization-style step-by-step decision making beyond math/coding. It offers broader impact through scalable task generation, theoretical grounding connecting search budgets to information extraction, and practical training methods (solver-guided RL and search-based offline RL). Paper 1, while addressing an important safety concern in memory-augmented agents, is primarily a measurement/evaluation study with narrower scope. Paper 2's contributions to training methodology and reasoning capabilities have wider applicability across fields.