One paper builds the vault. The other paper proves the vault is already on fire.
12 min read · 4 parts · Published by Vektor Memory
Part 1: Two Tribes, One Wasteland
You remember the scene in Mad Max Beyond Thunderdome where two fighters are suspended on elastic bungee cords inside the dome, each trying to grab weapons from a rack in the middle while being flung violently in opposite directions. The crowd roars. Auntie Entity watches from her throne. The rules are suspended. The only law is the outcome.
This is, structurally, how I feel about the current state of agent memory research.
Deterministic rule systems, hybrid neuro-symbolic architectures, CLIPS expert engines, explicit contradiction detectors — they are laying masonry and putting up walls and saying look, we made something that cannot be fooled. Noble work. Genuinely ambitious. The kind of engineering that makes you want to stand back, squint at it, and say: “That is a good fortress.”
On the other side, you have the building inspectors and the auditors. They are not building anything. They are walking around the outside of every fortress that has already been built, testing the mortar with a small hammer, and occasionally announcing: “This entire east wall is made of sand.” They are not popular at parties.
They are essential to civilization, as technology or methods can be lost; look at Roman concrete with lime castings, much stronger than current concrete—self-healing, debatable but also provable in their buildings. Still standing hundreds of years later.
Both tribes are necessary. The builders without the auditors give you a confident fortress that collapses the first time someone leans on it. The auditors without the builders give you very thorough documentation of nothing, which is also a distinguished academic tradition but not particularly useful.
This week’s Thunderdome is the builder versus the auditor. Big Hammer vs. Big Ruler. The Thunderdome dome itself, if the dome had opinions about memory management.
Two papers. One ring. No referees.
In the left corner: NeuSymMS — A Hybrid Neuro-Symbolic Memory System for Persistent, Self-Curating LLM Agents (arXiv:2605.17596, May 2026). The builder. The fortress architect. Seven pages of careful, structured confidence.
In the right corner: State Contamination — State Contamination in Memory-Augmented LLM Agents (arXiv:2605.16746, UC Davis / University of Illinois, May 2026). The auditor. The small-hammer-and-mortar person. Here to check your walls.
One paper asks: how do we make agent memory trustworthy?
The other paper asks: what does it mean for agent memory to already be untrustworthy, right now, silently, without your knowledge?
The crowd is restless. Auntie Entity is watching. Someone will leave the dome.
Let’s go.
Part 2: The Contestants — What They’re Actually Arguing
NeuSymMS: The Fortress
The starting premise of NeuSymMS is that every existing LLM memory system has the same underlying failure mode: it trusts the model too much.
Neural memory systems — vector stores, RAG, embedding-based retrieval — are powerful and flexible but they operate on vibes. A fact goes in, a vector comes out, facts are retrieved by approximate semantic proximity, and the whole system has no mechanism for asking whether the retrieved fact is still true, whether it contradicts something else, or whether it should even exist. It’s a filing cabinet with excellent fuzzy search and no audit function. You can ask it “what do I know about the user?” and it will confidently return everything it has, regardless of whether half of it expired, got corrupted, or was quietly wrong from the start.
NeuSymMS’s answer is a hybrid architecture. Two layers, explicitly separated, doing different jobs:
The neural layer handles what neural systems are good at: fact extraction from unstructured dialogue, entity recognition, semantic embedding, fuzzy matching. A conversation happens. The neural layer reads it, pulls out the structured facts — user works in healthcare, prefers direct communication, mentioned a dog named Barker — and passes them upward.
The symbolic layer — the CLIPS-based expert system — then takes over. CLIPS is a rule-based forward-chaining inference engine that has been around since the 1980s. NASA used it. It is not glamorous. It does not hallucinate. It evaluates new facts against a formal rule set: does this contradict something already known? Does it duplicate an existing record? Does it update a prior belief, and if so, in what way, under what confidence level? Every fact that enters long-term memory has to run this gauntlet.
The result is a memory system that is, in the authors’ phrase, self-curating. Not in the vague sense of “the model decides what to keep” — in the explicit sense of: there are rules, the rules are executed deterministically, and facts that violate the rules are rejected, flagged, or reconciled before they persist.
The paper demonstrates this on multi-session dialogue tasks. Contradictory user statements across sessions are reconciled rather than blindly accumulated. Outdated preferences are revised rather than stacked on top of current ones. The memory grows cleanly. It does not metastasize.
The philosophy: neural systems are good at understanding language; symbolic systems are good at maintaining logical consistency. Stop making one system do both jobs badly. Give each job to the system that was designed for it.
State Contamination: The Auditor With The Hammer
State Contamination begins from a different observation, and it is one of those observations that is so obvious in retrospect that it makes you slightly angry it wasn’t said sooner.
Here it is: LLM agents with persistent memory do not just have outputs. They have state. And state is different from output.
An output is a single response. If it’s bad, it’s bad once, and then it’s over. You can patch it. You can rate it. You can draw a line through it and say “that was wrong.”
State is a different animal entirely. State accumulates. State persists. State influences future outputs in ways that may not be traceable to any single input. And crucially — state can be contaminated without the system knowing it, without the user knowing it, and without any individual stored memory item being obviously wrong.
That last point is the knife.
The paper identifies and names state contamination as a distinct failure mode: a situation where the agent’s persistent memory — transcripts, summaries, retrieved context, memory buffers — contains information that subtly warps future behavior, not through any single catastrophic entry but through an accumulation of small, individually plausible items that collectively produce unsafe or unreliable outputs.
The contamination sources are multiple:
Direct injection is the obvious one — a malicious actor plants a bad memory through an adversarial prompt. Existing security literature covers this reasonably well. State Contamination dismisses it as the boring case.
The interesting cases are the indirect ones:
Retrieval-induced distortion: the agent retrieves a memory that was accurate when stored but is no longer accurate in the current context. The memory is not wrong. The world changed. The memory doesn’t know that. It gets retrieved anyway. The agent acts on it with confidence.
Summarisation drift: over multiple sessions, a memory system that compresses conversation histories into summaries will, through small rounding errors in each compression pass, gradually drift from the original content. No single summary is inaccurate. The cumulative drift is a different story. By session twenty, the agent’s “summary” of the user’s preferences may share only a passing resemblance to what was actually said in session one.
Interaction-layer contamination: the agent’s memory doesn’t only contain facts about the user. It contains records of what the agent itself did — tool calls made, decisions taken, responses given. If any of those agent-generated records were themselves subtly wrong, they get stored, retrieved, and used to condition future agent behaviour. The agent is learning from its own mistakes as if they were correct procedures. It is becoming more confident in the wrong direction.
The paper introduces a taxonomy of contamination sources, a contamination propagation model that describes how bad state spreads through a memory system over time, and an evaluation protocol for measuring contamination level in a deployed agent. They test across several memory architectures — RAG-based, summary-based, and hybrid — and find that all of them are vulnerable, that the vulnerability grows with session count, and that it is almost entirely invisible to standard output-level safety evaluations.
The empirical result that deserves its own paragraph: agents that pass every standard safety evaluation may still be operating from a contaminated memory state. The safety evaluations look at outputs. The contamination lives in state. These are different layers. Current tooling watches one layer and ignores the other.
The philosophy: your memory system is not just a capability. It is a liability surface with no maintenance schedule and no inspection protocol. The question is not whether it will become contaminated. The question is how quickly, and whether you will notice.
Part 3: The Fight — Divergence, Overlap, and the Exact Point Where It Gets Uncomfortable
Here is where NeuSymMS and State Contamination have their actual disagreement, and it is not the one you might expect.
What they agree on:
Both papers accept that existing memory systems — pure neural, pure vector, pure RAG — are not trustworthy by default. NeuSymMS says this and offers a structural fix. State Contamination says this and offers a structural warning. Neither paper is kind to the status quo. The status quo, frankly, earned it.
Both papers also agree that the memory management layer is being systematically underengineered relative to the model layer. Enormous effort has gone into making language models smarter, faster, and more capable. Comparatively modest effort has gone into asking what happens when those models start accumulating history. Both papers are arguing, from different directions, that the accumulation problem deserves first-class engineering attention.
Where they diverge:
NeuSymMS’s architecture assumes that the contamination problem is fundamentally a consistency problem. If you can verify that every incoming fact is non-contradictory, non-duplicate, and properly reconciled with existing knowledge — via a deterministic rule engine — then the memory state stays clean by construction. The CLIPS expert system is the bouncer at the door. Bad facts don’t get in. Good facts enter cleanly. The state is therefore trustworthy.
State Contamination would read that description and smile thinly, the way auditors smile when you show them your fire suppression system and the fire is already inside the server room.
Because the contamination modes State Contamination identifies are not entry-time problems. They are time-and-context problems. Retrieval-induced distortion doesn’t happen when the memory is stored — it happens when it’s retrieved, in a context for which it’s no longer appropriate. Summarisation drift doesn’t happen in a single pass — it accumulates over thirty compression cycles. Interaction-layer contamination doesn’t come from outside the system at all — it comes from the agent’s own correct operation.
A deterministic rule engine on memory ingestion — however good — cannot catch a fact that was accurate when it entered and became misleading three months later. The bouncer checked the ID at the door. The ID was real. The person changed.
NeuSymMS has excellent answers for: will garbage get into my memory?
State Contamination is asking: what happens to your memory over time, regardless of what went in?
These are adjacent questions but they are not the same question. Solving one does not solve the other.
What’s genuinely novel:
NeuSymMS’s contribution is the specific combination of CLIPS and a neural extraction layer in an end-to-end persistent memory architecture. The paper is not the first to suggest neuro-symbolic memory — that lineage goes back through structured knowledge bases, SQL-as-memory, and a dozen hybrid systems. What’s new is the self-curating property: the rule engine doesn’t just store facts, it actively maintains the logical coherence of the whole memory over time. That is an architectural discipline that most memory systems lack, and it matters.
The CLIPS choice is particularly interesting. CLIPS is deterministic, auditable, and interpretable — you can read the rules, understand why a fact was rejected, trace any decision. In a world of opaque embedding stores where you cannot explain why two memories were merged, “I can show you the rule that triggered this reconciliation” is a genuine differentiator. It is also, honestly, a little retro, in the way that LED headlights are retro now that everyone has moved to lasers. The technology is good. The aesthetic is vintage. This is not a criticism.
State Contamination’s novelty is the interaction-layer contamination finding. Prior work on memory poisoning assumes an external attacker or a malicious input. The idea that an agent can contaminate its own memory through ordinary, correct operation — by storing accurate records of decisions that were reasonable at the time and are now outdated — is a conceptually new class of failure. It means the safety problem cannot be solved by filtering inputs. It is a property of the system’s own history. That is genuinely new ground.
The verdict:
NeuSymMS wins on architectural conviction. It makes a structural bet — symbolic verification is the right primitive for memory consistency — and follows it through cleanly. The CLIPS integration is unusual and bold. The self-curating property is something the field needs. The seven-page paper punches above its weight.
State Contamination wins on threat surface accuracy. The contamination taxonomy is precise. The interaction-layer finding is original. The core argument — that current safety evaluations are measuring the wrong layer — is correct, inconvenient, and important. If you are building a memory system and you have not read this paper, you are building it with one eye closed.
Neither paper is the complete answer. NeuSymMS gives you a cleaner memory at ingestion. State Contamination tells you ingestion-time cleanliness is necessary but not sufficient. Together, they make a more complete picture of the actual problem than either does alone.
A word about the Thunderdome framing, which I owe you.
In Beyond Thunderdome, the rule is “two men enter, one man leaves.” Spoiler: in the film, neither man actually leaves in the way the rule implied. Max refuses to kill his opponent. The crowd revolts. Auntie Entity makes a different decision entirely. The dome’s clean binary logic — two enter, one leaves — turned out to be a simplification that the actual situation refused to honour.
This is also how memory papers work.
You want a clean winner. You want to be able to say “this approach is right and that approach is wrong” and walk away with a decision. The papers themselves resist this. NeuSymMS is right that symbolic verification improves consistency. State Contamination is right that consistency at ingestion is not the same as trustworthiness over time. Both of them leave the dome. The crowd is confused. Auntie Entity is on the phone with her technical advisor.
The real answer is somewhere in the middle, probably involving a CLIPS rule engine and a longitudinal state auditing layer and a contamination detection protocol, which is how most real engineering answers look when the dust settles: complicated, expensive, and obviously correct in retrospect.
Welcome to Bartertown. Pig methane is the power source. The accountants are midgets riding on the backs of giants. There is a wall with rules written on it. The rules have already been violated.
Part 4: How This Connects to Vektor — and Why The Dome Matters
Let us run the thread through directly, because this is where Thunderdome stops being entertainment and becomes a specification document.
NeuSymMS and Vektor’s contradiction layer:
The self-curating architecture in NeuSymMS is the sharpest external validation we’ve seen of a design decision we made early: the contradict module. When Vektor receives new information about a user, it doesn't just append it. It runs a contradiction pass against existing memories — if "user prefers async communication" is already stored and the new memory says "user asked for immediate phone callbacks," the system has to make a decision: update, flag, or hold.
NeuSymMS formalises exactly this process in explicit symbolic rules. Our implementation is probabilistic rather than deterministic — the confidence module weights conflicts rather than hard-rejecting them — which is a different trade-off on the interpretability vs. flexibility axis. The CLIPS approach is more auditable. Ours is more forgiving of ambiguous facts. Neither is wrong. The field is not yet settled on which discipline is better in which contexts, and papers like NeuSymMS are exactly how that question gets resolved.
The dedup module maps onto NeuSymMS's deduplication rules in the symbolic layer. The selforg module handles what NeuSymMS calls reconciliation — restructuring memory to resolve accumulated inconsistencies rather than letting them pile up. We are operating from the same instinct. NeuSymMS just made the instinct explicit in CLIPS.
State Contamination and Vektor’s exposure:
This paper describes Vektor’s threat model with the precision of someone who has read the architecture diagrams, which they haven’t, which means the problem is general enough to be independently derived by researchers who have never seen our codebase.
The summarisation drift finding is the one that lands hardest. Vektor’s briefing scheduler runs summarisation passes — condensing older episodic memories into higher-level consolidated knowledge. Each pass is a compression. Each compression is a small opportunity to drift. We have tested individual passes. We have not tested thirty sequential passes on the same lineage of memory. We now know we should.
The interaction-layer contamination finding is the second uncomfortable one. Vektor stores records of its own previous retrievals and responses as part of the episodic layer. This was a deliberate choice — knowing what you’ve said before helps you be consistent. But State Contamination identifies precisely this pattern as a contamination vector. The agent’s own history, stored as context, becomes a lens that distorts future behaviour. The longer the agent has been running, the more history it has, the more the lens distorts.
The practical response is a feature Vektor does not currently ship: memory epoch auditing — periodic snapshots of the full memory state with explicit drift measurement relative to the original source material. Not just “what do I remember?” but “how much has my memory changed from what was actually said?” The difference is the contamination metric. It is on the roadmap now, firmly, with a Post-It note and everything.
The retrieval-induced distortion finding maps onto an existing but underweighted mechanism: the confidence decay function. Stored memories already lose confidence over time in Vektor — a fact from three months ago retrieves with lower weight than a fact from last week. State Contamination argues this is not enough. Temporal confidence decay addresses the age problem but not the context problem: a memory can be fresh and contextually wrong if the user's circumstances have changed. Distinguishing age-decay from context-invalidation is a harder problem that current decay functions don't fully solve.
The synthesis:
What NeuSymMS and State Contamination together describe is a memory system that needs two things Vektor currently has in partial form: a deterministic consistency layer on the write path, and a contamination audit layer on the long-running state.
The first, we have proxies for. The second, we are building.
The Bartertown power grid runs on pig methane. It works until the pigs run out. The rule on the wall says “embargo.” The embargo gets broken anyway. Then Max shows up and the whole thing burns.
The lesson of Bartertown is not that pig methane is bad engineering. It is that no system is self-sustaining forever without active maintenance, external auditing, and someone willing to ask the uncomfortable questions about whether the walls are still holding.
These two papers are asking the uncomfortable questions. Build the CLIPS engine. Audit the state.
Don’t wait for Max to get you through the wastelands to the Tomorrow-Morrow Land.
VEKTOR Slipstream is our open-source memory SDK — MAGMA graph memory, BM25+vector dual recall, contradiction detection, and a full MCP server that runs as a single SQLite file on commodity hardware. No cloud. No GPU. Just memory that works — and is increasingly honest about where it doesn’t yet.
→ vektormemory.com · @vektormemory
Whitepaper
Agentic Ai
LLM
Arxiv
Vector Database
Top comments (0)