Governed Forgetting

Mechanism

Each datum admitted into the agent's lineage is wrapped in a retention envelope at the moment of admission. The envelope binds the datum to a retention policy declared in the agent's policy reference, to a key drawn from a per-datum or per-cohort key hierarchy, and to a commitment that records the existence and class of the datum without exposing its contents. The datum itself is stored under encryption with the bound key. The lineage records the envelope, not the plaintext. Reads of the datum during the retention window proceed through a controlled decryption path that authorizes the read against the retention policy and records the access in the lineage.

When the retention policy declares the datum eligible for forgetting, the agent invokes the forgetting operation. The operation does not delete the encrypted datum from underlying storage; it destroys the binding key and records the destruction in the lineage. After destruction, the encrypted datum is computationally inaccessible to any party, including the agent itself. The commitment in the lineage remains, providing a verifiable witness that the datum was held and that the binding has been severed. A third party presented with the lineage can verify, by checking the commitment against the retention policy and confirming the absence of the binding key, that the agent's claim of forgetting is structurally accurate.

The cryptographic structure is what converts forgetting from a procedural assertion into a verifiable property. A purely procedural deletion leaves no record that distinguishes a compliant agent from one that simply fails to log; a key-destruction operation under a published commitment scheme leaves a record whose absence of recoverable plaintext is itself the evidence of compliance. The agent cannot un-forget by recovering the key, because the destruction is recorded and any subsequent appearance of the plaintext would contradict the lineage.

Operating Parameters

The retention policy admits multiple parameters that govern when forgetting is triggered and what scope of data is affected. The temporal parameter declares the maximum interval between admission and forgetting, expressed in absolute time, in agent-clock cycles, or in event-counted intervals such as the number of subsequent decisions that have referenced the datum. The scope parameter declares whether forgetting applies to a single datum, to a cohort identified by a shared label, or to a transitive closure of data linked by lineage edges. The override parameter declares the conditions under which the retention window may be extended, such as a pending audit or a regulatory hold, and the conditions under which forgetting may be accelerated, such as an explicit subject request.

The key hierarchy is parameterized by the granularity at which keys are bound. Per-datum keys provide the finest granularity and the strongest forgetting guarantee but impose the highest key-management cost. Per-cohort keys allow forgetting of an entire cohort with a single key destruction and impose lower cost but coarser granularity. Hybrid hierarchies, in which per-datum keys are wrapped under per-cohort keys, allow either granularity to be invoked depending on the scope of the forgetting trigger.

The commitment scheme is parameterized by the verifier model. A commitment that must be verified by an external auditor with no shared state with the agent uses a publicly verifiable construction such as a Merkle commitment over the lineage with periodic anchoring to an external log. A commitment that must be verified by a regulator with access to a shared trust root uses a lighter construction with shorter proofs. The choice of scheme is declared in policy and recorded in the lineage so that any future verification proceeds against the same construction under which the commitment was made.

Alternative Embodiments

The mechanism admits embodiments that vary along the storage substrate and the verifier topology. In a single-substrate embodiment, the encrypted data and the lineage reside in the same store, and key destruction is a local operation. In a multi-substrate embodiment, encrypted data is distributed across replicas or across a federation of cooperating stores, and key destruction is propagated through a coordinated protocol that confirms the destruction has been observed by every party that may have held the binding. In an external-custody embodiment, the binding key is held by a custodian distinct from the data store, and forgetting is invoked by instructing the custodian to destroy the key and to record the destruction in a custody log that is itself anchored into the agent's lineage.

The verifier topology can be embodied as a single auditor, as a quorum of auditors with threshold verification, or as a public log against which any party can verify. The choice does not change the structural property of the mechanism but affects the proof artifacts the agent must publish. The mechanism also admits an embodiment in which forgetting is partial: the binding key for a derived view is destroyed while the binding key for the underlying datum is retained, allowing the agent to forget a particular projection without forgetting the source.

A further embodiment integrates governed forgetting with relevance decay. In this embodiment, decay reduces the weight of a datum in active reasoning while retention remains valid; forgetting is invoked only when retention expires. The two operations are structurally distinct: decay is reversible and affects only the agent's prioritization, while forgetting is irreversible and affects the agent's capacity to access the datum at all.

Composition with Adjacent Mechanisms

Governed forgetting composes with the agent's lineage substrate, with the integrity field, and with downstream confidence governance. The lineage substrate provides the canonical record against which commitments are made and against which third-party verification is performed. The integrity field provides the policy reference under which retention windows are declared and under which forgetting triggers are evaluated. Confidence governance consumes the lineage's record of forgotten data when computing the agent's confidence in derived conclusions: a conclusion that depended on a now-forgotten datum is annotated as such, allowing downstream consumers to weight it appropriately.

Composition with these mechanisms ensures that forgetting is not an isolated event but a structural participant in the agent's ongoing reasoning. The agent's behavior after forgetting is not the same as its behavior before, and the difference is observable through the lineage rather than only through changes in output.

Distinction from Prior Art

Prior approaches to data deletion in regulated systems fall into procedural and cryptographic categories. Procedural deletion removes data from active stores and relies on operational discipline, backup expiry, and tombstone records to demonstrate compliance. The compliance evidence is the absence of the data in subsequent queries, supplemented by audit logs of the deletion event. Cryptographic deletion, sometimes termed crypto-shredding, destroys keys to render encrypted data inaccessible and uses the key-destruction record as evidence of compliance. Crypto-shredding is well established in storage systems but is typically applied at coarse granularity and without integration into a system that reasons over the data.

The mechanism described here is structurally distinct in that it integrates cryptographic forgetting with the agent's lineage and reasoning substrate. The forgetting event is not merely a storage operation; it is a structural transition of the agent that affects subsequent inference, that is recorded in the lineage as an admissible event, and that is verifiable to third parties through commitments declared at admission. The integration is what permits the agent's continued reasoning to remain coherent across forgetting events and what permits external parties to verify compliance without observing the forgotten data.

Disclosure Scope

The disclosure covers the binding of admitted data to retention policies through cryptographic envelopes, the destruction of binding keys as the structural forgetting operation, the publication of commitments that allow third-party verification, the parameterization of retention and key hierarchy, the alternative embodiments described above, and the composition with lineage and confidence governance. It covers any system in which an agent's claim to have forgotten a datum is verifiable through cryptographic evidence anchored in a canonical lineage, regardless of the storage substrate, the verifier topology, or the granularity of the key hierarchy.

Implementations that delete data through procedural means alone, without cryptographic binding and without verifiable commitments, fall outside the disclosure. Implementations that perform crypto-shredding without integration into a reasoning substrate, such that the agent's continued behavior is not annotated by the forgetting event, fall outside the disclosure with respect to the integration. The structural property is that forgetting is a first-class, verifiable event in the agent's lineage, and the disclosure scope tracks that property.

The disclosure further covers the treatment of derived data. When a datum admitted under retention contributes to a derived projection, embedding, or summary, the lineage records the derivation edge and the retention envelope of the source. Forgetting the source datum invalidates the derivation edge, and the policy reference declares whether the derivation must also be forgotten, whether it may be retained as an opaque artifact disconnected from the source, or whether the derivation must be re-computed from currently retained sources. Each of these declarations is recorded and verifiable, allowing third parties to audit not only direct retention but also the propagation of forgetting through the agent's reasoning chain.

The disclosure also covers the temporal verification model. A verifier presented with the lineage at any point after a forgetting event can reconstruct the agent's compliance trajectory: the time at which the datum was admitted, the retention window it was bound to, the time at which forgetting was triggered, and the time at which the binding key destruction was confirmed. The trajectory is itself a structural property recorded in the lineage and verifiable without access to the forgotten plaintext. Implementations that record forgetting events without preserving the temporal trajectory, such that subsequent verification cannot distinguish timely from belated compliance, fall outside the disclosure with respect to verifiability.