Federated Memory: A Practical Guide (2026)

A single-agent system's memory is a private store the agent reads and writes for one user. Add a second agent and you've signed up for a federation problem: who owns the memory, who can read it, what happens when agent B writes something for user X that agent A retrieves while serving user Y. The schema decisions you make at launch determine which leaks are possible later.

This guide covers the per-agent vs shared decision, cross-tenant scoping, the leak modes that show up after launch, and a comparative look at memory architectures running in production today. Chapter 9 of A2A in Production is the long version.

The four ownership shapes

Per-agent. Each agent has its own memory; agents don't read each other's. Simplest mental model; no leak surface across agents; but the system can't benefit from cross-agent learning.
Shared, read-only across agents. One agent owns writes; others can read. Useful when one agent is the authoritative source and others enrich.
Shared, read-write across agents. All agents read and write the same store. Maximum cross-agent benefit; maximum leak surface.
Per-agent with explicit hand-off. Each agent has private memory; hand-offs explicitly publish parts of it for the next agent. Most discipline; hardest to get right.

The scoping dimensions

Independent of ownership, every memory record has scopes that must be decided:

Per-user. Visible only to operations for this user.
Per-tenant. Visible to operations for this customer's account, across users.
Per-session. Visible only during this conversation.
Per-agent. Visible only to this agent.
Cross-agent. Visible to a defined set of agents (the "trust list").
Global. Visible to everything (use sparingly).

Every memory write needs to encode these dimensions; every memory read needs to enforce them. The most common production bug is encoding less than the dimensions that actually matter, then discovering the missing dimension when something leaks.

The leak modes

Cross-tenant memory bleed

Agent A writes a memory for user X (customer A); the memory record encodes user but not tenant; agent B retrieves it while serving user Y (customer B). Customer B's user sees data from customer A.

Fix: tenant is always a scope dimension, separately from user. A user lookup that doesn't include the tenant predicate is a bug.

Cross-agent memory contamination

The customer-support agent's notes ("user complained loudly about pricing") get pulled into the sales agent's context, which now treats the user as a hot lead. Agent boundaries are not honored.

Fix: per-agent scoping is the default; cross-agent sharing is explicit and audited.

The summary-of-a-summary problem

Agent A summarizes a conversation into a memory record. Agent B reads A's summary and writes its own summary into the same store. Agent C reads B's summary, distorted from the original. The telephone game in storage form.

Fix: provenance as a first-class field on every memory record. Agent C should be able to see the chain "A wrote based on conversation X; B summarized A's note; the original is over here."

The deletion-doesn't-propagate problem

User requests deletion under GDPR. Memory in agent A's store gets deleted. The summary agent B made into a different store doesn't. The "deleted" data is still findable.

Fix: per-user deletion requires walking every federated store. Build the walker before you need it.

Memory architectures in production

Each of these is in production today and takes a different stance on the federation question:

Anthropic's memory tool. Per-conversation; explicit tool for read/write; the agent decides what to commit. Federation question is whatever the application layer wraps around it.
Claude Code's MEMORY.md. Per-project on disk; flat-file index plus per-topic files. Federation: whatever git lets you do. No built-in cross-agent.
MemGPT / Letta. Tiered memory (core + recall + archival); explicit memory ops as agent tools. Federation via shared archival stores.
Mem0. Vector-store-backed memory; per-user by default; cross-user shared spaces opt-in.
DIY-on-Postgres. Most production systems end up here. Tables with explicit scope columns; the federation policy lives in your access layer.

Each one solves a slightly different shape of the problem. The choice is downstream of how much federation you actually need: if it's "one agent, one user, one conversation," any of these work; if it's "five agents across two tenants with explicit cross-tenant sharing in some workflows," only the most opinionated will fit and you'll be writing scoping logic on top.

What to encode at write time

Every memory record, regardless of store:

User ID and tenant ID (always).
Source agent ID (the agent that wrote it).
Permitted-reader agents (the trust list, or "any").
Provenance (what input produced this memory).
TTL or retention class (so deletion has a clear meaning).

None of these can be added later. The retroactive migration that adds tenant to records that never had it is the migration that produces bugs.

Want the full chapter?

A2A in Production Chapter 9 covers all four ownership shapes in depth, the scoping dimensions with worked schema examples, the comparative deep dive on the memory architectures in production (with the federation question front and center for each), and the deletion-and-audit patterns that survive a GDPR request.

A2A in Production

The book on multi-agent systems and agent orchestration. Twelve chapters drafted; readable end to end as of v1.0.0-early.2. PDF + EPUB. Free updates through v1.0 and beyond. $39 (early access), secure checkout.