
Runtime authority verification, governance, tokenization, and immutable audit — before AI memory is ever stored.
Read the Technical Brief (PDF) →A session token at login is not authority. In hospitals, legal, and defense, the question is not "did this user sign in?" — it is "is this user, this agent, this delegated identity, allowed to do this exact thing, right now, against this exact tenant?" Trace evaluates that on every call. No cached trust. No implicit bypasses.
Authority is re-checked on every read, write, and retrieval — not once per session.
Agent acting on behalf of user acting on behalf of tenant — the full chain is verified.
Cross-tenant access cannot happen by mistake. The architecture forbids it.
Six steps from architecture understanding to proof. Skip around — or start at 1.
Before any data is scanned, tokenized, or stored — Authority evaluates who is making the request and what they are allowed to do. No bypasses.
API key, agent, or delegated identity
Target user or resource context
Scopes, roles, delegation chain
Read, write, retrieve, export
Cross-tenant blocked by construction
Allow · Transform · Deny — with evidence
Four live surfaces. Real authority evaluation. Real tokenization. Real audit evidence. Hand it your worst inputs and watch the governance layer respond.
Experience governed memory firsthand.
actor: agent_med_42 → user_clinician_18
tenant: medicore.health
scope: patient.read · memory.write
delegation: verified · 3 hops
decision: AUTHORITY OK · proceed to governance
input: "...SSN 456-78-9012, email schen@..."
detected: SSN · EMAIL
policy: PHI/PII · tokenize · retain 7y
verdict: TRANSFORM
evt: evt_a8c3
raw_ssn: 456-78-9012
→ token: trace_tok_ssn_a7b3
raw_email: schen@medicore.health
→ token: trace_tok_email_x9f2
raw_pii_at_rest: false
chain: evt_a8c3 → evt_a8c7
stages: authority · governance · tokenize · store
hash: sha256:9f2a…c8d1
mutable: false
export: HIPAA · legal hold · DoD review
Authority Trace · Governance Decision · Tokenization · Audit Evidence
This is not a game. There is no leaderboard. The Break Me Challenge exists so you can verify, with your own input, that the governance layer behaves the way we say it does. The expected result is not success — it is the platform visibly governing the data and exposing exactly how through "How Was This Governed?"
Audit rows cannot be edited or deleted — by the platform, by tenants, by us.
Every event names the stage (authority, governance, tokenization, storage, retrieval) that produced it.
Evidence chains are exportable for HIPAA, legal hold, and defense review workflows.
Mem0 and Zep are excellent at remembering. Trace Continuity Labs is built for environments where remembering without governance is the liability — hospitals, law firms, and defense.
| Capability | Mem0 | Zep | TCL |
|---|---|---|---|
| Long-term memory | Yes | Yes | Yes |
| Authority continuity | No | No | Yes |
| Policy verdicts (allow / deny / transform) | No | No | Yes |
| PII detection & tokenization | No | No | Yes |
| Per-tenant encryption keys | No | No | Yes |
| Safe retrieval with authority re-check | No | No | Yes |
| Append-only audit at every stage | No | No | Yes |
| Compliance posture (HIPAA / legal / defense) | No | No | Yes |
Comparison reflects publicly documented capabilities at the time of publication.
PHI tokenized at intake. Authority chains map to clinician scopes. Audit ready for HIPAA review.
Privileged content stays tokenized in storage. Matter-scoped authority. Evidence chains for legal hold.
Classification-aware governance. Per-tenant keys. Cross-tenant retrieval is structurally impossible.
Bring your own policy. Bring your own keys. Bring auditors — every stage emits evidence.
Priced by governance posture, not memory count. Tiers for evaluation through regulated production deployments.
The Playground is the proof. Test the architecture yourself.