The Information Machine

AI Persistent Memory: ChatGPT Dreaming and the Cross-Session Context Race

open · v2 · 2026-06-05 · 109 items

What's new in v2

Most new items this pass are background/educational articles on prompt injection that deepen existing coverage without adding novel claims. Three genuinely new developments: Sysdig's documented real-world LLM-agent post-exploitation chain (May 10, 2026) moves the security risk from theoretical to operational [12]; SecurityWeek's formal benchmark ranking security posture across 100 AI agents adds institutional weight to the security angle [13]; and Danny Livshits' observation that self-evolving agents void their own safety reviews [15] introduces a new structural tension directly relevant to Dreaming's background synthesis model.

What

OpenAI launched Dreaming V3 for ChatGPT on June 4, 2026 — a background synthesis system that continuously updates user memory from conversation history rather than storing static snapshots, rolling out first to Plus and Pro subscribers [1][2]. Startup Anuma is positioning itself as a cross-model portable memory alternative, arguing that proprietary per-model memory forces users to carry context manually [10][9]. The security dimension of persistent AI memory has grown concrete: Sysdig documented the first publicly known LLM-agent-driven post-exploitation chain in May 2026 [12], SecurityWeek published a formal benchmark ranking security posture across 100 AI agents [13], and practitioners have flagged that self-evolving agents may void their own prior safety reviews [15].

Why it matters

How AI assistants handle persistent memory is becoming a key axis of platform differentiation. OpenAI's Dreaming locks richer context into ChatGPT specifically, while Anuma's portable model treats memory as user-owned infrastructure spanning all models — the two approaches carry different implications for user lock-in and platform economics. The security risks are no longer purely theoretical: documented real-world LLM agent exploitation and the observation that continuously self-updating systems may not match the version originally safety-reviewed make persistent memory both more capable and harder to secure.

Open questions

  • Does Dreaming V3's background synthesis introduce context drift or errors at scale — does continuously re-synthesizing memory degrade reliability compared to explicit user-managed entries? [1][16]

  • If a self-evolving agent voids its own safety review over time [15], how do providers plan to ensure the memory-enabled agent version in production still matches the version that was safety-reviewed?

  • Can cross-model portable memory platforms like Anuma achieve enough adoption to reduce the stickiness of proprietary memory features? [10][9]

  • How do providers plan to address indirect prompt injection into persistent memory, given that real-world LLM agent post-exploitation is now on record and persistent behavioral changes across sessions have been documented? [11][12]

Narrative

On June 4, 2026, OpenAI announced Dreaming — internally versioned as Dreaming V3 — a redesigned memory architecture for ChatGPT that runs background synthesis processes to keep user context current rather than relying on explicit, static memory entries [1][2]. The system rolls out first to Plus and Pro subscribers. OpenAI's framing positions it as a move from passive storage to proactive synthesis: the model periodically reviews conversation history and updates what it knows about a user's preferences and goals [1]. The announcement drew rapid social amplification within hours [3][4][5].

The Dreaming launch sits in a broader practitioner context. Hacker News discussions from late May described 'compaction amnesia and context rot' in AI coding tools — the pattern where models progressively lose track of prior decisions in complex, multi-step workflows [6]. Developer forum posts argued that structured selective memory retrieval is more reliable than extending context windows [7]. MIT's MeMo system, circulated in late May, reported a 26% LLM performance improvement by keeping memory architecturally separate from the base model [8].

A competing architectural philosophy has emerged from Anuma, a startup building cross-model portable AI context [9]. Rohan Paul described the core problem: 'Most AI workflows break because the user has to carry the context manually' [10]. Anuma stores context in a format portable across ChatGPT, Claude, and other systems — user-owned infrastructure rather than platform-locked memory.

The security dimension of persistent AI memory has moved from theoretical to operational. Palo Alto Networks documented that indirect prompt injection can poison AI long-term memory, causing persistent behavioral changes across sessions [11]. Sysdig documented the first publicly known LLM-agent-driven post-exploitation chain in May 2026, confirming that AI agent vulnerabilities are being exploited in the wild [12]. SecurityWeek published a benchmark formally ranking the security posture of 100 AI agents [13], and CrowdStrike identified indirect prompt injection as a primary attack category against AI systems [14]. A structural concern has also emerged in practitioner commentary: Danny Livshits observed that a self-evolving agent voids its own safety review, since the version tested is not the version running a month later [15] — a problem that background-synthesis systems like Dreaming make more acute. None of the major providers have publicly addressed how they intend to handle persistent attack surfaces or the safety-review validity problem for continuously updating memory systems.

Timeline

  • 2026-05-10: Sysdig documents first publicly known LLM-agent-driven post-exploitation chain [12]
  • 2026-05-26: Hacker News post documents 'compaction amnesia and context rot' in Codex on complex multi-step workflows [6]
  • 2026-05-30: MIT MeMo research circulates claiming 26% LLM performance gain from memory kept architecturally separate from the base model [8]
  • 2026-06-02: Analysis of memory architecture state across major agent harnesses shared on Twitter [18]
  • 2026-06-02: Danny Livshits observes that a self-evolving agent voids its own safety review, as the version tested may not match the version running a month later [15]
  • 2026-06-03: SecurityWeek publishes benchmark ranking security posture of 100 AI agents [13]
  • 2026-06-04: OpenAI announces Dreaming V3 for ChatGPT, rolling out to Plus and Pro users with background synthesis replacing static memory snapshots [1][2][17][5]
  • 2026-06-04: Anuma cross-model portable memory platform discussed as structural alternative to proprietary model-specific memory [10][9]
  • 2026-06-04: Palo Alto Networks research on indirect prompt injection poisoning AI long-term memory surfaces in context of Dreaming launch [11]

Perspectives

OpenAI

Dreaming V3 is a proactive background synthesis system that keeps user memory fresh and relevant, representing a new architectural approach to long-term memory in conversational AI.

Evolution: Consistent product-launch framing; no comparison to competitors or discussion of limitations offered in the public announcement.

Anuma / Rohan Paul

Proprietary per-model memory is insufficient; user context should be portable across all AI models in a private, user-owned format rather than locked to a single platform.

Evolution: Consistent; Anuma frames itself as the infrastructure-layer response to the same problem OpenAI addresses with a platform-locked approach.

MIT MeMo researchers

Keeping memory architecturally separate from the base model yields measurable performance gains without retraining — a design choice that differs from integrated production approaches.

Evolution: Consistent; academic framing with no commercial stance.

Palo Alto Networks / CrowdStrike (security researchers)

Persistent AI memory creates a significant attack surface; indirect prompt injection can poison long-term memory, cause persistent behavioral changes across sessions, and represents a primary category of AI system vulnerability.

Evolution: Expanded from prior pass: CrowdStrike's parallel documentation of indirect prompt injection reinforces Palo Alto Networks' earlier finding.

Sysdig / SecurityWeek

AI agent vulnerabilities have moved from theoretical to operational; a real-world LLM-agent post-exploitation chain has been documented, and formal industry benchmarks now rank agent security posture.

Evolution: New in this pass; adds empirical and institutional weight to what was previously stated as a theoretical risk.

Practitioner and developer community

Context loss is a genuine workflow cost in current AI tools; memory-first architecture is more reliable than extending context windows. Self-evolving agents that update their own behavior also create a structural safety problem — the tested version may not be the production version.

Evolution: Expanded to include the self-evolving agent safety concern alongside the pre-existing context loss frustration.

Tensions

  • OpenAI's Dreaming locks richer memory into ChatGPT specifically; Anuma argues memory should be portable across all models and user-owned, not platform-controlled. [1][10][9]
  • Dynamic background synthesis (Dreaming) vs. static explicit memory: practitioners argue proactive synthesis may introduce context drift as a new failure mode rather than solving the reliability problem. [1][7][16]
  • More capable persistent memory expands the prompt-injection attack surface. Findings from Palo Alto Networks and CrowdStrike, together with Sysdig's documented real-world exploitation, confirm this is no longer theoretical, but neither OpenAI nor other providers have publicly addressed how they will defend against it. [11][1][12][14]
  • MIT MeMo's finding that architecturally separate memory outperforms integrated memory implies current production approaches may carry a performance penalty — but this comparison has not been applied to Dreaming specifically. [8][1]
  • Self-evolving agents that continuously update their own memory may void prior safety reviews; Danny Livshits argues the version tested is not the version running a month later — a structural problem that background-synthesis systems like Dreaming make more acute. [15][1]

Status: active and growing

Sources

  [1] Dreaming: Better memory for a more helpful ChatGPT — OpenAI Blog (2026-06-04)
  [2] Dreaming memory system rolls out to ChatGPT Plus and Pro users — reactive:ai-persistent-memory-race
  [3] JUST IN: OpenAI unveils Dreaming memory system for ChatGPT to boost continuity and relevance, with Dreaming V3 rolling o... — reactive:ai-persistent-memory-race (2026-06-04)
  [4] New Memory system in ChatGPT: Dreaming. — reactive:ai-persistent-memory-race (2026-06-04)
  [5] OpenAI Launches Dreaming V3 Memory System for ChatGPT... — reactive:ai-persistent-memory-race (2026-06-04)
  [6] Why codex /goal fails on complex workflows: compaction amnesia and context rot — reactive:ai-persistent-memory-race (2026-05-26)
  [7] Memory-First Conversational Architecture as an Alternative to Long ... — reactive:ai-persistent-memory-race
  [8] MIT's MeMo: 26% LLM performance boost without retraining — memory stays separate from the base model. — reactive:ai-persistent-memory-race (2026-05-30)
  [9] Cross-Model, Cross-Device Portable AI Context | Anuma — reactive:ai-persistent-memory-race
  [10] Most AI workflows break because the user has to carry the context manually, and Anuma is trying to make that context por… — Rohan Paul Twitter (2026-06-04)
  [11] When AI Remembers Too Much – Persistent Behaviors in Agents ... — reactive:ai-persistent-memory-race
  [12] When I wrote about Sysdig observing the first publicly documented LLM-agent-driven post-exploitation chain on May 10, th... — reactive:ai-persistent-memory-race (2026-06-04)
  [13] SecurityWeek just published a benchmark ranking the security posture of 100 AI agents. The headline is interesting. The ... — reactive:ai-persistent-memory-race (2026-06-03)
  [14] Indirect Prompt Injection Attacks: Hidden AI Risks — reactive:ai-security-nexus
  [15] A self-evolving agent voids its own safety review. The version you tested is not the version running a month later. — reactive:ai-persistent-memory-race (2026-06-02)
  [16] @yato220510 @OpenAI Compressed embeddings would be crucial here. Would love to see the technical deep-dive on the memory... — reactive:ai-persistent-memory-race (2026-06-04)
  [17] Dreaming: Better memory for a more helpful ChatGPT — reactive:ai-persistent-memory-race
  [18] Single article with a complete breakdown on the state of memory architecture in the major Agent Harnesses- — reactive:ai-persistent-memory-race (2026-06-02)