HEINI
DE Book demo Choose plan
Start Features
Solutions Managing directorsCFO & financeIT leadershipTax advisorsTradesFreight & logisticsAll industriesEnterprise
Pricing Integrations
Customers All customersPSE TechnikKnowledge staysSupplier with HeiniGroup & holdingAgencies & partners
Resources All resourcesFAQBlogCustomers & casesStories
Login Book demo Choose plan
← Back to blog Technical

Verifiable Forgetting in Multi-Tier Memory Systems via Tier-Specific Mutual-Information Thresholds

A Technical Note — Defensive Publication

A defensive publication on a tier-specific mutual-information threshold method for verifying record deletion in multi-tier memory systems used in agentic AI products. Establishes prior art under § 3 Abs. 1 PatG, Art. 54 (2) EPC, and 35 USC § 102(a)(1).

HEINI · May 6, 2026 ·12 min
#machine-unlearning#verifiable-forgetting#mutual-information#gdpr#eu-ai-act#multi-tier-memory#agentic-ai#defensive-publication#prior-art

Verifiable Forgetting in Multi-Tier Memory Systems via Tier-Specific Mutual-Information Thresholds

A Technical Note · Defensive Publication

Author: HEINI Operations UG, trademark holder of HEINI® Contact: Book via Susi Version: 1.0 Published: 2026-05-06 License: CC0 1.0 Universal (Public Domain Dedication, with the dedication scope defined in Section 8 below) DOI (this version): 10.5281/zenodo.20054270 Concept DOI (all versions): 10.5281/zenodo.20054269 Trademark notice: HEINI® is a registered trademark at the DPMA, registration number 30 2026 214 789, classes 09, 35, 42, registered 25.03.2026. Holder details in the imprint.

Abstract

This technical note describes a method for empirically verifying the deletion of a record from a multi-tier memory system used in agentic AI products. The method is targeted at regulated deployments under GDPR Article 17 and EU AI Act Article 10 in scenarios where conventional procedural deletion confirmations are insufficient because residual statistical information about the deleted record may persist in derived representations such as embeddings, attention patterns, or fine-tuning gradients. The contribution is a tier-specific mutual-information threshold chain combining a configurable estimator family with a sensitivity-classification-driven threshold lookup and an automatic re-training or re-indexing trigger. The note is published to establish prior art under § 3 Abs. 1 PatG, Art. 54 (2) EPC, and 35 USC § 102 (a)(1) for the purposes of any subsequent patent application by third parties regarding the specific embodiment described herein.

1. Background and prior art

The problem of demonstrable deletion in machine-learning systems has been studied under multiple terminology conventions, including machine unlearning, certified removal, and verifiable forgetting. A non-exhaustive selection of prior work that informs the present note is listed below.

  • Eisenhofer, T. et al. (2022). Verifiable and Provably Secure Machine Unlearning. arXiv:2210.09126.
  • Li, Y. et al. (2025). AuditableLLM: Auditable Forgetting in Large Language Models. Electronics, 15(1), 56. DOI: 10.3390/electronics15010056.
  • European Data Protection Supervisor (2023). TechSonar Report: Machine Unlearning.
  • Kraskov, A., Stögbauer, H., Grassberger, P. (2004). Estimating Mutual Information. Physical Review E, 69, 066138.
  • Belghazi, M. et al. (2018). MINE: Mutual Information Neural Estimation. Proc. ICML 2018.
  • van den Oord, A. et al. (2018). Representation Learning with Contrastive Predictive Coding (InfoNCE). arXiv:1807.03748.
  • Mironov, I. (2017). Rényi Differential Privacy. Proc. CSF 2017.
  • Packer, C. et al. (2023). MemGPT: Towards LLMs as Operating Systems. arXiv:2310.08560.
  • Bourtoule, L. et al. (2021). Machine Unlearning. Proc. IEEE S&P 2021.
  • Sekhari, A. et al. (2021). Remember What You Want to Forget: Algorithms for Machine Unlearning. Proc. NeurIPS 2021.
  • Cao, Y., Yang, J. (2015). Towards Making Systems Forget with Machine Unlearning. Proc. IEEE S&P 2015.
  • Ginart, A. et al. (2019). Making AI Forget You: Data Deletion in Machine Learning. Proc. NeurIPS 2019.

The body of work establishes that procedural deletion logging is insufficient evidence for regulators, and that statistical methods based on mutual information, membership inference attacks, or differential-privacy budget accounting are increasingly demanded as technical evidence of removal. The contribution of the present note lies in a specific, tier-aware integration of mutual-information-based verification into a configurable production pipeline for agentic AI memory systems, not in any of the underlying primitives.

2. Method description

The method, hereinafter the tier-specific MI threshold chain, operates after a deletion event in a multi-tier memory system. A multi-tier memory system in this context comprises at least two storage tiers, each with its own retention semantics, sensitivity classification, and access pattern.

After a deletion event for a record r, the method executes the following steps:

Step A — Tier enumeration

The method enumerates the memory tiers T1, T2, ..., Tn of the system that may contain derived information from r. Examples of tiers include vector indices (embedding storage), active model parameters (in fine-tuned or adapter-tuned configurations), cache layers (recently accessed retrievals), and retrieval-augmented document indices.

Step B — Per-tier mutual-information estimation

For each tier Ti, the method computes an estimate I(r ; S_Ti_post) of the mutual information between the deleted record r and the post-deletion state S_Ti_post of that tier. The estimator can be selected from a family of admissible estimators including but not limited to:

  • the Kraskov-Stögbauer-Grassberger (KSG) k-nearest-neighbour estimator
  • the Mutual Information Neural Estimation (MINE) lower bound
  • the InfoNCE contrastive lower bound
  • a Bayesian Model-Averaged MI estimator (BMA-MI)
  • a Conditional MI Neural-Network estimator (CMI-NN)

The choice of estimator is parameterised by the operator and recorded in the verification result.

Step C — Tier-specific threshold comparison

For each tier Ti, the estimate is compared against a tier-specific threshold θ_Ti. The threshold is derived from a sensitivity classification of the data stored in that tier. Sensitivity classifications can include but are not limited to: EU AI Act Annex III high-risk categories, GDPR special categories under Article 9, sector-specific classifications (medical, financial, legal), and operator-defined custom classifications.

The threshold derivation can be:

  • static (fixed value per classification class, configured at deployment time),
  • dynamic (recomputed periodically based on operator-defined drift baselines), or
  • learned (adapted via reinforcement learning against operator-defined reward signals reflecting compliance audit feedback).

Step D — Trigger emission

If the estimate I(r ; S_Ti_post) > θ_Ti for any tier Ti, the method emits a trigger. The trigger type can be any of:

  • a re-training trigger for the affected tier (parameter recomputation),
  • a re-indexing trigger for the affected tier (vector or document index rebuild),
  • a fallback-to-purge trigger (full state reset for the affected tier), or
  • a regulatory escalation trigger (notification of the data protection officer).

The emitted trigger is logged according to the operator’s audit policy. The detailed audit logging architecture is outside the scope of this technical note.

Step E — Verification result emission

The method emits a verification result containing, at minimum: the tier identifier, the estimate value, the threshold value, the estimator family used, and a binary verification status. The transmission and persistence of the verification result are outside the scope of this technical note.

3. Variants and admissible embodiments

The following variants are explicitly disclosed as admissible embodiments of the method described in Section 2.

  • Variant A — Tier granularity. The method admits any number of tiers n ≥ 1, including two-tier (hot/cold), three-tier (active/warm/cold), and arbitrary n-tier hierarchies.
  • Variant B — Estimator family. The method admits any of the estimators listed in Step B and any combination thereof. The method also admits ensemble estimators that aggregate multiple estimators via mean, median, or worst-case aggregation.
  • Variant C — Threshold derivation. The method admits static, dynamic, and learned thresholds in any combination across tiers, including mixed configurations where one tier uses a static threshold and another a learned threshold.
  • Variant D — Sensitivity classification source. The method admits sensitivity classifications from EU AI Act Annex III, GDPR Article 9, ISO/IEC 27701:2019, NIST SP 800-60, sectoral schemes (HIPAA, PSD2, MiFID II), and operator-defined custom schemes.
  • Variant E — Trigger granularity. The method admits trigger emission at any of: per-tier, per-record, per-batch, per-time-window granularities.
  • Variant F — Estimator parameter. For the KSG estimator, k can be any integer in the range [1, 20]. For MINE and InfoNCE, the underlying neural network can be any feed-forward, recurrent, or attention-based architecture.
  • Variant G — Deployment topology. The method admits single-tenant and multi-tenant deployments. In multi-tenant deployments, per-tenant configuration of estimators and thresholds is admissible. The architecture of tenant isolation is outside the scope of this technical note.

4. Pseudocode

The following pseudocode describes a reference implementation of the method as described in Section 2. The pseudocode is provided for clarity and is part of the disclosure under this technical note.

function verify_deletion(deleted_record r, tiers T):
    results = []
    for each tier Ti in T:
        S_post = get_post_deletion_state(Ti)
        estimator = select_estimator(Ti.config.estimator_family)
        I_est = estimator.compute(r, S_post)

        sensitivity = classify_sensitivity(Ti, scheme=Ti.config.classification_scheme)
        theta = derive_threshold(sensitivity, Ti.config.threshold_mode)

        verified = (I_est <= theta)

        if not verified:
            trigger_type = Ti.config.trigger_type
            emit_trigger(trigger_type, tier=Ti, record=r,
                         I_est=I_est, theta=theta)

        results.append({
            tier: Ti.id,
            estimator: estimator.name,
            I_est: I_est,
            theta: theta,
            sensitivity: sensitivity,
            verified: verified
        })

    emit_verification_result(results)
    return results

5. Disclosure Statements (claim-style)

The following statements summarize the method in claim style for the avoidance of doubt regarding the scope of the disclosure under this technical note.

Statement 1. A method for verifying deletion of a record r in a multi-tier memory system comprising at least two memory tiers, the method comprising:

(a) for each memory tier Ti, computing a mutual-information estimate I_est(r ; S_Ti_post) between the deleted record r and a post-deletion state S_Ti_post of that memory tier, using an estimator selected from a family comprising at least Kraskov-Stögbauer-Grassberger, MINE, InfoNCE, BMA-MI, and CMI-NN;

(b) for each memory tier Ti, comparing the estimate against a tier-specific threshold θ_Ti derived from a sensitivity classification of data stored in that memory tier;

(c) emitting a trigger from a trigger family comprising at least re-training, re-indexing, fallback-to-purge, and regulatory escalation, when the estimate exceeds the threshold for at least one memory tier; and

(d) emitting a verification result.

Statement 2. The method according to Statement 1, wherein the sensitivity classification is derived from at least one of: EU AI Act Annex III, GDPR Article 9, ISO/IEC 27701:2019, NIST SP 800-60, HIPAA, PSD2, MiFID II, or an operator-defined custom scheme.

Statement 3. The method according to Statement 1 or 2, wherein the threshold θ_Ti is derived statically, dynamically, or via reinforcement learning against an operator-defined reward signal reflecting compliance audit feedback.

Statement 4. The method according to any of Statements 1 to 3, wherein the estimator is a single estimator or an ensemble of multiple estimators aggregated via mean, median, or worst-case aggregation.

Statement 5. The method according to any of Statements 1 to 4, wherein the trigger is emitted at any of per-tier, per-record, per-batch, or per-time-window granularity.

Statement 6. The method according to any of Statements 1 to 5, wherein the multi-tier memory system comprises at least one of: a vector index, an active model parameter store, a cache layer, or a retrieval-augmented document index.

Statement 7. A computer-implemented system comprising at least one processor and at least one memory device, configured to execute the method according to any of Statements 1 to 6.

Statement 8. A non-transitory computer-readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to execute the method according to any of Statements 1 to 6.

6. Implementation context

A reference implementation of the method is being developed for deployment under the HEINI® brand (DPMA registration number 30 2026 214 789). Implementation details specific to the production deployment (including but not limited to the threshold values used in production, the consistency-anchoring architecture interfacing with the trigger mechanism, the audit-chain architecture, and the multi-tenant isolation architecture) are not part of the disclosure under this technical note and remain trade secrets and intellectual property of HEINI Operations UG.

7. Acknowledgements and prior art positioning

The contribution of this note is the integration of tier-aware mutual-information verification into a configurable production pipeline. The note does not claim contribution to: the underlying mutual-information estimators (which are due to Kraskov-Stögbauer-Grassberger 2004, Belghazi et al. 2018, van den Oord et al. 2018, and others), the underlying machine-unlearning theory (which is due to Cao and Yang 2015, Ginart et al. 2019, Bourtoule et al. 2021, Sekhari et al. 2021, and others), or the underlying differential-privacy frameworks (which are due to Dwork 2006, Mironov 2017, and others).

8. License and Dedication Scope

This technical note is released under the Creative Commons CC0 1.0 Universal Public Domain Dedication.

The dedication applies to the specific embodiment as described in Sections 2, 3, 4, and 5 of this technical note. No patent rights are claimed by the named author, his affiliates, or any successor entity (including any future HEINI Operations or HEINI IP entity once duly incorporated) regarding the specific embodiment as described in those Sections.

This dedication does not extend to:

(a) derivative methods that incorporate technical features beyond those disclosed in Sections 2 to 5, including but not limited to consistency-anchoring layers, identity-chained tenant hashes, append-only audit chains, or other architectural components referenced in Section 6 as outside the scope of this disclosure;

(b) methods that combine the disclosed embodiment with additional independently inventive components that are the subject of separate patent applications by the named author;

(c) trade secrets, know-how, and configuration data used in production deployments under the HEINI® brand, including but not limited to specific threshold values, estimator hyper-parameters, and production tier topologies;

(d) the application of Rényi-Differential-Privacy techniques to memory hardening in hierarchical tier systems, which remains the subject of separate patent applications.

This technical note constitutes prior art within the meaning of § 3 Abs. 1 PatG, Art. 54 (2) EPC, and 35 USC § 102 (a)(1) for the purposes of any subsequent patent application by third parties regarding the specific embodiment described in Sections 2, 3, 4, and 5.

The HEINI® word mark (DPMA registration number 30 2026 214 789, classes 09, 35, 42) is not part of this CC0 1.0 dedication and remains protected under the German Trademark Act (MarkenG).

9. Citation

When citing this technical note, please use:

HEINI Operations UG. Verifiable Forgetting in Multi-Tier Memory Systems via Tier-Specific Mutual-Information Thresholds — A Technical Note. Version 1.0, 2026-05-06. CC0 1.0. Available at https://heini.app/en/blog/verifiable-forgetting-multi-tier-memory · DOI (this version): 10.5281/zenodo.20054270

To cite all versions of this work including future updates, use the Concept DOI: 10.5281/zenodo.20054269.

BibTeX:

@techreport{heinen2026verifiableforgetting,
  author       = {{HEINI Operations UG}},
  title        = {Verifiable Forgetting in Multi-Tier Memory Systems via Tier-Specific Mutual-Information Thresholds --- A Technical Note},
  type         = {Technical Note (Defensive Publication)},
  number       = {Version 1.0},
  year         = {2026},
  month        = {May},
  day          = {6},
  doi          = {10.5281/zenodo.20054270},
  url          = {https://heini.app/en/blog/verifiable-forgetting-multi-tier-memory},
  note         = {CC0 1.0 Universal Public Domain Dedication. Concept DOI for all versions: 10.5281/zenodo.20054269}
}

10. Versions and mirrors

This technical note is published in three identical mirrors to ensure long-term availability and verifiable timestamping:

The Wayback Machine snapshot of the HEINI Blog page is available at: https://web.archive.org/web/2026*/heini.app/en/blog/verifiable-forgetting-multi-tier-memory

Posted on the HEINI® Blog · 2026-05-06 · CC0 1.0 · Comments and questions welcome via Susi