AI
Portable Memory or Permanent Lock-In: The Architectural Choice That Will Define AI's Next Decade
AI memory is the new vendor lock-in. Open formats from one vendor are not enough - the category needs a neutral interchange standard, and regulation agrees.
Picture a team that has spent 18 months working inside Claude Projects. Hundreds of conversations, project instructions refined over dozens of iterations, an accumulated body of context about the codebase, the customers, the decisions already made and why. Then leadership asks a reasonable question: should we evaluate Gemini? And the honest answer from whoever owns the AI stack is uncomfortable. The subscription is easy to cancel. The 18 months of accumulated context has no migration path. You can export your conversations as JSON and your memory as a text summary, but nothing on the other side can reconstruct what the tool actually knew about you. AI memory portability, as a practical capability, does not exist in July 2026. Starting over is the migration plan.
Here is what changed this summer: the first vendors have noticed. One open-sourced its entire memory engine so customers can inspect and self-host what their agents know. Another ships memory with git semantics - commit, branch, merge, push, pull - and markets itself as the portable memory layer. Both moves are real progress, and I will give both full credit below. Both also illustrate, precisely, what is still missing. A format that only one product writes is not portability. It is a well-documented dialect.
The thesis of this piece is simple to state and has a decade of consequences: memory is the new vendor lock-in, memory portability is the architectural decision of the decade, and the category needs a neutral interchange standard that no single vendor owns. Nobody is building that standard yet. This is the argument for why someone must, what it has to contain, and why the regulatory clock in Europe has already started.
The new lock-in is at the memory layer
The models themselves stopped being the switching cost some time in the last two years. Frontier models leapfrog each other every few months, the API shapes are near-identical, and swapping providers behind a well-built abstraction layer is an afternoon of work. If you doubt how replaceable models have become, June just ran the experiment for us. On June 12, the US government issued an export control directive that forced Anthropic to pull its newest flagship models offline worldwide within hours. Teams that had adopted them fell back to older models within days and kept shipping. Access was restored on July 1, nineteen days later. A frontier model - the most capable one on the market - vanished for nearly three weeks, and the ecosystem absorbed it. Try to imagine absorbing the overnight loss of everything your AI tools have learned about your team. That thought experiment is the whole argument.
So differentiation moved up the stack. What a platform knows about you is the one asset a competitor cannot replicate by shipping a better model, and every major vendor understands this. The pattern I laid out in why AI agents forget by design - and where the captured context lives now has a second act: the same context that applications painstakingly rebuild on every stateless API call is now being captured, persistently, inside each platform’s own memory features. The capture is genuinely useful. It is also, structurally, a moat.
The clearest current example arrived on June 23, when Anthropic launched Claude Tag: Claude as a persistent teammate inside Slack, with channel-scoped memory that accumulates as it works and can extend across an organization’s channels when granted permission. It is an impressive product. It is also memory that lives bound to the Slack workspace and to Anthropic, with no documented export. Every week it runs, it learns more about how a company works - and every week, the cost of ever using anything else grows. Nobody had to design that as a trap for it to function as one.
The economics here are old. Databases, ERPs and cloud data warehouses all ran the same play: the product is replaceable, the accumulated state is not, and the state is priced into the exit. What is new is the breadth of what gets captured. A data warehouse holds your tables. An AI memory layer holds how your organization thinks - preferences, decisions, conventions, the reasoning behind choices, who said what and when. The switching cost is no longer your data. It is your institutional knowledge, in a shape only one vendor can read.
The inversion in one picture. Model switching cost keeps falling - June 2026 proved a flagship can vanish for nineteen days and teams just swap. Memory switching cost compounds with every week on the platform, and the widening gap between the curves is the moat.
Three kinds of lock-in your AI memory creates
It helps to be precise about what accumulates, because the three kinds of memory lock in differently and hurt differently when you try to leave.
Behavioral lock-in is the learned layer: your preferences, your style, the corrections you have made a hundred times. ChatGPT’s Memory is the canonical consumer example, and it is also the canonical one-way door. OpenAI’s own Memory FAQ covers viewing, managing and deleting memories - there is no export. The account-level data export gives you your conversation history; the distilled memory the product actually uses to personalize responses stays inside. What the system learned about you over a year of daily use is, by construction, not yours to take.
Context lock-in is the working-state layer: project history, established facts, decisions and their rationale, the running state of everything in flight. This is the layer teams feel first when they evaluate a switch, because it is the layer that makes the tool useful on Monday morning without a briefing. It is also where the industry’s one genuine interoperability precedent lives. Anthropic ships a memory import that accepts memories brought over from ChatGPT, Gemini or Grok, and Google answered with a ZIP-based import of its own. Credit where due: these are real doors between platforms, and they mattered enough to trigger a minor migration wave this spring. But look at the mechanism. The user runs a prompt that asks the old assistant to write out what it remembers, then pastes or uploads the prose into the new one. It is an on-ramp built by the vendor who benefits from the traffic, it flattens everything to text, and it moves in whichever direction the importing vendor built. An on-ramp is not a standard.
Relationship lock-in is the layer almost nobody prices in, because it only exists in team settings: who established which fact, who decided what and when, which person’s correction superseded whose earlier claim. This is provenance, and it is what turns a pile of remembered facts into organizational memory you can trust and audit. It is also the layer that shared, channel-scoped memory products accumulate fastest and expose least. When memory becomes a teammate rather than a personal notebook, the who-said-what-when graph becomes the most valuable and least exportable thing in the building. It is also the layer auditors and legal teams will eventually ask about, because a decision trail you cannot export is a decision trail you cannot produce on request.
Three kinds of lock-in, three different exit costs. Behavioral memory is annoying to lose, context memory is expensive to lose, and relationship memory - the provenance graph of who established what - is the one organizations cannot rebuild from an export of plain text.
Each layer compounds on the previous one. And the compounding is the point: none of this is a bug a vendor will fix under competitive pressure, because the pressure runs the other way. Retention economics reward capture. Only two forces push against it - customers who demand portability in procurement, and regulators who mandate it. Both are covered below. First, the vendors who deserve credit for moving early.
The vendors who noticed (and why it’s not enough yet)
Two products shipped this year that take memory ownership seriously, and the honest version of this argument has to start by steelmanning them.
Cognee 1.0 launched on June 26 as a fully open-source memory engine: a typed knowledge graph you can run on a single Postgres instance, with an API built around four verbs - remember, recall, improve, forget - and an export path to its own COGX archive format. The launch post is explicit about why: teams were not going to hand the memory of their business to, in Cognee’s words, “a black box they couldn’t inspect, host themselves, or take with them.” That is the correct diagnosis, stated by a vendor, in public. Self-hosting means your memory sits in your database. Open source means you can read every line of the code that writes it. If every memory product met this bar, half of this article would be unnecessary.
ByteRover attacks the same problem from the developer-tools side and calls itself the portable memory layer for coding agents. Its memory is a hierarchical context tree stored as plain markdown, versioned with git semantics - you commit memory changes, branch them, merge them, push and pull them between machines and teammates. Anyone who has watched a team lose a month of agent context to a laptop swap understands immediately why this is the right shape. Files you can read in any editor, with history, that move the way code moves. As a design instinct about who should hold memory, it is exactly right.
Both vendors get full credit for moving first, and neither has solved portability - because a single implementation cannot. Open source makes a format inspectable; it does not make memory portable between vendors. Portability is a property of an ecosystem, not of a codebase. A COGX archive is readable by Cognee. A ByteRover context tree is meaningful to ByteRover. If either company disappeared tomorrow, your memory would be legible - a real improvement over the incumbents - but it would still be stranded, because nothing else writes or reads that shape natively. A format only one implementation writes is a dialect, not a standard. And to be clear, this is an argument neither vendor can rebut without arguing against their own openness, which is exactly why it is the right test.
The demand signal extends beyond vendors. In the first half of 2026 alone, at least three independent interchange proposals appeared: MIF, an individual developer’s memory interchange spec; memorywire, an academic wire-format proposal for memory operations; and the community-driven Open Memory Protocol, which describes itself as vendor-neutral. Add COGX, a vendor’s own export format, and you have four different answers to the same question in six months. None of them has institutional governance, a second independent implementation, or vendor adoption. I am not reviewing them here, and that is deliberate: the wave matters more than any entry in it. When four unrelated parties independently invent the same missing piece, the piece is missing.
So the gap, precisely stated: it is not that nobody has proposed a format. It is that no format has been placed under neutral governance and implemented, independently, twice. That gap has a well-known shape, and the industry has closed it before.
Why portability is harder than an export button
Every platform’s answer to portability criticism is the same: we have data export. And every one of those exports fails the same way, because a memory archive that preserves the text but discards the structure has exported the words while deleting the knowledge. Real portability has six technical requirements, and it is worth being concrete about each, because this list is what separates an export button from an exit.
Structure. Memory is typed. A fact about a customer, a decision with a rationale, a preference, an event with participants - these are different kinds of objects with different fields and different lifecycle rules. An export that flattens them into paragraphs of prose forces the importing system to re-extract structure with a language model, which means guessing, which means loss. The typed objects are the memory. Prose is a rendering of it.
Attribution. Every memory has an origin: which person stated it, which document it came from, which agent inferred it. Strip attribution and a team archive becomes a pile of unverifiable claims. Keep it and the archive stays auditable - you can ask not just what the system believes but why it believes it and on whose word.
Relationships. Memories reference each other. This decision was made because of that constraint; this fact supersedes that earlier one; these five facts describe the same entity. The edges carry as much meaning as the nodes, and they are the first thing a prose dump destroys.
Temporal validity. Every fact was learned at some time and true for some interval. “The user works at Aiven” and “the user worked at Aiven until March 2025” are different memories, and only one of them is safe to retrieve today. Any export that drops the time dimensions ships stale facts as current ones, at scale, into the importing system. This is the same two-clock problem that makes memory hard to build in the first place, and it is why the architecture underneath matters for what survives the export - a store that never modeled validity intervals has nothing to preserve.
Permissions. Shared memory is scoped. Some of it is channel-visible, some is private to a person, some is restricted to a group. An archive that discards scope converts a permission model into a data breach with a progress bar. Whoever imports it either over-shares or has to re-derive access rules by hand.
Provenance. Beyond who stated a fact: how the memory came to be. Was it asserted directly, inferred by a model, merged from three earlier records? Derived memories inherit the reliability of their sources, and an archive that cannot express derivation chains cannot support trust decisions on the other side.
The six layers, in the order exports lose them. Most current export features drop all six; the open-source engines keep the top four for their own reader. An archive is only as portable as its weakest preserved layer.
Hold current products against those six requirements and the honest finding is that most exports satisfy none of them, and even the best satisfy them for one reader only. Which brings in the test that actually decides the question. Call it import symmetry: an export only counts as portable if a competing product can read it back and reconstruct the memory - the objects, the edges, the timestamps, the scopes - rather than just the text. Symmetry is the property that separates a door from a mail slot. I checked every claim in the table below against vendor documentation and product behavior in the first week of July 2026, including Cursor’s rules and memories, because this is exactly the kind of table that gets screenshotted and fact-checked.
| Product | Export format | Structure | Attribution | Relationships | Re-importable by a competitor |
|---|---|---|---|---|---|
| ChatGPT Memory | Account ZIP covers conversations; saved memories have no export | No | Conversations only | No | No - rivals scrape it via prompt |
| Claude Projects and memory | Account ZIP (JSON); memory exports as a text summary | Partial | Partial | No | No - imports in, no structured out |
| Claude Tag channel memory | None documented | No | No | No | No - workspace-bound |
| Gemini saved info | Takeout covers activity; saved info not separately exportable | No | Partial | No | No - accepts rival ZIPs in, flattened to text |
| Cursor rules and memories | Rules are markdown in-repo; memories have no export | Partial (rules only) | No | No | Rules copy trivially; memories no |
| Cognee | Self-hosted graph in Postgres; vendor COGX export | Yes | Yes | Yes | No - single implementation |
| ByteRover | Markdown context tree with git history | Partial | Yes (commit metadata) | Yes | No - single implementation |
Read the last column top to bottom. Seven products, seven variations of no. The two open-source entries preserve dramatically more than the incumbents - structure, attribution, relationships all survive - and still fail symmetry, because symmetry cannot be shipped unilaterally. It requires a format that at least two independent implementations write and read. Which is a standards problem, not a product feature.
The format should be open even when the platform isn’t
Here is the split that makes this argument workable for commercial vendors rather than a demand that everyone open-source their product: the platform can stay proprietary. The retrieval engine, the ranking models, the integrations, the UX - compete on all of it, keep all of it closed. The customer’s archive of their own memory is the part that must not be proprietary. What a company’s people taught the system belongs to the company, and belonging means being able to hold it in a form that survives the vendor.
Concretely, the archive format has to be six things: openly documented, so anyone can write a parser without reverse engineering; permissively licensed, so implementing it requires nobody’s permission; readable with standard tooling, so a customer can inspect their own archive tomorrow without the platform; verifiable, so checksums and record counts let a third party confirm the export is complete and untampered; implementation-plural, meaning at least two independent codebases write and read it; and vendor-surviving, meaning the spec lives somewhere that outlasts any company that contributed to it.
The container industry already ran this exact play, and the history is worth getting right because it assigns the virtue correctly. In June 2015, Docker took the two things that made containers Docker-shaped - its image format and its runtime, runc - and donated them to a newly formed Open Container Initiative under the Linux Foundation. Docker did not stop being a company or open-source its platform. It gave up unilateral control of the format, and that single move is what turned “runs on Docker” into “runs anywhere”: containerd, CRI-O and Podman followed as independent implementations, and portability became the category’s default property rather than one vendor’s promise. WebAssembly repeated the pattern for compute - a W3C standard with multiple competing engines, which is precisely why nobody worries about their .wasm binaries being stranded. The lesson is not that proposing a format is presumptuous. The opposite: publishing a candidate spec and offering it to neutral governance is the virtuous first move, the one Docker made. The failure mode is keeping the format captive - and the current memory market is all candidates, no donations.
The sequence that turns a dialect into a standard. Stage two is the move that matters - and the one no memory vendor has made. Everything before it is a well-documented dialect; everything after it is portability.
What would the neutral archive actually contain? Not any existing product’s schema - the point of a standard is that it is nobody’s internal format - but the shape of the manifest is easy to sketch. Something a procurement team, an auditor or a competing importer could open and understand in one screen:
{
"format": {
"spec": "https://example.org/memory-archive/spec",
"version": "1.0",
"license": "CC-BY-4.0"
},
"created_at": "2026-07-14T06:00:00Z",
"exported_by": "vendor-platform-name/4.2.1",
"source_platforms": ["vendor-platform-name"],
"coverage": {
"from": "2025-01-08",
"to": "2026-07-13"
},
"records": {
"facts": 18432,
"decisions": 921,
"relationships": 44210,
"participants": 63
},
"scopes": ["org", "team:data", "personal"],
"integrity": {
"algorithm": "sha256",
"archive_checksum": "9f2c4a...e81b",
"per_file_manifest": "checksums.txt"
}
}
Everything in that sketch serves the exit scenario. Record counts let you verify nothing was silently dropped. The date range tells you what period you hold. Scopes tell the importer which permission boundaries to reconstruct before anything is shared. The checksum block means a third party can attest completeness without trusting either vendor. And verification is genuinely trivial - ten lines of Python, no SDK, no API key, no platform:
import hashlib, json, sys
manifest = json.load(open("manifest.json"))
digest = hashlib.sha256(open(sys.argv[1], "rb").read()).hexdigest()
claimed = manifest["integrity"]["archive_checksum"]
total = sum(manifest["records"].values())
print(f"records claimed: {total:,}")
print(f"checksum match: {digest == claimed}")
# -> records claimed: 63,626
# -> checksum match: True
That a customer can run those ten lines against their own memory, on their own machine, with the vendor’s servers switched off, is the entire meaning of ownership in this context. Every requirement in this section is boring, established engineering. None of it is a research problem. It is a coordination problem wearing a technical costume.
Protocol portability is the other half
An archive format solves the divorce. It does not solve the marriage. Batch export is what you reach for when leaving; what prevents lock-in from accumulating in the first place is the ability to run more than one tool against the same memory while you stay. That requires the second half of the standard: a read/write protocol, so that an agent, an IDE and a chat interface from three different vendors can consult and update one memory store the way three different mail clients speak IMAP to one inbox.
The protocol requirements are as unexotic as the archive’s. Transport-agnostic, so it works over plain HTTP without vendor SDKs. Standard authorization - OAuth, not bespoke key schemes - so enterprises can govern access with the machinery they already run. Discoverable, so a client can ask a memory server what scopes and capabilities it offers. And versioned, with a real deprecation policy, so implementations written this year still interoperate in three.
There is an obvious precedent for standardizing exactly this kind of seam, and it is instructive both for what it did and for what it has not done. The Model Context Protocol took the tool-access seam - how models call external capabilities - and turned it from N-times-M custom integrations into one contract, now governed under a foundation rather than a single company. Its 2026-07-28 release candidate formalizes an Extensions framework: independently versioned, separately maintained additions to the core spec, which is structurally the natural home for a memory interface. And yet the 2026 roadmap does not mention memory at all - its priorities are transport, agent communication, governance and enterprise readiness - and no memory extension has been proposed through the project’s enhancement process, let alone shipped. I read that absence as opportunity rather than indifference. The rails for a neutral memory protocol now exist, formally, with governance attached. Nobody has put a train on them.
So the full standard is two documents, not one: an archive format for the memory you take with you, and a wire protocol for the memory you share while you stay. Either alone leaves half the lock-in intact. A protocol without an archive means your memory is interoperable right up until the vendor hosting it changes terms. An archive without a protocol means you own a snapshot while the living state stays captive. Together they change the default posture of the whole stack: tools become clients of your memory rather than owners of it, and adding or dropping a tool stops being a data event at all.
The two halves of the standard. The wire protocol prevents lock-in from accumulating while you stay; the archive format makes leaving lossless. Either half alone leaves the other door locked.
The regulatory case (which is already settled)
Let me preempt the strongest objection first, because it is a good one. In March 2026, the Court of Rome annulled the Italian regulator’s fine against OpenAI, the most prominent GDPR enforcement action yet taken against a generative AI provider - so anyone claiming that European courts are reliably punishing AI companies over data rights is ahead of the evidence. Court enforcement is contested. The statutory obligations are not, and the distinction matters, because compliance programs and procurement requirements are built on what the law says, not on which fines survive appeal.
And what the law says is unusually on-point. Article 20 of the GDPR gives every person the right to receive the personal data they provided to a controller “in a structured, commonly used and machine-readable format” and to transmit it to another controller without hindrance - including, where technically feasible, direct controller-to-controller transmission. Read that against the export table above. A text summary of what an AI remembers about a person is a weak answer to “structured and machine-readable”; no export at all, the current state of the largest consumer memory feature, is not an answer. Article 17 adds the right to erasure, which has a quieter architectural implication: you cannot credibly erase what you cannot enumerate. A memory system that can’t produce a complete, structured account of what it holds about a person can’t demonstrate it deleted it either. Portability and erasure are the same engineering problem wearing two legal hats.
The enforcement side is not standing still, it is switching on. Under the EU AI Act, the Commission’s enforcement powers over general-purpose AI providers activate on August 2, 2026 - nineteen days after this piece goes live - ending the one-year grace period since the underlying obligations took effect, with penalties for GPAI violations reaching 15 million euros or 3 percent of global turnover. European regulators have also been explicit that AI memory sits inside existing data protection law: the EDPB’s Opinion 28/2024 works through how GDPR applies to AI models processing personal data, which is what every memory feature in the table does for a living. And this is not only a European clock. California’s CCPA grants access to personal information in a readily useable format plus deletion rights, roughly twenty US states now run comprehensive privacy statutes with portability provisions, and every one of them was written broadly enough to cover a vendor’s memory store about a person.
Sitting in Helsinki, the practical reading is straightforward: for any vendor selling memory to organizations with European employees or customers, structured export is not a differentiator to schedule for some future quarter. It is a compliance surface with an enforcement authority attached and a start date on the calendar. The vendors treating portability as a nice-to-have are accumulating a liability they have not priced.
The economic case
For buyers, the numbers on what lock-in already costs are in, and they are stark. Zapier’s 2026 enterprise survey on AI vendor lock-in - 542 US executives with paid AI contracts - found 81 percent concerned about dependency on specific AI vendors, and only 6 percent saying they could drop their primary vendor without disruption. The gap between belief and experience is the striking part: 89 percent think they could switch providers within a month, while 58 percent of those who actually attempted a migration report it failed outright or took far more effort than expected. That gap lives at the memory layer. Endpoints swap in a sprint. Accumulated context is what makes the confident one-month estimate wrong.
The confidence gap, measured. Nine in ten leaders believe a vendor switch takes a month; among teams that actually tried, a majority found it failed or ran far over. Only six percent can leave their primary vendor cleanly - which is another way of saying the memory layer has already locked.
For vendors, the honest framing is a trade. Captive memory is a moat, and moats are valuable - but this particular moat appreciates as a liability at the same rate it appreciates as an asset. Every month of accumulated, non-exportable memory deepens the switching cost and deepens the exposure under the statutes above, while making the eventual forced-export retrofit more expensive. And the moat has a reputational price that compounds too: sophisticated buyers have learned to read “no export” as “we plan to charge you for leaving,” and procurement teams increasingly ask the exit question before signing, not after. Meanwhile the productivity drag of memory that cannot move runs in the background of every tool change, every reorganization, every vendor evaluation that dies at the migration estimate - and the productivity tax compounds when you can’t switch tools, because the re-explanation cost of starting over gets paid by every person on the team, every time.
Exportability inverts the trade. A vendor with a documented, verifiable archive turns the enterprise trust conversation from adversarial to trivial: here is your memory, here is the spec, here is the checksum, leave whenever you want. Confidence that you can leave is what makes committing rational. The counterintuitive economics of portability - the ones OCI proved for containers - are that lowering the exit cost raises the entry rate.
What the next decade looks like
Two paths fork from here, and the fork is being taken now - by default, in this year’s product roadmaps and procurement decisions, mostly without anyone naming it.
On the proprietary path, each platform’s memory is a silo, switching costs quietly become the business model, and the moats work - for a while. Organizations wake up in 2029 with five years of institutional knowledge distributed across three vendors’ opaque stores, none of it consolidatable, all of it hostage to renewal negotiations. Regulators, armed with the statutes above and mounting complaints, start treating memory stores the way they treated closed banking data before open banking: as infrastructure too important to stay captive. The vendors on this path accumulate regulatory exposure faster than they accumulate moat, and the correction, when it comes, is imposed rather than designed.
On the portable path, memory outlives models and vendors both. Your organization’s accumulated knowledge sits in a documented format you hold, served over a standard protocol, and the tools competing for your subscription compete on what they do with that memory - retrieval quality, reasoning, knowing when not to answer, integrations - rather than on the fact that they hold it hostage. Models keep commoditizing, tools keep churning, and none of it threatens the asset, because the asset is yours in the only sense that survives contact with a vendor’s worst quarter: readable, verifiable, elsewhere. June’s three-week disappearance of a frontier model previewed this decade’s texture - models will vanish, get banned, get deprecated, get leapfrogged. Memory should be the layer of the stack that cannot.
Getting to the second path needs exactly one thing that does not currently exist: a candidate standard on the table under neutral governance. Not another proposal in a personal repository - a donated one. The venue already exists: MCP now lives under the Linux Foundation’s Agentic AI Foundation alongside the extension machinery a memory interface would slot into. The move that history rewards is Docker’s move: publish the spec, hand over control, let competitors implement it, and win on the product instead of the format. The first memory vendor to do this sets the terms of the standard everyone else will have to meet. The window for being first is measured in months, and it is the rare strategic decision that is also, simply, the right thing to build.
Three signals will tell you which path is winning, and all three are checkable from the outside. Watch for a vendor donating a memory format to neutral governance rather than publishing one more repository it controls. Watch for a memory extension entering the Model Context Protocol’s enhancement process, because that is where a wire protocol would surface first. And watch for the first regulator or major RFP to name structured memory export explicitly, which converts this argument from strategy into requirement. Any one of these moves the decade. Until one happens, every month is a month of memory accumulating on the wrong side of the wall.
So what?
Add one question to every AI memory procurement conversation, and put it in the RFP verbatim: “Can I export my entire workspace - every memory, relationship, attribution, and temporal annotation - as a documented open format I can read with standard tooling tomorrow, without your platform? And can a competing product write it back?” The second sentence is the import symmetry test, and it is the one single-vendor open formats fail. Any answer other than two yeses is a number: the switching cost you are agreeing to pay later, compounding from the day you sign.