RECORD: AGENTIC_DEV_013LEVEL: foundationAGENTIC_BYTE

Memory: What Agents Should Remember (and Forget)

Published: Unknown
Reading Time: 10 MIN

"Understand different types of agent memory and how to use them without creating confusion, drift, or privacy risks."

Modern SAP AMS: outcomes, not ticket closure — and how to use agentic ways of working without losing control

The interface queue is backing up again. Shipping is blocked, billing is late, and the incident is already on its third reopen. At the same time, a “small” change request sits in the backlog: adjust a pricing rule, update a batch processing chain dependency, and add a validation in a custom enhancement. Someone says, “Just close the ticket and move on.” Everyone knows it will come back after the next release.

That is the L2–L4 reality in SAP AMS: complex incidents, change requests, problem management, process improvements, and small-to-medium developments—all connected by the same weak points: unclear ownership, missing evidence, and knowledge that lives in people’s heads.

Why this matters now

Many AMS contracts and internal scorecards still reward green SLAs: response times, closure times, throughput. Those metrics can look healthy while the business feels constant friction.

What green SLAs often hide:

  • Repeat incidents: the same IDoc failures, batch delays, authorization issues, or master data errors returning after every release or data load.
  • Manual work that never ends: triage done by senior people because intake is low quality; fixes applied without root cause; runbooks out of date.
  • Knowledge loss: handovers where the “real rules” are undocumented; new team members learn by firefighting.
  • Cost drift: more tickets and more escalations, but no reduction in underlying defect rate.

A more modern AMS operating model optimizes for outcomes you can feel in operations: fewer repeats, safer change delivery, stable run costs, and a learning loop that turns incidents into prevention. Agentic / AI-assisted workflows can help—mainly in triage, evidence collection, and documentation—but only if memory and access are controlled. Otherwise you get faster confusion.

The mental model

Classic AMS is a throughput machine: accept tickets, classify, resolve, close. Success is “closed within SLA.”

Modern AMS is a control loop:

  1. Detect (monitoring + tickets)
  2. Stabilize (restore service safely)
  3. Learn (RCA with evidence)
  4. Prevent (problem fixes, monitoring rules, process changes, small enhancements)
  5. Standardize (runbooks + knowledge lifecycle)

Two rules of thumb I use:

  • If a ticket reopens, treat it as a problem until proven otherwise. Reopen rate is a signal of missing root cause or weak testing.
  • No production change without an evidence trail and rollback plan. Speed without rollback discipline is just delayed downtime.

What changes in practice

  1. From incident closure → to root-cause removal
    Closure is not the finish line. The finish line is “repeat rate goes down.” Mechanism: link recurring incidents to a single problem record, track countermeasures (code fix, config change, monitoring, training), and verify after the next release cycle.

  2. From tribal knowledge → to searchable, versioned knowledge
    Not “a wiki page somewhere,” but knowledge with ownership and expiry. The source record is clear: uncontrolled memory leads to inconsistent behavior and most agent bugs come from stale or misused memory. Treat runbooks, decision rules, and anti-patterns as versioned assets with review dates.

  3. From manual triage → to AI-assisted triage with guardrails
    AI can draft classification and ask for missing info, but it must not silently “remember” guesses. The source defines agent memory as persisted information that influences future behavior beyond the current request. That is powerful—and risky.

  4. From reactive firefighting → to risk-based prevention
    Focus on the top operational risks: interfaces/IDocs, batch chains, authorizations, master data, and release regressions. Prevention ownership is explicit: who owns monitoring rules, who owns runbook updates, who owns test coverage improvements.

  5. From “one vendor” thinking → to clear decision rights
    L2 can stabilize and collect evidence. L3/L4 decide on code/config changes. Security owns access decisions. Business owns functional sign-off for process changes and data corrections. Ambiguity is where delays and unsafe fixes happen.

  6. From “documentation later” → to documentation as part of done
    Every fix produces an artifact: updated runbook step, known error pattern, or checklist. If it is not written down, it will be rediscovered under pressure.

Honestly, this will slow you down at first because you are adding approval gates and knowledge hygiene. The payoff comes when repeats drop and senior people stop doing the same triage every week.

Agentic / AI pattern (without magic)

“Agentic” here means: a workflow where a system can plan steps, retrieve context, draft actions, and execute only pre-approved safe tasks under human control.

A realistic end-to-end workflow for a complex incident (L2–L3) might look like this:

Inputs

  • Incident ticket text + attachments
  • Monitoring alerts, logs, batch status summaries, interface/IDoc error texts
  • Recent change records and transport/import notes (not the transports themselves)
  • Runbooks and checklists (knowledge base)
  • Past RCAs (validated only)

Steps

  1. Classify and ask: draft category, impact, suspected area (interface vs batch vs auth vs master data). Ask for missing fields (business impact, timing, recent changes).
  2. Retrieve context (RAG): pull stable procedures and known patterns from long-term knowledge (runbooks, decision rules, anti-patterns). The source calls this “Long-term knowledge (RAG)” with lifetime “days to months.”
  3. Propose action: generate a short plan: stabilize steps, evidence to collect, likely causes, and safe checks to run.
  4. Request approval: if any action touches production behavior (restarts, reprocessing, config change, data correction), the agent requests explicit approval with a rollback plan.
  5. Execute safe tasks: only pre-approved, low-risk actions (for example: compile an evidence pack, draft a timeline, prepare a communication update). Anything that changes data or configuration stays human-executed.
  6. Document: draft the incident summary, RCA draft, and proposed problem record. Crucially, it must state when memory influenced the answer—this is a guard in the source.

Guardrails

  • Least privilege: the agent can read logs/alerts and knowledge, but cannot change SAP configuration, execute data corrections, or move transports.
  • Separation of duties: the person approving is not the same identity executing production changes.
  • Audit trail: every step, retrieved document, and decision is logged and reviewable.
  • Rollback discipline: for any approved change, record rollback steps before execution.
  • Privacy: do not store sensitive personal data in memory. The source explicitly lists it as “what should not be memory.”
  • Memory hygiene: memory writes are explicit, scoped, and expire. Only validated information can become long-term memory.

What stays human-owned: approving production changes, authorizations/security decisions, business sign-off, and any data correction with audit implications. Also: final RCA conclusions. AI can draft; humans must validate.

A limitation: if your monitoring and runbooks are inconsistent, the agent will produce confident-looking output that is still wrong.

Implementation steps (first 30 days)

  1. Define “outcome” metrics
    Purpose: move beyond closure counts.
    How: add repeat rate, reopen rate, backlog aging, MTTR trend, change failure rate, and manual touch time (generalization: pick what you can measure).
    Success signal: weekly ops review discusses repeats and prevention, not only SLA.

  2. Map L2–L4 decision rights
    Purpose: reduce ping-pong and unsafe fixes.
    How: write a one-page RACI for incident stabilization, problem ownership, change approval, and data correction approval.
    Success: fewer “waiting for X” states in tickets.

  3. Create a “minimum intake” checklist
    Purpose: stop low-quality tickets from consuming senior time.
    How: require impact, timing, steps to reproduce, and evidence (logs/screenshots) before L3/L4 work starts.
    Success: fewer clarification loops; faster triage.

  4. Set up knowledge lifecycle rules (memory rules for humans and agents)
    Purpose: prevent stale guidance.
    How: classify knowledge into runbooks (stable), incident notes (expire), and preferences (explicit). Add scope + expiry, as the source recommends.
    Success: runbooks have owners and review dates.

  5. Pilot RAG on validated artifacts only
    Purpose: retrieval without pollution.
    How: index runbooks, approved checklists, and confirmed RCA findings. Exclude one-off errors and speculative conclusions (source: “what should not be memory”).
    Success: answers cite sources; fewer hallucinated “facts.”

  6. Design explicit memory writes
    Purpose: avoid hidden drift.
    How: require a human review step before anything becomes long-term knowledge; version it (source guard).
    Success: you can list what the agent “knows” and delete it safely.

  7. Introduce approval gates for “unsafe” actions
    Purpose: keep control in production.
    How: define safe vs unsafe tasks; unsafe requires named approver and rollback plan.
    Success: no production change executed without recorded approval.

  8. Run one end-to-end incident with the new workflow
    Purpose: learn where it breaks.
    How: pick a recurring pattern (interface backlog, batch delay, auth issue), produce an evidence pack, draft RCA, open a problem, implement one preventive action.
    Success: one repeat prevented or detected earlier next time.

Pitfalls and anti-patterns

  • Automating a broken intake process: faster garbage in, faster garbage out.
  • Trusting AI summaries without evidence links; “sounds right” is not proof.
  • Memory pollution: mixing facts and guesses (explicit failure mode in the source).
  • Stale memory reused as truth after releases or landscape changes.
  • Hidden memory influencing answers without disclosure (source failure mode).
  • Unbounded memory growth: everything kept forever, nothing trusted.
  • Over-broad access for convenience; least privilege gets ignored “temporarily.”
  • Missing rollback plans for config/code changes; recovery becomes improvisation.
  • No single owner for prevention; problems stay open while incidents keep coming.
  • Measuring only what is easy (ticket counts) and missing what matters (repeats, change failure).

Checklist

  • Do we track repeat and reopen rates for top incident categories?
  • Is there a clear RACI for L2–L4 decisions and approvals?
  • Does every production-affecting action have approval + rollback recorded?
  • Are runbooks and checklists versioned, owned, and reviewed?
  • Is agent memory explicit, scoped, and expiring?
  • Do we block sensitive personal data from being stored as memory?
  • Can the agent explain which retrieved knowledge influenced its plan?

FAQ

Is this safe in regulated environments?
Yes, if you treat the agent like any other operational tool: least privilege, separation of duties, audit trails, and explicit approvals. The risky part is uncontrolled memory and undocumented actions.

How do we measure value beyond ticket counts?
Use operational outcomes: repeat rate, reopen rate, MTTR trend, backlog aging, and change failure rate. Pair them with “manual touch time” to show where effort is going.

What data do we need for RAG / knowledge retrieval?
Validated, stable artifacts: runbooks, approved checklists, confirmed RCA findings, decision rules, and anti-patterns. The source is clear on exclusions: one-off errors, temporary states, speculative conclusions, and sensitive personal data.

How to start if the landscape is messy?
Start narrow: one interface flow, one batch chain, or one recurring authorization pattern. Build clean knowledge and evidence practices there first, then expand.

Will AI replace L3/L4 expertise?
No. It can reduce time spent on searching, summarizing, and drafting. Final technical decisions, production changes, and business risk calls remain human responsibilities.

What is the biggest failure mode you should expect?
False confidence from stale or polluted memory. If the agent “remembers everything,” it will produce inconsistent behavior—exactly the warning in the source.

Next action

Next week, pick your top recurring incident pattern and run a single “modern AMS” loop: stabilize → collect evidence → draft RCA → open a problem → implement one preventive control (monitoring rule, runbook update, or small fix) with explicit approval and rollback, and record what knowledge is allowed to persist—with scope and expiry.

#AGENT-MEMORY#RAG#STATE-MANAGEMENT#KNOWLEDGE-HYGIENE

Agentic Design Blueprint — 2/19/2026

EVOLVE_TO_NEXT_PATTERN

Prompt Injection & RAG Defense: How Agents Protect Themselves

About the Author
Dzmitryi Kharlanau

Dzmitryi Kharlanau

SAP Transformation & AMS Lead (S/4HANA Logistics, MDG/MDM, Integrations, Operations)·EPAM Systems

Lead SAP transformations and AMS modernization across S/4HANA logistics (SD/O2C), MDG/MDM, integrations, and operations. Focus: outcomes over ticket volume, reliable releases, and AI/agentic workflows for triage, knowledge retrieval, and safe automation with approvals and audit.

SAPAMSS/4HANAMDGMDMLogisticsSDOrder-to-CashIntegrationIDocAPIsEvent-Driven ArchitectureMonitoringAutomationAI