The AI System Needs a Right to Be Forgotten

Removing a source file is not enough. Private AI must forget across retrieval indexes, memory, logs, caches, evaluations and copied outputs.

The answer

An AI system remembers in more places than its interface admits. A source document may be deleted while its chunks remain in an index, its content survives in a conversation, its prompt sits in a log, its output enters an evaluation set and its conclusion is copied into a memo.

An AI system remembers in more places than its interface admits.

A source document may be deleted while its chunks remain in an index, its content survives in a conversation, its prompt sits in a log, its output enters an evaluation set and its conclusion is copied into a memo. “We removed the file” is not a deletion claim. It is one event in a memory chain.

Forgetting must be designed

Every information object needs an owner, purpose, locations, derived uses, retention rule and deletion trigger. The system must distinguish records that must be preserved from material that should disappear. Legal hold and audit do not justify indefinite operational recall.

The deletion cascade

- Remove or restrict the authoritative source.

- Delete derived embeddings, indexes and caches.

- Close conversations or persistent memory containing the material.

- Apply retention rules to prompts, outputs, traces and support logs.

- Identify downstream documents or actions that require correction rather than silent deletion.

- Record completion without retaining the secret itself as evidence.

The hard limit

Some model training effects cannot be cleanly removed from a general model. That is a reason not to permit sensitive material into training, not a reason to abandon lifecycle control elsewhere. Contracts should state training use explicitly and provide evidence for deletion within the provider-controlled layers.

The position

A private AI system should not be approved until the institution can execute a deletion request across the full use path and explain the legitimate exceptions. Memory is a capability. Unbounded memory is a liability.

Sources

  1. Swiss FDPIC — AI and data protectionSwiss FDPIC

    Primary authority

  2. Swiss FDPIC — Data securitySwiss FDPIC

    Primary authority

  3. EU — Rules for trustworthy artificial intelligenceEU

    Industry guidance

Jonathan P. De CollibusFounding Partner, Svperior / Cyber

Ross Belhomme

Ross leads Legal within Svperior GmbH. His work draws on more than two decades across international fiduciary, wealth-structuring, and private-client environments, combining legal, financial, and technical judgment around governance, privacy, assets, authority, and cross-border operating conditions.

Legal strategy / Governance / Private-client structuring / Digital assets

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
The AI System Needs a Right to Be Forgotten