The Context Vault Becomes the Retrieval Gate
Misha Sulpovar, Benn R. Konsynski, Qaish Kanchwala, and Gabe Goodhart's ContextNest paper treats retrieved knowledge as a governed artifact before it becomes agent context.
The Paper
The paper is ContextNest: Verifiable Context Governance for Autonomous AI Agents, arXiv:2607.02116 [cs.AI]. The arXiv record lists v1 as submitted on July 2 2026 and lists the authors as Misha Sulpovar, Benn R. Konsynski, Qaish Kanchwala, and Gabe Goodhart. The arXiv metadata title uses the singular "Agent," while the paper HTML and PDF title use "Agents"; this page follows the paper text.
The angle is simple: retrieval relevance is not the same thing as organizational permission to use a document as knowledge. An agent can retrieve a passage that is textually relevant while the passage is stale, unapproved, unattributed, modified after publication, or impossible to reconstruct later. ContextNest names that difference as context governance.
Governance Gap
The paper's "context governance gap" is the distance between giving an AI system access to information and knowing that the information it consumed was approved, current, attributable, versioned, tamper-evident, and auditable. That gap matters most when agents leave the chat window and answer policy questions, draft decisions, coordinate workflows, or invoke tools on behalf of an organization.
A vector index can make old and new policy text equally searchable. A keyword retriever can surface a deprecated runbook because the words still match. A dense index can return a near neighbor whose organizational status is wrong. None of those failures require the model to be malicious or confused. The retrieval layer can do its relevance job while the governance layer is absent.
Vault Mechanics
ContextNest proposes a governed knowledge vault rather than another answer generator. Its atomic unit is a typed Markdown document with YAML frontmatter. Documents can be marked as documents, snippets, glossary entries, personas, prompts, sources, tools, or references. Cross-document links use contextnest:// URIs, and tags plus explicit references form a graph that can be resolved without converting every sentence into triples.
The control machinery is deliberately artifact-shaped. A stewardship layer binds principals to scopes and roles. Published document versions are protected by SHA-256 hash-chained histories. Vault-wide checkpoints bind the current graph state to per-document chain hashes. The system can reconstruct the version of the graph that existed at a prior checkpoint and detect later history rewrites by checking the chains.
The specification also defines deterministic set-algebraic selectors. Instead of asking which passage is semantically closest, a selector can ask for a structural set, such as published incident runbooks for a named service. Source nodes extend the vault to live data through the Model Context Protocol, but the paper keeps hydrated external results inside an audit model rather than treating live tool output as unrecorded background context.
Retrieval Boundary
The paper is careful not to claim that ContextNest replaces Retrieval-Augmented Generation. Its composition is underneath RAG: first determine which artifacts are approved, current, attributable, integrity-verified, and eligible for AI use; then let retrieval operate over that governed subset. Semantic search remains delegated through the contextnest://search/{query} surface rather than built into the vault format.
This boundary is the useful part. RAG answers a relevance question. ContextNest answers a governance question. An organization using both would not ask a vector index to prove who approved a policy version. It would ask the vault to produce an eligible, checkpointed corpus, then let retrieval choose useful passages inside that corpus.
Experiments
The paper reports two first empirical results, and both should be read as controlled demonstrations rather than broad retrieval benchmarks. In a 30-query stale-version attack, the authors compared governed selector resolution with two BM25 conditions. The selector condition reached a 97 percent answer-quality pass rate at an average 215 input tokens. BM25 over a leaky corpus that included version history reached 93 percent at 655 tokens, and BM25 over a clean published-only corpus reached 90 percent at 725 tokens.
The second experiment measured determinism over a synthesized 1,060-document corpus. The selector and BM25 baselines returned stable document sets across 50 queries and 20 repetitions per method, with mean Jaccard 1.0. A dense + HNSW baseline using bge-small-en-v1.5 embeddings and FAISS HNSW was nondeterministic on 40 of 50 queries, with mean Jaccard 0.611 and worst-case 0.210. The point is not that dense retrieval is bad; the point is that audit replay needs the knowledge set to be reproducible after the fact.
Context Receipt
A ContextNest-style receipt for an agent answer would include the vault checkpoint, selector expression or URI, resolved document IDs, consumed version numbers, chain hashes, author or steward fields, publication status, source-node hydration records, result hashes for live data, model route, access timestamp, and the agent output that consumed the context. If the answer is challenged later, the receipt should let a reviewer reconstruct the knowledge basis, not just read the final response.
That changes the audit posture. The question becomes less "did the model cite something plausible?" and more "which governed artifact was injected, under whose authority, at which checkpoint, and could the same artifact set be reconstructed now?"
Claim Boundary
The paper specifies inference-time knowledge governance. It does not solve agent identity, owner attestation, revocation, action authorization, training-data governance, multi-user editing, real-time conflict resolution, or every form of tamper prevention. Its hash-chain mechanism detects history modification; it does not stop an actor with write access from attempting a modification. Its author attribution is document-level in v1, not line-level.
The experiments are also bounded. The stale-version suite is synthesized and intentionally adversarial. The determinism corpus is structured. Sparse retrieval was tested more fully than dense retrieval in the stale-version setup, and the paper labels several larger experiments as scheduled or in progress. Within those limits, the work gives a clear governance lesson: the retrieval gate should not open until the context vault can say what is eligible, current, attributable, integrity-checked, and reconstructible.
Sources
- Misha Sulpovar, Benn R. Konsynski, Qaish Kanchwala, and Gabe Goodhart, ContextNest: Verifiable Context Governance for Autonomous AI Agent, arXiv:2607.02116 [cs.AI], checked for arXiv metadata, submission date, subject class, authors, abstract claims, and DOI record.
- arXiv HTML for ContextNest: Verifiable Context Governance for Autonomous AI Agents, checked for paper title, abstract, context governance gap, RAG complementarity, architecture overview, implementation description, experiments, limitations, and conclusion.
- arXiv PDF for ContextNest: Verifiable Context Governance for Autonomous AI Agents, checked against the HTML for author/title presentation, paper date, table values, reference-implementation discussion, and limitations.