Memory poisoning is an attack on an AI system’s stored context, long-term memory, or retrieval data. Instead of changing the model itself, the attacker inserts or alters information that the AI will trust later, such as user preferences, task history, or instructions. When the agent recalls that corrupted memory, it may make unsafe, biased, or unauthorized decisions. This matters in cyber security because memory can persist across sessions and influence actions long after the original input is gone.
In real attacks, poisoning can happen through malicious prompts, compromised data sources, or manipulated tool outputs that get written into memory. A poisoned note might cause an agent to ignore safeguards, leak data, or approve the wrong action. Defenses include strict control over what can be written to memory, separating trusted from untrusted context, validating retrieved data, logging memory changes, and requiring human approval for sensitive steps. In agentic systems, memory is not just storage; it is part of the attack surface.



