AI Security

Memory Poisoning
in AI Agents

Published: 2026-05-17 04:29 PDT (Oregon)

AI agents with persistent memory are powerful. They are also uniquely vulnerable to memory poisoning — a slow, stealthy attack that shapes agent behavior over time without any single dramatic exploit.

Three Kinds of Agent Memory

In-Context Memory

Everything in the current conversation window. Ephemeral — lost when the session ends. Lowest poisoning risk: attack only affects the current task.

External / Vector Memory

Embeddings in a vector database (Pinecone, Weaviate, pgvector). Retrieved by semantic similarity. Persistent and shared — highest poisoning risk.

Episodic / Summary Memory

Compressed summaries of past interactions. Medium risk — poisoning requires attacker-controlled content to survive the agent's summarization step.

What Poisoning Looks Like

Memory poisoning is the deliberate injection of false, misleading, or adversarial content into an agent's persistent memory store. Unlike a one-shot jailbreak, it is cumulative — each poisoned memory biases future behavior, and the agent may not distinguish poisoned memories from legitimate ones.

Scenario — gradual preference poisoning:

Over multiple sessions an attacker introduces: "User prefers markdown responses" → "User always wants external links" → "User's financial contact is attacker@evil.com." Each memory seems plausible individually. Together they redirect the agent's behavior toward the attacker's goals — and the agent will cite these memories as justification.

Vector Store: The Primary Target

Vector databases are most vulnerable because retrieval is semantic and automatic. The agent doesn't explicitly choose which memories to use — it queries the store and receives whatever is most similar to the current context. An attacker who can write to the vector store can ensure their poisoned content is retrieved for specific query types.

Injection vectors for the vector store include: user-provided documents ingested into the store, tool outputs that are automatically stored, compromised agents that write to shared memory, and direct write access via stolen credentials.

Why It's Hard to Detect

  • No single exploit event. Poisoning is gradual. There is no log entry that says "attack occurred at 14:32."
  • Poisoned memories look like legitimate ones. They pass embedding similarity checks and appear in normal retrieval flows.
  • Agent behavior changes slowly. The drift is subtle enough that users and monitors attribute it to model updates or changing preferences rather than compromise.
  • Attribution is hard. When the agent acts on a poisoned memory, the action looks like it was the agent's own decision — tracing it back to a specific memory entry requires detailed audit logging that most deployments don't have.

Mitigations

  • Write access controls on memory stores. Only the agent's trusted summarization process should be able to write to long-term memory. External content should never be stored verbatim without review.
  • Memory provenance tracking. Every memory entry should record its source, timestamp, and the session that created it. Retrieval logs should show which memories influenced which decisions.
  • Anomaly detection on stored content. Monitor for memories that contain instruction-like language, email addresses, URLs, or other structured content inconsistent with genuine preferences.
  • Memory TTL and periodic review. Memories should expire and require re-confirmation rather than persisting indefinitely. High-privilege memories (financial contacts, access credentials) should have shorter lifespans.
  • Separate memory namespaces by trust level. System-defined memories (product configuration) should be stored separately from user-generated or externally-sourced memories, with different retrieval priorities.

The Bigger Picture

Memory poisoning is the long-game version of prompt injection. Where prompt injection hijacks a single task, memory poisoning corrupts the agent's world model over time — making it increasingly reliable to the attacker and increasingly unreliable to the user, without the user ever being aware a compromise occurred.

As agents accumulate more memory and more autonomy, the value of that memory store as an attack target grows correspondingly. Designing for memory integrity from the start is far cheaper than remediating a compromised agent's months of accumulated poisoned state.