A persistence technique where an attacker modifies an agent’s instructions, memory, or behaviour files so future runs inherit malicious intent. In agentic systems, this is not just tampering with content. It is corruption of the identity state that shapes how the agent reasons and acts over time.
Expanded Definition
Agent configuration poisoning is the alteration of an agent’s persistent control plane, including instructions, memory stores, policy files, tool preferences, or environment-backed behavior settings, so future executions inherit attacker influence. In NHI security, the issue is not limited to bad content. It is a compromise of the state that governs how an autonomous agent interprets tasks, selects tools, and behaves across sessions.
Usage in the industry is still evolving, and definitions vary across vendors and platforms. Some teams treat it as a prompt integrity problem, while NHI practitioners view it as a persistence and governance issue because the poisoned configuration can outlive a single session and affect multiple runs. That distinction matters when agents are deployed with shared memory, synced configuration, or delegated access to secrets and actions. The closest adjacent concepts are prompt injection and model tampering, but those do not always persist into later executions the way configuration poisoning does. For governance context, the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both emphasize durable controls around integrity, monitoring, and accountability.
The most common misapplication is treating poisoned agent settings as a harmless prompt issue, which occurs when persistent configuration files are not validated after write access is granted.
Examples and Use Cases
Implementing agent configuration rigorously often introduces operational friction, requiring organisations to weigh agent autonomy and fast iteration against stronger change control, review, and rollback discipline.
- An AI coding agent stores task preferences in a local config file, and an attacker modifies that file so future code generations consistently insert unsafe dependency handling.
- A support agent’s long-term memory is poisoned so it ignores refund limits and routes sensitive account data to an attacker-controlled workflow.
- A DevOps agent pulls behavior settings from a shared repository, and a tampered commit changes the agent’s escalation logic to request broader secrets than intended.
- A customer-facing agent is restored from a compromised backup, and the restored instructions quietly preserve malicious routing rules across redeployments.
- Research on agent abuse patterns in the OWASP NHI Top 10 and the AI LLM hijack breach shows how durable instruction changes can survive normal session resets.
These cases often involve writable memory, shared config stores, or insufficient change approval around agent state. The critical issue is that the agent resumes operation believing the poisoned configuration is trusted.
Why It Matters in NHI Security
Agent configuration poisoning is a direct NHI governance failure because it turns a trusted autonomous identity into a long-lived attacker-controlled actor. Once the configuration layer is compromised, the agent may still authenticate correctly while performing malicious actions with valid credentials, making detection harder than a simple login anomaly. This is why NHI security treats configuration integrity as part of identity integrity, not just application hardening.
The risk compounds in environments where agents hold secrets, invoke tools, or operate with broad privileges. NHI Mgmt Group reports that 79% of organisations have experienced secrets leaks, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. When an agent’s memory or behavior files are poisoned, those same secrets and permissions can be weaponised repeatedly. Effective controls therefore include immutable baselines, signed configuration, restricted write paths, monitoring for drift, and rapid rollback of agent state. The issue also aligns with broader threat models in MITRE ATLAS adversarial AI threat matrix and CSA MAESTRO agentic AI threat modeling framework.
Organisations typically encounter the consequence only after an agent repeats a bad decision, exfiltrates data, or abuses tool access across multiple runs, at which point configuration poisoning becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Persistent agent state tampering fits secret and config integrity risks. |
| OWASP Agentic AI Top 10 | A2 | Agent persistence and tool misuse are core agentic application attack paths. |
| NIST AI RMF | AI RMF covers integrity, monitoring, and governance for manipulated AI behavior. |
Protect agent configs and memory with signed writes, restricted access, and drift detection.
