An attack that influences what an AI agent remembers across sessions so later decisions are shaped by false assumptions. In autonomous workflows, memory can become part of the control plane because biased recall may make harmful actions look normal, approved, or previously validated.
Expanded Definition
Memory injection is the deliberate shaping of an AI agent’s retained context so that later actions are based on false, incomplete, or attacker-influenced assumptions. In NHI security, the concern is not just prompt tampering in a single turn, but persistence across sessions, workflows, and tool use. That makes memory a control surface, especially when an agent can retrieve prior observations, policy notes, or user preferences and then act on them without fresh verification. Definitions vary across vendors because “memory” may mean vector stores, conversation summaries, task state, or long-lived agent notes. The security issue is the same: untrusted content is treated as trusted state. Guidance from the NIST Cybersecurity Framework 2.0 is useful here because memory integrity maps directly to protection and detection outcomes for systems that make decisions from stored context. NHI Management Group treats memory injection as a governance problem as much as a technical one, because the attacker is often aiming to influence future authorisation, not just a single response. The most common misapplication is treating memory as harmless convenience, which occurs when organisations persist agent notes without provenance checks or expiry rules.
Examples and Use Cases
Implementing memory controls rigorously often introduces friction, because safer recall usually means more review, shorter retention, and more constrained autonomy.
- An agent tasked with procurement “remembers” that a vendor was already approved after a malicious note is inserted into long-term memory, causing repeat purchasing without fresh validation.
- A customer-support agent stores a false exception about account recovery steps, and later follows that memory during a privileged workflow, bypassing normal verification.
- An operations agent reads a poisoned incident summary from a prior session and suppresses alerts because the memory makes the false state appear previously confirmed.
- An internal assistant is exposed to external content through retrieval, and the agent later treats that content as policy guidance unless the memory layer is isolated and signed.
- For background reading on broader NHI exposure patterns, NHI Management Group’s Ultimate Guide to NHIs helps frame why persistent trust in non-human actors becomes risky when identity state is not tightly governed.
This is closely related to persistent state abuse discussed in NIST Cybersecurity Framework 2.0, especially where stored context influences downstream action selection. The practical distinction is that memory injection targets what the agent believes has already happened, not merely what it is asked right now.
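The procurement example above, and the point that a memory layer should be isolated and signed, come down to one rule: a recalled note may drive a privileged action only if its integrity, provenance and age check out. The following is an added example (not code from NHI Management Group or any named product) of a memory store that enforces that rule; the key, source labels and TTL values are constructed, and it assumes the process that writes and seals notes is separated from the retrieval path that feeds the agent.

```python
import hashlib, hmac, json, time
from dataclasses import dataclass

# Hypothetical integrity key; a real deployment would fetch it from a secrets manager.
MEMORY_KEY = b"constructed-demo-key"
# Provenance classes allowed to justify a privileged decision (approval,
# exception handling, alert suppression). Retrieved web or email content is not one.
TRUSTED_SOURCES = {"policy-service", "human-approver"}

@dataclass
class MemoryEntry:
    key: str
    content: str
    source: str        # who wrote the note (provenance)
    written_at: float  # epoch seconds
    ttl_seconds: int   # retention rule: stale notes must be re-validated
    mac: str = ""

    def expected_mac(self) -> str:
        # The MAC covers content AND provenance, so a note cannot be relabelled
        # from "web-retrieval" to "human-approver" after it was written.
        payload = json.dumps([self.key, self.content, self.source,
                              self.written_at, self.ttl_seconds]).encode()
        return hmac.new(MEMORY_KEY, payload, hashlib.sha256).hexdigest()

class MemoryStore:
    def __init__(self):
        self._entries = {}

    def write(self, key, content, source, ttl_seconds, now=None):
        entry = MemoryEntry(key, content, source,
                            time.time() if now is None else now, ttl_seconds)
        entry.mac = entry.expected_mac()
        self._entries[key] = entry

    def recall(self, key, privileged, now=None):
        """Return (content, reason); content is None when the note must not be relied on."""
        entry = self._entries.get(key)
        if entry is None:
            return None, "no-memory"
        if not hmac.compare_digest(entry.expected_mac(), entry.mac):
            return None, "integrity-failure"     # modified after it was written
        now = time.time() if now is None else now
        if now > entry.written_at + entry.ttl_seconds:
            return None, "expired"               # retention limit reached
        if privileged and entry.source not in TRUSTED_SOURCES:
            return None, "untrusted-provenance"  # retrieved content is not policy
        return entry.content, "ok"
```

The reason string is what the agent should log and act on: anything other than "ok" means the recalled belief must be re-verified rather than treated as already validated.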
Why It Matters in NHI Security
Memory injection matters because autonomous systems often act on recalled state with more confidence than they deserve. If an attacker can influence what an agent “remembers,” they can steer tool calls, approvals, exception handling, and escalation paths without needing continuous access. That creates a control-plane problem for NHIs: the agent may appear compliant while repeatedly executing harmful actions that seem pre-validated. The risk is amplified in environments where secrets, tickets, policy summaries, and workflow notes are stored alongside operational memory. NHI Management Group research shows that only 5.7% of organisations have full visibility into their service accounts, and that lack of visibility often extends to the state an agent carries forward between sessions. Combined with the finding that 79% of organisations have experienced secrets leaks (reported in NHI Management Group’s Ultimate Guide to NHIs), this makes memory a plausible path for replaying leaked assumptions into new decisions. Organisations typically notice the consequence only after a harmful action has already been repeated from a poisoned prior session, at which point addressing memory injection becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent memory poisoning | A core agentic AI abuse pattern. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Persistent agent state can drive unauthorized NHI actions. |
| NIST CSF 2.0 | PR.DS-5 | Covers integrity of data at rest, including agent memory stores. |
Protect memory stores with integrity controls, retention rules, and monitoring.