An attack where malicious content is injected into an AI agent’s memory or context, causing it to alter its behaviour in subsequent tasks — potentially exfiltrating secrets, escalating privileges, or acting against its intended purpose.
Expanded Definition
Memory poisoning in agentic systems occurs when malicious or malformed content is inserted into an AI agent’s working memory, long-term memory, or conversation state so later decisions are steered by attacker-controlled context. In practice, this can affect tool selection, prompt interpretation, and policy compliance.
Definitions vary across vendors because some products separate “memory,” “context,” and “retrieval” while others blur them together. That distinction matters: a poisoned vector store, a compromised session cache, or a tampered message history can all produce similar outcomes even though the technical path differs. The OWASP Top 10 for Agentic Applications 2026 treats this as part of broader agent trust and input integrity risk, which is why incident response must consider both the memory layer and the agent runtime.
For NHI and IAM teams, the key question is not whether the agent “remembers” something, but whether that remembered content can influence an action that touches secrets, privileges, or external systems. The most common misapplication is treating memory poisoning as ordinary prompt injection, which occurs when defenders ignore persistent storage or retrieval pathways that survive the original session.
Examples and Use Cases
Implementing memory protections rigorously often introduces retention and usability constraints, requiring organisations to weigh richer personalization against tighter data controls and more frequent sanitisation.
- An internal support agent stores a fake “approved exception” in memory and later uses it to bypass normal approval routing when opening a ticket.
- A code-generation agent retrieves poisoned project notes and begins recommending commands that exfiltrate API keys from CI/CD variables.
- A procurement assistant caches a fabricated vendor identity and later grants the wrong workflow access because the memory entry looks trustworthy.
- A SOC triage agent learns a manipulated incident summary and suppresses alerts that should have triggered escalation, creating a delayed response window.
These scenarios become more dangerous when the agent also holds non-human identities, because a poisoned memory entry can alter how the agent uses service account tokens, API keys, or delegated permissions. The Ultimate Guide to NHIs is useful here because it frames identity lifecycle, visibility, and rotation as operational controls rather than abstract best practice. In parallel, the OWASP Top 10 for Agentic Applications 2026 helps teams separate memory integrity failures from broader prompt and tool abuse.
Why It Matters in NHI Security
Memory poisoning is an NHI security issue because the agent’s memory often becomes a hidden decision layer for privileged automation. If that layer is compromised, an attacker may not need to steal credentials directly; they can instead shape how the agent uses the credentials it already has. That makes memory hygiene part of access control, not just model safety.
NHIMG research shows that Ultimate Guide to NHIs reports 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why poisoned memory that manipulates those identities is so operationally dangerous. It also aligns with the governance concerns raised in the same guide around visibility, rotation, and offboarding. When memory poisoning meets overprivileged NHI access, the result is often lateral movement, secret exposure, or unauthorized task execution.
Practitioners should treat memory controls as part of the same trust boundary that governs secrets managers, vault access, and delegated tooling. Organisations typically encounter the consequences only after an agent has repeated a bad action, leaked a secret, or escalated access, at which point memory poisoning becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Covers agent input integrity and memory abuse as a primary attack path. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Maps to identity misuse when poisoned memory drives secret or token abuse. |
| NIST Zero Trust (SP 800-207) | SC-3 | Supports continuous trust evaluation when agent state may be manipulated. |
Validate stored context, constrain retrieval, and review agent memory writes before they affect tool use.
