Subscribe to the Non-Human & AI Identity Journal

What breaks when project memory can be modified by a skill?

Persistent agent memory can preserve malicious instructions after the originating skill is removed, which defeats ordinary cleanup and review routines. Once memory is written, later sessions can inherit the attacker’s intent without another visible trigger. That is why memory writes need the same governance attention as configuration or code changes.

Why This Matters for Security Teams

When project memory can be modified by a skill, the risk is no longer limited to a single tool invocation. A skill can seed instructions, preferences, or malicious context into memory, and that content may survive long after the originating action is gone. That breaks the usual assumption that revoking a skill or closing a session removes the threat. For autonomous systems, memory becomes a durable control surface, not just a convenience layer.

This is why NHI Management Group treats memory governance as a change-control problem, not a documentation problem. The issue aligns closely with the broader NHI reality that identity sprawl and weak lifecycle discipline create lasting exposure, as discussed in the Ultimate Guide to NHIs. The same concern appears in NIST Cybersecurity Framework 2.0 language around governance, access control, and recovery: persistent state must be protected, reviewed, and recoverable. In practice, many security teams discover memory poisoning only after a later workflow behaves strangely, rather than through intentional review of what got written.

How It Works in Practice

The core failure mode is simple: a skill is granted permission to write to project memory, and that memory is later trusted by other sessions, tools, or agents. If the write path is not constrained, a low-trust skill can influence future high-trust behaviour. That is especially dangerous in agentic systems because memory often acts like an invisible policy input. Once malicious instructions are stored, ordinary cleanup of the skill does not necessarily remove the embedded intent.

Current guidance suggests treating memory writes as privileged actions with explicit approvals, logging, and validation. For agentic workloads, static RBAC alone is usually too coarse because access needs change by task and by context. Better patterns include intent-based authorisation, policy-as-code, and just-in-time access to memory endpoints so a skill can only write what is required for the current task. Where possible, separate read and write permissions, require provenance metadata on every memory update, and tie each write to a short-lived workload identity rather than a reusable secret.

Operationally, teams should ask four questions before allowing a skill to modify memory:

  • Who approved the write, and for what task?
  • What scope of memory can be changed?
  • How long does the write remain valid?
  • How is the content reviewed or revalidated later?

That model fits the broader NHI governance advice in the Ultimate Guide to NHIs, especially around lifecycle control and revocation, and it maps well to the governance emphasis in NIST Cybersecurity Framework 2.0. These controls tend to break down when memory is shared across many agents or synchronized across services because provenance and rollback become difficult to preserve.

Common Variations and Edge Cases

Tighter memory controls often increase operational overhead, requiring organisations to balance safer persistence against developer speed and agent autonomy. That tradeoff becomes sharper when skills are allowed to personalize memory, summarize prior work, or maintain long-running plans. Best practice is evolving here, and there is no universal standard for how much memory mutability is acceptable in every environment.

One common edge case is read-only memory that still becomes dangerous through indirect influence. A skill may not have explicit write permission, yet it can generate content that another trusted component stores on its behalf. Another is multi-agent orchestration, where one agent writes context that a different agent later interprets as authoritative. In those environments, the real control is not just write access but trust propagation. Teams should also be careful with “memory reset” features: clearing a visible UI cache may not erase backend embeddings, audit logs, or derived summaries.

For governance, the safest pattern is to treat memory changes like configuration changes: version them, diff them, review them, and revoke them when the originating purpose expires. That aligns with the lifecycle focus in the Ultimate Guide to NHIs. In hybrid environments, this guidance breaks down when memory is replicated into third-party tools or vendor-managed agent platforms because rollback and deletion guarantees are often inconsistent.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A10 Memory poisoning is a core agentic integrity risk.
CSA MAESTRO GOV-3 Governance is required for persistent agent state changes.
NIST AI RMF GOVERN Persistent memory needs accountability and oversight controls.
OWASP Non-Human Identity Top 10 NHI-03 Modified memory can outlive the skill that created it.
NIST CSF 2.0 PR.AC-4 Memory write privileges should follow least-privilege access control.

Treat memory updates as governed changes with approval, traceability, and rollback.