Subscribe to the Non-Human & AI Identity Journal
Home FAQ What do security teams get wrong about memory…

What do security teams get wrong about memory in agent systems?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026

Security teams often treat memory as if a vector store were enough. In practice, memory includes working state, durable state, and policy-relevant context, each with different access, retention, and audit needs. If those are collapsed into one mechanism, the system becomes hard to govern, hard to troubleshoot, and hard to prove after the fact.

Why This Matters for Security Teams

Memory is where an agent system quietly accumulates operational truth: instructions, short-term context, long-lived preferences, tool outcomes, and sometimes sensitive tokens or personal data. Security teams get into trouble when they secure the model but ignore the memory layer, or when they assume all stored context is low-risk because it is “just metadata.” That view misses how memory shapes future behavior, auditability, and blast radius.

This matters because memory often becomes the hidden control plane for agent decisions. If the agent can retrieve prior user requests, prior tool outputs, or policy exceptions, then stale, poisoned, or overexposed memory can turn a safe workflow into a repeatable failure. Guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point to the same issue: context integrity is a security property, not just a product feature. In practice, many security teams encounter memory abuse only after an agent has already repeated the wrong action from a prior interaction, rather than through intentional governance.

How It Works in Practice

Operationally, memory in agent systems usually spans three layers. Working state is the transient context needed to complete the current task. Durable state is stored memory meant to persist across sessions, such as preferences, case notes, or task history. Policy-relevant context is any retrieved information that affects authorisation, routing, or output constraints. These layers need different retention, access, and review rules, even when they are implemented in the same application stack.

Security teams should treat memory as governed data flow, not a single bucket. That means defining what can be written, who can read it, when it expires, and how it is validated before reuse. It also means separating user convenience features from security-critical context. For example, a chatbot remembering a writing style is not the same as an agent remembering an approval exception or a token-bearing tool response. NHIMG’s research on agentic risk patterns, including the OWASP NHI Top 10, shows why persisted context can become an identity and access problem when it is tied to tool use, delegated action, or secrets handling.

  • Classify memory by function before you choose a storage mechanism.
  • Keep secrets, credentials, and tool tokens out of general conversational memory.
  • Apply retrieval filters so only policy-approved context can influence execution.
  • Log memory writes, reads, and deletes with enough detail to reconstruct decisions later.
  • Test whether retrieved context can be poisoned, replayed, or made stale.

Current guidance suggests pairing this with adversarial testing from the MITRE ATLAS adversarial AI threat matrix and, where agents hold or broker credentials, tighter NHI controls and secret lifecycle discipline. These controls tend to break down when memory is embedded in loosely governed plugins, shared caches, or external vector stores because provenance and deletion guarantees become difficult to enforce.

Common Variations and Edge Cases

Tighter memory controls often increase latency, operational overhead, and developer friction, so organisations have to balance resilience against convenience. That tradeoff matters most when agents are expected to personalise responses, remember workflows, or coordinate across multiple tools without human review.

There is no universal standard for how much memory an agent should retain, so the practical answer depends on risk. Best practice is evolving toward memory minimisation, scoped persistence, and explicit separation between user experience memory and security-relevant state. For regulated or high-impact use cases, the safest pattern is to store the minimum needed, make retrieval explainable, and delete aggressively when context is no longer needed. This is especially important in agentic systems that handle credentials, customer data, or actions with real-world side effects.

Edge cases show up in shared assistants, multi-tenant platforms, and workflows that blend RAG with long-term memory. A vector store can support retrieval, but it does not by itself provide governance, lineage, or revocation. If the same memory layer is reused across tenants or across trust boundaries, one poisoned record can influence multiple sessions. When memory is tied to identity, access decisions, or delegated execution, teams should map it to the same controls they would use for privileged workflow state, not to lightweight product analytics.

For deeper context on how agent incidents emerge in the wild, NHIMG’s reporting on CoPhish OAuth Token Theft via Copilot Studio and the Gemini AI Breach — Google Calendar Prompt Injection shows how quickly stored context can become an attack path when governance is bolted on after deployment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, MITRE ATLAS and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Memory safety and context integrityAgent memory can be poisoned, replayed, or overexposed across sessions.
NIST AI RMFAI RMF governance covers lifecycle risk for persistent agent context.
MITRE ATLASData PoisoningPersistent memory can be manipulated like adversarial training or inference data.
NIST CSF 2.0PR.DS-1Memory stores sensitive data that needs governance across storage and transfer.
OWASP Non-Human Identity Top 10Agent memory often stores or influences credentials and delegated access.

Classify memory, restrict retrieval, and test for prompt and context abuse before production.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org