Risk
Agent Memory and Context Poisoning
Description
Adversarial inputs commit malicious content into agent memory, vector stores, or context window โ evicting safety instructions or persisting across sessions.
Example
An attacker plants instructions in a shared memory store; subsequent agent sessions inherit the poisoned context and act on the attacker's directives across multiple users.
Assets Affected
Agent Memory / Cache
Dataset / RAG
AI Agent
Mitigation
- Validate inputs before commitment to memory
- partition memory per agent and per tenant
- integrity-check stored vectors
- limit context size
- monitor for cross-session anomalies.
Standards Mapping
- ISO: A.7.4
- OWASP agentic: ASI06
- OWASP LLM: LLM01:2025, LLM08:2025
- EU AI Act: Art. 15(5)
- DASF: Agents-Core 13.1, Agents-MCP Server 13.24
- AIUC-1: A005, B001