3.15
.
Insecure Agent Memory and Vector Store Configuration
sail
3.15
Risk
Insecure Agent Memory and Vector Store Configuration
Description
Agent memory caches and vector stores are deployed with insecure defaults β public-by-default, unencrypted, or shared across multiple agents and tenants β creating a poisoning and exfiltration surface.
Example
A shared vector store backing five agents is created without per-agent partitioning, allowing one agent's poisoned context to influence the others (RAGPoison-class).
Assets Affected
Agent Memory / Cache
Dataset / RAG
AI Agent
Mitigation
- Encrypt memory and vector stores at rest
- partition stores per agent or tenant
- restrict access via scoped credentials
- validate inputs before commitment to memory
- periodic integrity checks of stored vectors.
Standards Mapping
- IISO: A.7.4, A.4.5
- OWASP agentic: ASI06
- OWASP LLM: LLM08:2025
- EU AI Act: Art. 15(5)
- DASF: Agents-Core 13.1
- AIUC-1: A005, B008