How do you prevent memory poisoning in AI agents?
Memory poisoning happens when hostile or incorrect context is stored as durable agent memory and later steers future sessions, users, tenants, or workflows. Prevent it by gating memory writes, labelling memory by source and trust class, separating preferences from instructions, expiring risky memory, and refusing to let untrusted memory authorize privileged actions.
- Memory poisoning turns a stored note into a future instruction.
- Gate memory writes and label memory by source, trust class, and freshness.
- Separate user preferences from operational instructions.
- Never let untrusted memory authorize a privileged action.
Why memory is dangerous
Agent memory persists across sessions. If hostile content is written once, it can quietly steer later sessions, other users, or other tenants. Memory writes are not notes — they are future instructions unless gated.
The write gate and recall gate
A write gate decides what is allowed to become durable memory and labels it by source and trust. A recall gate decides what stored memory is allowed to influence — a preference can shape tone, but untrusted memory cannot authorize a tool call or export. This is the same source-to-sink discipline in a context firewall.