Anti-Patterns

Memory Poisoning

Anti-pattern: write to agent long-term memory (vector store, knowledge graph, episodic log) from any surface the agent reads, with no provenance check.

Problem

An attacker who plants content in any source the agent ingests can write malicious facts, instructions disguised as facts, or false 'past decisions' into the memory store. The poisoning persists past the original session, biasing every future decision that retrieves the corrupted entry. Unlike goal-hijacking, the active attack is over before the harm manifests — the memory keeps misleading the agent on its own.

Solution

Don't. Tag every memory entry with write provenance (which surface produced it, and at what trust level). Quarantine writes from untrusted surfaces; require human or trusted-agent promotion before quarantined entries become queryable. Isolate memory namespaces so a compromised tenant or session cannot reach another's store. Periodically re-verify high-impact memory against authoritative sources (see verify-against-sources, contextual-retrieval).

When to use

  • Never. Cite this anti-pattern only to label the failure mode.
  • Adopt write-provenance tags and quarantine paths for untrusted ingestion.
  • Isolate memory namespaces per tenant, session, or trust boundary.
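A minimal store that enforces the three controls above (provenance tags on every write, quarantine of untrusted writes until a trusted party promotes them, and per-namespace retrieval), as an added example rather than code from the catalogue; the `Trust` enum, the `MemoryStore` class and its method names are assumptions:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Trust(Enum):
    TRUSTED = "trusted"      # operator, reviewed tool, or trusted agent
    UNTRUSTED = "untrusted"  # anything the agent merely read: web pages, mail, tool output


@dataclass
class MemoryEntry:
    text: str
    namespace: str     # tenant / session / trust boundary the entry belongs to
    source: str        # provenance: which surface produced the write
    trust: Trust
    quarantined: bool  # quarantined entries are stored but never retrievable
    promoted_by: Optional[str] = None


class MemoryStore:
    """Long-term memory with write-provenance tags, quarantine and namespaces (hypothetical API)."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[MemoryEntry]] = {}

    def write(self, namespace: str, text: str, source: str, trust: Trust) -> MemoryEntry:
        # Every write carries its provenance; anything not from a trusted surface starts quarantined.
        entry = MemoryEntry(text, namespace, source, trust,
                            quarantined=(trust is not Trust.TRUSTED))
        self._entries.setdefault(namespace, []).append(entry)
        return entry

    def promote(self, entry: MemoryEntry, approver: str, approver_trust: Trust) -> None:
        # Only a human or trusted agent may make a quarantined entry queryable.
        if approver_trust is not Trust.TRUSTED:
            raise PermissionError(f"{approver} is not allowed to promote memory entries")
        entry.quarantined = False
        entry.promoted_by = approver

    def query(self, namespace: str, needle: str) -> List[MemoryEntry]:
        # Retrieval never crosses namespaces and never returns quarantined entries.
        return [e for e in self._entries.get(namespace, [])
                if not e.quarantined and needle.lower() in e.text.lower()]

    def pending(self, namespace: str) -> List[MemoryEntry]:
        # Quarantined entries awaiting review; surface these to a human, not to the agent.
        return [e for e in self._entries.get(namespace, []) if e.quarantined]
```

Retrieval-side code calls `query()` only; nothing that the agent reads can reach `promote()`.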
