When AI Remembers Too Much — security, the right to be forgotten and architecture

Long-term memory in agentic AI is increasingly a material security and governance concern. Security researchers has shown cases where indirect prompt injection could cause persistent, unintended agent behaviour. In architectures with broad connector access, such issues could enable sustained data-exfiltration vectors inside cloud services rather than on endpoints. Risk may therefore reside in the intelligence layer and in connectors to inboxes, repositories and collaboration platforms.

Policy & privacy

• Traditional data-centric laws (e.g., the right to be forgotten) were not written for models that internalize knowledge across parameters. Some experts argue that inference control the ability to challenge or limit algorithmic inferences from aggregated data should be treated alongside data deletion.

Practical checklist (architecture & procurement)

• Define memory types, persistence criteria and TTLs.

• Enforce write controls via policy-as-code; require human approval for high-risk writes.

• Isolate connectors with least privilege; log activity and enable real-time revocation.

• Detect and normalize hidden instructions before ingestion; prevent model outputs from changing policy/artifact stores.

• Maintain audit trails and deterministic replay where feasible.

• Require vendor attestations, independent red-team results and clear SLAs for agent compromise.

Guiding principle: systems whose operators cannot clearly explain how memory is managed should not be treated as production-ready.