The Problem: AI Agents Have Memory — And It Can Be Poisoned
Modern AI agents don't just respond to prompts — they remember. They store conversation history, learned preferences, retrieved facts, and task context in vector databases, episodic memory stores, and session buffers.
This creates a new attack surface that most security frameworks haven't addressed yet: agent memory poisoning.
An attacker who can write malicious content into an agent's memory store can:
- Hijack the agent's future behavior through stored instructions
- Exfiltrate sensitive data that the agent has processed
- Corrupt the agent's knowledge base with false information
- Bypass safety guardrails that only check the current prompt
Introducing OWASP Agent Memory Guard
OWASP Agent Memory Guard is an official OWASP incubator project that provides a security framework specifically designed to protect AI agent memory systems.
It addresses three core threat categories:
| Threat | Description |
|---|---|
| Memory Poisoning | Injecting malicious content into vector stores or episodic memory |
| Prompt Injection via Memory | Stored instructions that hijack agent behavior on retrieval |
| Memory Exfiltration | Unauthorized extraction of sensitive data from agent memory |
Key Features
- Drop-in middleware for LangChain, LlamaIndex, and custom pipelines
- Detection hooks that scan memory reads/writes for injection patterns
- Sanitization layer that neutralizes malicious content before storage
- Audit logging for memory operations — who wrote what, when
- OWASP-aligned — maps directly to OWASP Top 10 for LLM Applications
Quick Start
from agent_memory_guard import MemoryGuard
# Wrap your existing memory store
guard = MemoryGuard(memory_store=your_vector_store)
# All reads and writes are now protected
guard.add(user_input) # sanitized before storage
results = guard.query(query) # scanned on retrieval
Why This Matters Now
As AI agents are deployed in production — handling customer data, executing code, managing files — the security of their memory systems becomes critical infrastructure. A poisoned memory store is a persistent backdoor that survives prompt-level defenses.
OWASP Agent Memory Guard is the first dedicated framework to address this threat systematically.
Get Involved
- GitHub: https://github.com/OWASP/www-project-agent-memory-guard
- Star the repo to show support
- Open issues for use cases you'd like covered
- Contribute detection patterns for new attack vectors
This is an active OWASP project — your contributions directly shape the standard for AI agent memory security.
Top comments (0)