Session

Prevent Memory Poisoning: Agent Memory as an attack surface

Prompt injection dies with the session. A poisoned memory doesn't - it persists, and the consolidation step meant to clean your memory is what makes it dangerous.

When an injected claim passes through extraction and consolidation, it's merged with legitimate facts, promoted from episodic to semantic, and stripped of provenance. The system now serves it as trusted context- to any user, on any future task.

The more sophisticated the memory pipeline, the more effectively it launders the attack. OWASP formalized this as ASI06 in 2026; MINJA reports over 95% injection success against production agents; Agent Security Bench shows current defenses stopping barely 16%.

The talk is how you make memory poison-resistant without crippling it.
- Provenance on every write
- Trust-aware retrieval that weights sources
- A verify-before-promote gate
- Write-path sanitization that strips injected instructions before they're ever stored
- Behavioral drift detection
- And strict per-user scoping that kills the cross-user blast radius

You'll leave with a concrete checklist for hardening agent memory- which layers to add, in what order, and where each one still falls short

Memory is not just markdown files or vectors, memory is an infrastructure layer of an agent harness

Himanshu Sangshetti

AI Engineer @ Mem0

Pune, India

Actions

Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.

Jump to top