G360 Technologies
The Enterprise AI Brief | Issue 10

When Long-Term Agent Memory Crosses Trust Boundaries

June 18, 2026

A Familiar Assistant, a Different Context

An AI assistant helps a security team summarize incident reports during an investigation. Weeks later, the same assistant helps with a procurement review. The original investigation is over, the participants have changed, and the task is unrelated. Yet information extracted from that earlier work remains in long-term memory and may be retrieved because it appears relevant to the new request.

The problem begins when relevance becomes a substitute for permission.

A cluster of research papers and technical disclosures released between June 10 and June 17, 2026 focused on a common issue in agentic AI systems: information written into long-term memory can influence future tasks after the conditions that originally justified its collection or use have changed. Recent work on multi-session memory poisoning, memory lifecycle security, purpose-bound memory mediation, and memory retrieval all converged on the same question: what happens when information survives its original context?

The concern is not that agents remember information. Long-term memory is increasingly necessary for personalization, task continuity, and multi-step workflows. The concern is that memory often persists longer than the authorization, purpose, or operational context that originally justified it.

Most of the reviewed research does not describe widespread real-world compromise. Instead, it identifies a growing class of failures in which information, instructions, assumptions, or summaries cross from one context into another without a fresh decision about whether they should still be used.

How Memory Becomes a Persistent Control Channel

Information can enter memory through ordinary conversations, retrieved documents, emails, tool outputs, background monitoring processes, webpages, message objects, or agent-generated summaries. In many cases, the source material is untrusted even though the component responsible for storing memory is trusted.

Once stored, information is typically converted into summaries, embeddings, profile entries, event records, vector-database entries, or shared agent state. The storage format itself is not the primary issue. The more important question is whether information about ownership, purpose, authorization scope, provenance, and freshness survives alongside the memory.

The trust boundary appears during retrieval.

Many memory systems retrieve information primarily through semantic similarity. If a stored memory looks relevant to the current task, it may be inserted into the model's context window, planning workflow, or tool-execution process. Researchers describe this as an admissibility problem. Relevance can indicate usefulness, but it does not establish that a memory is authorized, appropriate, or safe to use in the current context.

Once retrieved, the memory often enters the model's reasoning process as trusted background context. The user, task, recipient, authorization scope, and operational purpose associated with the original memory may no longer be visible. Information that was valid in one context can begin influencing decisions in another.

This is what transforms memory from a convenience feature into a security concern.

Prompt injection has traditionally been viewed as a session-level problem. Long-term memory can turn a temporary exposure into a durable influence channel. A malicious instruction embedded in an email, webpage, tool response, or summary can survive the original interaction and reappear later when retrieval mechanisms determine that it is relevant. This is the same general pattern OWASP codified as ASI06, Memory and Context Poisoning, in its December 2025 Top 10 for Agentic Applications.

Several recent studies demonstrated variations of this pattern. In Trojan Hippo, researchers reported a payload that remained dormant through 100 benign sessions before activating when a matching trigger appeared. Other work showed background activity being promoted into long-term memory and later influencing behavior in unrelated tasks. Research on memory retrieval found examples of cross-domain leakage, policy bypass, and task corruption caused by memories that were semantically relevant but contextually inappropriate.

The experiments differ in methodology and should not be interpreted as measures of real-world prevalence. They do, however, point to the same underlying failure mode: information collected under one set of assumptions can continue influencing future decisions after those assumptions have changed.

Implications for Enterprises

This issue becomes more significant when memory is combined with privileged tools and sensitive enterprise data.

Customer-support agents routinely ingest attacker-controlled messages while maintaining long-lived customer histories. A malicious instruction that survives beyond the original interaction could influence future responses, retrieval decisions, or automated actions.

Security copilots face a different version of the problem. They combine incident notes, threat intelligence, analyst observations, investigation histories, and operational workflows. Information that was appropriate for one investigation may become inappropriate when surfaced during another. The risk is not only disclosure but also the possibility that old context influences analysis, prioritization, or automated actions in ways that are difficult to detect.

The research also suggests that memory governance requires visibility into both memory creation and memory retrieval. Logging memory writes alone is insufficient. Investigators may need records showing how memories were created, why they were retrieved, what authorization context existed at retrieval time, and how retrieved memories influenced downstream model behavior.

In practice, memory increasingly resembles a data-governance and access-control problem rather than a model-performance feature.

Risks and Open Questions

Several important questions remain unresolved.

Most of the supporting evidence comes from preprints, workshop papers, laboratory evaluations, and proof-of-concept disclosures rather than large-scale production studies. Public evidence of widespread exploitation remains limited.

Researchers also highlight unresolved questions around memory revocation and memory lineage. It remains unclear how ownership, purpose restrictions, and authorization metadata can survive summarization, embedding, abstraction, caching, and agent-to-agent sharing. The challenge becomes even more complex when a memory has already produced derivative summaries, plans, embeddings, or downstream state.

The reviewed sources also did not identify a documented tenant-to-tenant memory leakage incident, despite concerns that similar mechanisms could affect multi-tenant systems.

For now, the strongest conclusion is narrower. Long-term memory introduces a new trust boundary inside agentic systems. The security failure occurs not simply when an agent stores information, but when information written under one set of assumptions is later retrieved and treated as trustworthy in a different context without re-evaluating purpose, authorization, and admissibility.

Further Reading

  • SMSR: Certified Defence Against Runtime Memory Poisoning in Persistent LLM Agent Systems
  • Memory as a Service (MaaS): Purpose-Bound Memory Mediation for Cooperative Agents
  • A Survey on Long-Term Memory Security in LLM Agents
  • Beyond Similarity: Trustworthy Memory Search for Personal AI Agents
  • PersistBench: When Should Long-Term Memories Be Forgotten by LLMs?
  • Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration
  • Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution
  • OWASP Top 10 for Agentic Applications
← Back to Newsletter