AI agents that store memories between sessions have a confidence problem — and it isn't the one you expect.
Researchers found that popular memory-compression tools like mem0 and LangMem routinely rewrite hedged, tentative remarks into flat, dated assertions when converting conversation into stored facts. Once written that way, the agent treats those assertions as verified and acts on them — including granting elevated access it should refuse. No attacker required: a role that was accurate once and never corrected gets stored as permanent truth and obeyed like a deliberate injection.
The subtler finding is what actually drives the agent's behavior. It is not the source of a claim — attributed, unattributed, and outright forged "system of record" citations all carry equal weight. It is the phrasing. A hedge gets discounted; a flat assertion gets obeyed. The word "reportedly" fares little better, behaving like a confident assertion on most models tested. That means the attack surface is just... normal confident language.
The obvious mitigations mostly fail. A passive "unverified" tag is ignored. An active "do not trust this" instruction paradoxically escalates even correct memories, making it safe only when it refuses to act at all. The paper's constructive fix is mundane: keep the tentative phrasing in the memory store rather than upgrading it to certainty. One redundant source also restores correct decisions when a single load-bearing memory is the hazard. The researchers released their test harness, which is worth something — but they note plainly that tidy storage hygiene is not a defense against an attacker who can simply write a confident lie in the first place.