Personal AI agents with long-term memory have a serious security problem that nobody built a fix for yet.
Researchers have documented an attack method called GhostWriter that targets the memory subsystems of tool-using AI agents — the kind that read your email, manage your calendar, and push code on your behalf. The attack works in two phases: first, an adversary slips a hidden payload to the agent through an untrusted source it interacts with; then, that poisoned memory gets retrieved and acted on later. In testing against current state-of-the-art agents, GhostWriter achieved injection rates of roughly 98% and activation rates of around 60% — meaning a successfully planted memory had a better-than-even chance of influencing the agent's behavior.
The attack is possible because long-term memory in AI agents was designed for utility, not security. Agents that sit at the intersection of conversation and action-planning handle sensitive data while routinely ingesting content from sources they have no reason to trust — a combination that creates an unguarded attack surface. If your agent reads a malicious email and writes a false memory, it may act on that memory the next time a related task comes up, with no prompt to warn you.
The same paper proposes a mitigation called AM-Sentry, which applies a memory-saving policy and a retrieval screen to filter suspicious writes and reads; the researchers say it substantially cuts GhostWriter's success rate without breaking agent usefulness. That's a promising early response, but it also underscores the pattern that has defined AI deployment so far: capabilities ship first, security models catch up later — if they catch up at all.