Researchers have a name for the class of attacks that corrupt what AI agents remember — and a new benchmark showing most defenses miss the harder variants.
The paper introduces MemPoison, a benchmark of 1,227 hand-validated cases testing how adversarial content can be smuggled into an LLM agent's persistent external memory, survive across conversation turns, and later warp the agent's behavior. The researchers tested seven open-weight and three closed-weight model families across four attack types and three memory substrates. They organized the threats into three tiers: direct single-record corruption (L1), multi-record corruption that becomes harmful only in combination (L2), and dormant attacks that activate only when a specific context triggers them (L3).
The finding that stings is structural. Write-time defenses — the kind that screen incoming memory records for suspicious content before storing them — hold up reasonably well against L1 attacks. Against L2 and L3, they largely fail. The reason: each individual record looks clean. Harm only emerges later, through joint retrieval or trigger conditions that the filter never saw coming. The researchers call these "structural blind spots" and demonstrate them through a technique they label mechanistic influence decomposition.
This matters because persistent memory is increasingly how AI agents maintain continuity across sessions — it is not a niche feature. If the defense layer sits only at write time, it is, in effect, checking luggage at the door while ignoring what gets assembled inside. The paper argues for adaptive, context-sensitive defenses that evaluate records at retrieval time and in combination, not just on arrival. Whether the labs building production agent systems are moving that direction is a separate question — and one the paper does not answer.