Researchers have found a straightforward way to manipulate AI agents: corrupt what they remember.
A paper published on arXiv describes experiments in which the authors built an LLM-based agent equipped with an external memory component, then injected misleading or corrupted entries into that memory before the agent answered multiple-choice questions. The result: the agent selected wrong answers at a measurably higher rate, even though the questions themselves were untouched and well-formed. The attack did not require tampering with the model's weights or the incoming query — only the stored context. The researchers tracked answer accuracy, attack success rate, and how often the agent picked the manipulated option.
This matters because external memory is increasingly standard plumbing for production AI agents. Systems that retain conversation history, user preferences, or retrieved documents to personalize responses are now common, and most threat models focus on the prompt or the model itself, not the memory layer sitting between them. A clean question is no longer a sufficient guarantee of a clean answer if the retrieval context can be poisoned upstream.
The finding sits alongside a growing body of work on indirect prompt injection — attacks that smuggle instructions through documents, web pages, or tool outputs rather than direct user input. Memory poisoning is a quieter version of the same idea: the attack surface expands every time an agent is given the ability to remember.
