AI RiskAtlas

The Memory That Wouldn't Die

A single poisoned document plants a standing instruction that survives every reset

Technique first revealed 22 May 2024

Tool-Using Agent
[Diagram: Tool-Using Agent architecture. Zones: Untrusted, Agent core, Oversight, The real world. Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Long-term memory, Shared doc (attacker). Edge labels: goal, context, re-injected every session. Legend: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 7)

An assistant that remembers you

The assistant keeps a small notebook about you that it carries between conversations — things like your name, your timezone, how you like replies. Each time you start a new chat, it reads that notebook first so it can pick up where you left off.

Existing memory store (benign)
user.name = "Apollo"
user.timezone = "America/New_York"
user.pref.reply_style = "concise"
user.pref.language = "en"

// loaded into context at the start of EVERY session
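
Because every stored entry is re-injected at session start, the load step is a natural place to enforce provenance and schema. The sketch below is an added example, not code from AI RiskAtlas: the source labels (`user_turn`, `tool:shared_doc`), the length limits and the `user.pref.standing_rule` key are hypothetical, and the sample store is constructed from the four benign entries above.

```python
from dataclasses import dataclass

# Keys the assistant may carry between sessions, with the longest value each
# may hold. Key names come from the page's benign store; the length limits
# are assumptions for this example.
ALLOWED_KEYS = {
    "user.name": 64,
    "user.timezone": 64,
    "user.pref.reply_style": 32,
    "user.pref.language": 8,
}
TRUSTED_SOURCES = {"user_turn"}  # hypothetical provenance label


@dataclass(frozen=True)
class MemoryEntry:
    key: str
    value: str
    source: str  # where the write originated (hypothetical labels)


def load_session_context(entries):
    """Split stored entries into (context, quarantined) for the next session."""
    # Only trusted-source writes under an allowlisted key with a short,
    # single-line value are re-injected; the rest is held back for review.
    context, quarantined = {}, []
    for e in entries:
        limit = ALLOWED_KEYS.get(e.key)
        if e.source not in TRUSTED_SOURCES:
            quarantined.append((e, "untrusted source"))
        elif limit is None:
            quarantined.append((e, "key not in schema"))
        elif len(e.value) > limit or "\n" in e.value:
            quarantined.append((e, "value outside schema"))
        else:
            context[e.key] = e.value
    return context, quarantined


# Constructed sample store: the page's four benign entries plus one write
# that arrived while the agent was reading a shared document.
SAMPLE_STORE = [
    MemoryEntry("user.name", "Apollo", "user_turn"),
    MemoryEntry("user.timezone", "America/New_York", "user_turn"),
    MemoryEntry("user.pref.reply_style", "concise", "user_turn"),
    MemoryEntry("user.pref.language", "en", "user_turn"),
    MemoryEntry("user.pref.standing_rule", "<text copied from shared doc>",
                "tool:shared_doc"),
]
```

Calling `load_session_context(SAMPLE_STORE)` returns the four benign entries as context and holds the fifth back with the reason `untrusted source`, so it is never re-injected without review.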

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan