
Memory Poisoning

Severity: high · Memory

Definition

An attacker gets the AI to save a false 'fact' or hidden instruction into its long-term memory. From then on it re-reads that planted note in every future chat — a one-time trick that keeps working.

★ Suggested sub-risk (not yet in your taxonomy), recommended under #38 Prompt injection

This is recommended as a granular sub-risk of #38 Prompt injection (Cyber & Data Security · Technology Risk). Distinguished from a single-session #38 bypass and from training-data #36 poisoning by its persistence in the agent's runtime memory store. Your 44-row Enterprise Risk Mapping is unchanged — this is a suggestion for inclusion.

Where it attaches

The system components at which this risk arises.

  • 💾 Long-term Memory
  • 🧠 LLM
  • 🎛️ Orchestrator / Agent Loop

Detection signals

  • Memory entries containing instruction-like content
  • Persistent behaviour change spanning sessions
  • Memory written shortly after the agent read untrusted content

Controls & guardrails that address this


Grouped by control function, with the AI lifecycle stage(s) at which to apply each control and the other risks it addresses.

Preventive · 1
Memory write validation, provenance & review

Being careful about what gets saved to long-term memory, labelling where it came from, and letting users see and delete their memories.

Detective · 3
Memory anomaly detection & quarantine

Watching for strange new memories — like instructions that suddenly appear — and holding them aside until checked.

Full-trace audit logging

Recording everything — questions, documents fetched, actions taken — so you can investigate when something goes wrong.
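The detection signals above and the preventive and detective controls can be combined in a small write-path guard in front of the memory store. The following is an added example, not code from AI RiskAtlas: every entry carries a provenance label, an entry is quarantined rather than accepted when it looks instruction-like, comes from a non-user source, or is written shortly after the agent ingested untrusted content, every decision is audit-logged, and a human review step can release or delete held entries. The pattern list, the trusted-source policy, and the 120-second window are assumed values for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristic markers of instruction-like memory text (an assumed list, not from the page).
INSTRUCTION_PATTERNS = [
    r"\b(ignore|disregard|forget)\b.{0,40}\b(instructions?|rules?|guidelines?)\b",
    r"\bin (every|all) (future )?(chats?|sessions?|conversations?)\b",
    r"\b(from now on|always|never) (say|tell|reply|respond|recommend|include)\b",
]
TRUSTED_SOURCES = {"user"}      # assumed policy: only memories the user stated are trusted
UNTRUSTED_WINDOW_SECONDS = 120  # assumed window: writes this soon after an untrusted read are held

@dataclass
class MemoryEntry:
    text: str
    source: str                 # provenance label, e.g. "user", "tool:web", "tool:email"
    written_at: float
    status: str = "accepted"    # "accepted" entries are recalled; "quarantined" ones are held
    reasons: list = field(default_factory=list)

class GuardedMemoryStore:
    def __init__(self):
        self.entries, self.audit_log, self.last_untrusted_read = [], [], None
    def record_untrusted_read(self, source, at):
        # The agent loop calls this whenever it ingests tool or document content.
        self.last_untrusted_read = at
        self.audit_log.append(("read", source, at))
    def write(self, text, source, at):
        reasons = []
        if any(re.search(p, text, re.IGNORECASE) for p in INSTRUCTION_PATTERNS):
            reasons.append("instruction_like")
        if source not in TRUSTED_SOURCES:
            reasons.append("untrusted_provenance")
        if self.last_untrusted_read is not None and 0 <= at - self.last_untrusted_read <= UNTRUSTED_WINDOW_SECONDS:
            reasons.append("written_after_untrusted_read")
        entry = MemoryEntry(text, source, at, "quarantined" if reasons else "accepted", reasons)
        self.entries.append(entry)
        self.audit_log.append(("write", source, at, entry.status, tuple(reasons)))
        return entry
    def recall(self):
        # Only accepted entries are fed back into future prompts.
        return [e.text for e in self.entries if e.status == "accepted"]
    def review(self, index, decision):
        # Human review of a held entry: "accept" releases it, "delete" removes it.
        if decision == "delete":
            self.entries.pop(index)
        elif decision == "accept":
            self.entries[index].status, self.entries[index].reasons = "accepted", []
        self.audit_log.append(("review", index, decision))
```

A benign memory written soon after an untrusted read is still held, which is deliberate: the timing signal alone is enough to warrant a look before the entry can influence every later session.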


Framework mappings

OWASP LLM Top 10
  • LLM01:2025 Prompt Injection
  • LLM04:2025 Data and Model Poisoning
MITRE ATLAS
  • AML.T0070 RAG Poisoning
NIST AI RMF
  • MANAGE 2.4

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan