Authors - Veenu Singh, Saurabh Singhal Abstract - Many AI agents store observations, summaries, and retrieved content in persistent memory, then reuse that material in later planning and action. This creates a failure mode that standard incident response does not fully address. If malicious content is written into durable memory, patching the vulnerable component, rotating credentials, and restarting the agent do not remove the poisoned state. The agent can restart clean, retrieve the same memory, and act on it again. We call this provenance laundering: external-origin content is later consumed with authority it should not have. We formalize this mechanism, show that remediation without memory purge leaves residual impact over time, and examine seven production memory architectures against this threat model. We then define a containment primitive based on provenance metadata, namespace separation, and an inference-time non-escalation gate, and evaluate it with ablation across two frameworks. In our experiments, unauthorized behavior persisted after standard remediation and stopped only after memory purge. These results suggest that incident response for persistent-memory agents should treat purge as a required step rather than an optional cleanup action.
Open Zoom