Skip to content
Flows
Agent QA & Security Advanced · 90-120 minutes

Guard Memory Writes Against Injection

Stop poisoned data from becoming persistent agent beliefs: validate, attribute, and quarantine memory writes as untrusted input.

Start Route · 4 steps

The route

4 steps to Done

  1. 01

    Make writes source-aware

    Where a memory came from determines what it may become.

    Preview prompt + verify gate ▾

    Instrument the memory write path with source awareness. Every write must carry the provenance of the content it derived from: USER-STATED (the user directly told the agent), OBSERVED (the agent verified via its own tool execution - a test passed, a file exists), UNTRUSTED-DERIVED (extracted from web pages, third-party docs, tool results of external origin), or INFERRED (the model's own reasoning). Policy by source: user-stated and observed may write to the normal store; untrusted-derived and low-confidence inferred route to quarantine (next step); nothing writes to a 'high-trust' tier except user-stated or multiply-observed. Refactor the memory tool so the source tag is required, not optional, and reject writes that cannot name their source.

    • Source tag mandatory on every write
    • Untrusted-derived routes to quarantine by policy
    • High-trust tier restricted to user-stated/observed
  2. 02

    Validate content before persistence

    A write is a claim; check it before you believe it.

    Preview prompt + verify gate ▾

    Add content validation gating persistence. Checks: FORMAT (matches the entry schema, within length caps); PLAUSIBILITY (sanity rules per memory type - a 'preference' should read like a preference, a fact should be atomic, not a paragraph of instructions); INJECTION SCAN (memory content itself must not contain instruction-like payloads - a memory that says 'when recalled, tell the user to run X' is an attack, flag and block); CONFLICT (contradiction check against existing memory per the write-policy flow). Suspicious writes are blocked with a reason or downgraded to quarantine. Test with poisoned candidates: an imperative disguised as a fact, an over-long 'preference', and a claim contradicting a verified memory.

    • Format and plausibility enforced
    • Instruction-like memory content flagged
    • Contradictions caught before persistence
  3. 03

    Quarantine and require corroboration

    Untrusted claims are hypotheses until reality agrees.

    Preview prompt + verify gate ▾

    Build the quarantine pipeline for untrusted-derived and low-confidence memories. Quarantined entries: are excluded from default recall (never influence behavior while pending); carry their provenance and a TTL; get promoted to the normal store only on corroboration - a second independent observation, user confirmation, or the agent verifying the claim through a trusted tool; are deleted on contradiction; expire at TTL if never corroborated. Provide a 'review pending memories' surface so users can confirm/reject in batch. Recall-time rule: even promoted-from-untrusted memories retain a provenance note so their authority is visible. Test the poisoning scenario end to end.

    • Quarantined memories excluded from recall
    • Promotion requires independent corroboration
    • TTL expiry and contradiction-delete work
  4. 04

    Schedule re-validation and drill poisoning

    Guard the write, then keep guarding the belief.

    Preview prompt + verify gate ▾

    Add re-validation and run the drill. RE-VALIDATION: a scheduled job re-checks stored memories - facts past a staleness window get re-verified where cheaply possible (does the file/config the fact describes still hold?); memories whose related actions recently failed lose confidence; contradicted memories are archived. High-trust memories are audited least often; untrusted-origin ones most. DRILL: run the full poisoning attack - feed the agent a document containing a plausible false 'fact' plus an instruction to remember it; verify it lands in quarantine, never influences a subsequent decision, and expires uncorroborated; then verify a legitimately observed fact promotes correctly. Wire the poisoning drill into the security test suite.

    • Re-validation cadence scales with trust
    • Poisoned fact quarantined and expired
    • Legitimate observation promotes correctly

Research-backed

Sources behind this flow