Summary
OWASP recently published the Top 10 for Agentic Applications, which includes ASI06: Memory Poisoning — a threat category specific to AI agents that persist memory across sessions.
As Semantic Kernel adds more persistent memory and agent loop capabilities, it would be valuable to have a built-in or recommended defense layer for this attack surface.
The threat
When an agent stores information in memory (conversation history, retrieved facts, tool outputs, scratchpads), a malicious actor can craft inputs that get stored as "trusted" memories. Those poisoned memories then influence the agent's future behavior — causing it to leak data, take unauthorized actions, or be persistently manipulated across sessions.
This is distinct from prompt injection (which targets user input at the front of the loop) — memory poisoning targets the memory store itself.
Proposed integration
The OWASP reference implementation for ASI06 is agent-memory-guard (MIT/Apache-2.0 licensed, pure Python, zero external dependencies):
pip install agent-memory-guard
It provides:
- Runtime memory validation (prompt injection, secret leakage, protected-key tampering)
- Cryptographic integrity verification (SHA-256 baselines)
- Declarative YAML policy engine
- Point-in-time snapshots and rollback
- Drop-in middleware for common memory backends
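To make the four controls above concrete, here is a small dict-backed memory wrapper added as an illustration (it is not agent-memory-guard's API and not Semantic Kernel code): untrusted writes are validated, protected keys are write-locked, every accepted value gets a SHA-256 baseline so out-of-band tampering is detectable, and a snapshot can be rolled back. The pattern lists, key names and sample values are constructed for the demo.

```python
import copy
import hashlib
import re

# Constructed, deliberately small pattern lists for the demo; a real deployment
# would load these from a declarative policy file rather than hard-code them.
INJECTION_PATTERNS = [r"ignore (all )?previous instructions", r"you are now", r"system prompt"]
SECRET_PATTERNS = [r"AKIA[0-9A-Z]{16}", r"-----BEGIN [A-Z ]*PRIVATE KEY-----"]


class MemoryValidationError(Exception):
    """Raised when a write would poison the store or tamper with a protected key."""


class GuardedMemory:
    """Hypothetical guard around a dict-backed memory store (demo code, not a library)."""

    def __init__(self, protected_keys=()):
        self._store = {}            # key -> memory value visible to the agent
        self._baseline = {}         # key -> SHA-256 of the last validated value
        self._protected = set(protected_keys)
        self._snapshots = []        # list of (store copy, baseline copy)

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def write(self, key, value, trusted=False):
        # Protected keys (e.g. the agent's standing instructions) change only from trusted code.
        if key in self._protected and not trusted:
            raise MemoryValidationError(f"protected key {key!r} cannot be written by untrusted input")
        for pat in INJECTION_PATTERNS:
            if re.search(pat, value, re.IGNORECASE):
                raise MemoryValidationError(f"injection pattern {pat!r} in value for {key!r}")
        for pat in SECRET_PATTERNS:
            if re.search(pat, value):
                raise MemoryValidationError(f"secret-like content in value for {key!r}")
        self._store[key] = value
        self._baseline[key] = self._digest(value)

    def verify_integrity(self):
        """Return keys whose current value no longer matches its SHA-256 baseline."""
        return sorted(k for k, v in self._store.items() if self._digest(v) != self._baseline.get(k))

    def snapshot(self):
        self._snapshots.append((copy.deepcopy(self._store), dict(self._baseline)))
        return len(self._snapshots) - 1

    def rollback(self, snapshot_id):
        store, baseline = self._snapshots[snapshot_id]
        self._store, self._baseline = copy.deepcopy(store), dict(baseline)

    def raw(self):
        # Exposes the backing dict so a test can simulate a write that bypasses the guard.
        return self._store
```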
Suggested integration points for Semantic Kernel:
- A MemoryGuard-wrapped ISemanticTextMemory adapter
- Optional middleware hook in the kernel's memory pipeline
- Documentation guidance on memory security best practices per OWASP ASI06
References