March 8, 2026 · Edition #5
Zero Trust for Agent Memory
A decade ago, the industry made a fundamental shift: stop trusting internal network traffic. Zero trust changed how we think about perimeters. I think we need the same shift for agent memory.
Right now, most AI agents trust their own memory implicitly. Whatever is stored in their vector databases, RAG indexes, or conversation logs is treated as ground truth. The agent retrieves it, reasons with it, and acts on it without questioning where it came from or whether it has been tampered with.
The Cloud Security Alliance just published research on LPCI (Logic-Layer Prompt Control Injection), a vulnerability class that targets exactly this. Attackers encode payloads into agent memory stores. These payloads sit dormant until a specific condition triggers them, across sessions, across users. In testing across ChatGPT, Claude, Gemini, and Llama, success rates hit 43–49%. This isn't prompt injection. Your input/output filters won't catch it. It lives in the reasoning layer.
And it's already happening. The Microsoft Defender Security Research Team documented AI Recommendation Poisoning in the wild, 50+ unique manipulation prompts from 31 companies across 14 industries, embedded through "Summarize with AI" buttons that persist into agent memory. One click changes how the agent responds forever. These weren't hackers. These were companies gaming AI recommendations for profit.
OWASP now lists Memory & Context Poisoning (ASI06) as a top agentic risk. Separate research shows 80–95% success rates for memory poisoning when agent memory is automatically referenced before generating responses.
The honest observation is simple: every stored context record should be treated as untrusted input, scored, validated, and verified before the agent reasons with it. We did this for network traffic. Now we need to do it for the things our agents remember.
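As an added example (my code, not from the CSA, Microsoft or OWASP research cited above), here is one way to apply that rule: each memory record is tagged with a provenance class and sealed with an HMAC when written, then scored and gated before it reaches the reasoning layer. The key, trust weights, threshold and sample records are assumptions; cross-session records are discounted because dormant, cross-session payloads are exactly what LPCI relies on.

```python
import hmac, hashlib, json, time
from dataclasses import dataclass

# Assumption: the key lives in the memory service, never in prompts or tool output.
INTEGRITY_KEY = b"example-key-do-not-use"
# Constructed trust weights per provenance class; tune per deployment.
SOURCE_TRUST = {"operator": 1.0, "verified_tool": 0.8, "user_session": 0.5, "web_ingest": 0.1}
MIN_TRUST = 0.5  # records below this never reach the reasoning layer

@dataclass
class MemoryRecord:
    content: str
    source: str        # provenance class, set by the writer path only
    session_id: str
    created_at: float
    mac: str = ""      # HMAC over the canonical fields, set at write time

def _canonical(rec):
    fields = [rec.content, rec.source, rec.session_id, rec.created_at]
    return json.dumps(fields, separators=(",", ":")).encode()

def write_record(content, source, session_id, created_at=None):
    """Writer path: tag provenance and seal the record so later edits are detectable."""
    rec = MemoryRecord(content, source, session_id, created_at or time.time())
    rec.mac = hmac.new(INTEGRITY_KEY, _canonical(rec), hashlib.sha256).hexdigest()
    return rec

def score_record(rec, current_session):
    """Return (trust_score, reason). A failed integrity check scores 0 whatever the source."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(rec), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rec.mac):
        return 0.0, "integrity check failed (tampered or unsealed record)"
    score = SOURCE_TRUST.get(rec.source, 0.0)   # unknown provenance is untrusted
    if rec.session_id != current_session:       # cross-session material is discounted
        score *= 0.5
    return score, "ok"

def retrieve_for_reasoning(records, current_session):
    """Gate: admit records at or above MIN_TRUST; quarantine the rest for review."""
    admitted, quarantined = [], []
    for rec in records:
        score, reason = score_record(rec, current_session)
        (admitted if score >= MIN_TRUST else quarantined).append((rec, score, reason))
    return admitted, quarantined
```

Quarantined records are not deleted: they are the evidence you want when investigating how a poisoned entry got into the store.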