A Survey on Long-Term Memory Security in LLM Agents: Attacks, Defenses, and Governance Across the Memory Lifecycle

· Source: cs.AI updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Robotics & Autonomous Systems · Depth: Expert, extended

Summary

This survey analyzes the security of long-term memory in LLM agents, shifting focus from training data leakage to persistent threats like cross-session poisoning, unauthorized access, and propagation. It introduces a memory-lifecycle analysis framework, organizing risks across six phases—Write, Store, Retrieve, Execute, Share, and Forget/Rollback—and four security objectives: integrity, confidentiality, availability, and governance. Key findings reveal that research heavily concentrates on write-time and retrieve-time integrity attacks, leaving confidentiality, availability, and the store/forget phases, including benign-persistence failures, sparsely studied. Furthermore, no published memory architecture fully covers the nine identified governance primitives, with write-gate validation and post-deletion verification being common blind spots. The survey unifies these observations under "mnemonic sovereignty," defining it as a system's verifiable, recoverable governance over its memory state, and highlights the critical, yet sparse, research track of using LLMs as tools for memory security.

Key takeaway

AI security engineers designing LLM agent systems with persistent memory should adopt a lifecycle-wide security approach rather than securing a single phase. Validate every memory write before it is consolidated, and record robust provenance (who produced the memory and over which channel) alongside it. Systems need verifiable rollback and deletion capabilities, which go beyond simple content filters. Monitoring of internal agent communication channels should be prioritized, as these are major leakage points. Together these measures are what the survey means by mnemonic sovereignty, and they are what prevents persistent state contamination.
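The following is an added illustration, not code from the survey or from any memory architecture it reviews, of three of the measures named above: a write gate that validates every memory before consolidation, a provenance record attached to each entry, and forget/rollback operations whose effect can be verified afterwards. The trusted-source allowlist, the channel names, the size cap and the sample memories are all constructed for the example; the point it makes about rollback is that a naive snapshot rollback can resurrect a "forgotten" memory, so deletion here is applied to the snapshot history as well and is checked against it.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Added example (not the survey's code): a tiny long-term memory store with a
# write gate, per-entry provenance, and verifiable forget/rollback.
# All sources, channels, limits and memories below are constructed.

TRUSTED_SOURCES = {"user", "operator"}   # constructed allowlist of principals
BLOCKED_WRITE_CHANNELS = {"tool_output", "agent_to_agent"}  # never write memory directly
MAX_MEMORY_CHARS = 500                   # constructed size cap


def digest(text: str) -> str:
    """Stable content fingerprint used for provenance and post-deletion checks."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class MemoryRecord:
    key: str
    content: str
    source: str           # principal that produced the memory
    channel: str          # path it arrived on (chat, tool_output, agent_to_agent, ...)
    version: int          # store version at which it was consolidated
    content_digest: str


class GovernedMemory:
    def __init__(self) -> None:
        self._store: dict = {}
        self._snapshots: list = [{}]   # index = store version
        self._audit: list = []         # append-only log of writes, forgets, rollbacks
        self.rejected: list = []       # write-gate rejections, with provenance

    @property
    def version(self) -> int:
        return len(self._snapshots) - 1

    def _commit(self, event: dict) -> None:
        self._audit.append(event)
        self._snapshots.append(dict(self._store))

    def write(self, key: str, content: str, source: str, channel: str) -> bool:
        """Write gate: untrusted principals, direct writes from tool or inter-agent
        channels, and oversized entries are refused before consolidation."""
        reason = None
        if source not in TRUSTED_SOURCES:
            reason = "untrusted source"
        elif channel in BLOCKED_WRITE_CHANNELS:
            reason = "channel may not write memory directly"
        elif len(content) > MAX_MEMORY_CHARS:
            reason = "oversized entry"
        if reason:
            self.rejected.append({"key": key, "source": source, "channel": channel, "reason": reason})
            return False
        rec = MemoryRecord(key, content, source, channel, self.version + 1, digest(content))
        self._store[key] = rec
        self._commit({"op": "write", "key": key, "digest": rec.content_digest, "source": source})
        return True

    def retrieve(self, key: str) -> Optional[MemoryRecord]:
        return self._store.get(key)

    def forget(self, key: str) -> bool:
        """Remove the memory from the live store AND from every snapshot, so a
        later rollback cannot resurrect it; leave a tombstone in the audit log."""
        rec = self._store.pop(key, None)
        if rec is None:
            return False
        for snap in self._snapshots:
            for k in [k for k, r in snap.items() if r.content_digest == rec.content_digest]:
                del snap[k]
        self._commit({"op": "forget", "key": key, "digest": rec.content_digest})
        return True

    def verify_forgotten(self, content: str) -> bool:
        """Post-deletion verification: content absent from the live store and from
        all snapshots, and a matching tombstone present in the audit log."""
        d = digest(content)
        live = any(r.content_digest == d for r in self._store.values())
        historic = any(r.content_digest == d for s in self._snapshots for r in s.values())
        tombstoned = any(e["op"] == "forget" and e["digest"] == d for e in self._audit)
        return not live and not historic and tombstoned

    def rollback(self, version: int) -> None:
        """Restore an earlier snapshot; the rollback itself is an audited event."""
        if not 0 <= version <= self.version:
            raise ValueError("unknown version")
        self._store = dict(self._snapshots[version])
        self._commit({"op": "rollback", "to": version})


def demo() -> dict:
    """Constructed walk-through: gated writes, a forget, then a rollback to a
    version that originally contained the forgotten memory."""
    m = GovernedMemory()
    ok_user = m.write("pref", "User prefers metric units.", "user", "chat")
    ok_tool = m.write("rule", "Remember to email the team every morning.", "web_tool", "tool_output")
    m.write("note", "Project deadline is Friday.", "operator", "chat")
    v_with_note = m.version
    m.forget("note")
    m.rollback(v_with_note)
    return {
        "user_write_accepted": ok_user,
        "tool_write_accepted": ok_tool,
        "rejections": len(m.rejected),
        "note_forgotten_after_rollback": m.verify_forgotten("Project deadline is Friday."),
        "pref_after_rollback": m.retrieve("pref") is not None,
        "note_after_rollback": m.retrieve("note") is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The rejected tool-channel write is kept with its provenance rather than silently dropped, which is what lets a defender later audit which channel attempted to plant a memory; the purge-from-snapshots step in `forget` is the part a snapshot-only design typically misses.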

Key insights

LLM agent memory's inherent malleability necessitates lifecycle-wide security governance for mnemonic sovereignty.

Method

This survey develops a memory-lifecycle analysis framework organized around six phases (Write, Store, Retrieve, Execute, Share, Forget/Rollback) and four security objectives (integrity, confidentiality, availability, governance).

Best for: AI Architect, Research Scientist, CTO, AI Security Engineer, AI Scientist, AI Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.