Agent Memory

Agent memory (short and long term): stores context, facts and history across steps and sessions.

Plane: Orchestration
Flow steps: 6 · 8
Frameworks: NIST 800-53 · OWASP LLM02/04 · MITRE ATLAS
Technology

Why use it
Give the agent persistent memory for context and history, without turning it into a flaw.

Why it matters to security
Memory is a target: poisoning (hidden instructions) and leakage of sensitive data. It must be isolated, encrypted and cleaned.

Implementations: Redis · pgvector · Zep · Mem0
An agent’s memory is a delayed injection channel: don’t trust it by default.
Recommendations by maturity tier

Foundation (minimum viable baseline)
- Memory isolation per agent and per tenant. [NIST 800-53 AC-3 · SC-4] Shared memory leaks one agent’s context into another.
- Memory encryption at rest. [NIST 800-53 SC-28] Stored context often contains sensitive data.
- Redact sensitive data before storage. [OWASP LLM02:2025] Storing only what’s needed reduces exposure.

Enterprise (enterprise standard)
- Treat memorized content as untrusted. [NIST 800-53 SI-10 · OWASP LLM01:2025] What comes out of memory passes the input guardrail again.
- Retention and purge policy. [NIST 800-53 SI-12] Keeping forever is accumulating risk.
- Access control on memory reads/writes. [NIST 800-53 AC-3] Only the owning agent reads and writes its memory.

Advanced (high-assurance / regulated)
- Memory-poisoning detection. [NIST 800-53 SI-4 · OWASP LLM04:2025] Instructions injected into memory are spotted and neutralized.
- Provenance and versioning of writes. [NIST 800-53 AU-10] You know which step wrote which memory.
- Verifiable erasure (right to be forgotten). [NIST 800-53 SI-12] Purging personal data is provable.
Architecture notes
- Memory is an indirect-injection vector. An attacker who writes to memory influences future sessions. Pass all memorized content through the input guardrail before re-injecting it into the model.
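As an added illustration, not part of this reference card nor of any listed implementation (Redis, pgvector, Zep, Mem0): a minimal in-process memory store that applies the tiered recommendations and the architecture note above, namely per-tenant/per-agent isolation, redaction before write, per-write provenance and versioning, re-screening of memory on every read with quarantine of injected instructions, and a purge that proves nothing of the tenant remains. The regexes are constructed placeholders standing in for a real redaction and guardrail layer, and encryption at rest is left to the backing store.

```python
import re
from dataclasses import dataclass

# Constructed placeholder patterns, not a real guardrail: PII is redacted
# before storage, instruction-like text is flagged when memory is read.
PII_PATTERNS = [(re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
                (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]")]
INJECTION_RE = re.compile(r"ignore (all )?previous instructions", re.I)

@dataclass
class MemoryEntry:
    version: int       # monotonic per namespace, so every write is auditable
    step_id: str       # provenance: which flow step wrote this entry (AU-10)
    text: str
    quarantined: bool = False

class AgentMemory:  # keyed by (tenant, agent): no cross-agent or cross-tenant reads
    def __init__(self):
        self.store: dict[tuple[str, str], list[MemoryEntry]] = {}

    def write(self, tenant, agent, step_id, text):
        # Redact before storage (LLM02): keep only what the agent needs.
        for pattern, label in PII_PATTERNS:
            text = pattern.sub(label, text)
        bucket = self.store.setdefault((tenant, agent), [])
        entry = MemoryEntry(len(bucket) + 1, step_id, text)
        bucket.append(entry)
        return entry

    def read(self, tenant, agent):
        # Memory is untrusted input (SI-10 / LLM01): re-screen on every read.
        safe = []
        for entry in self.store.get((tenant, agent), []):
            if INJECTION_RE.search(entry.text):
                entry.quarantined = True   # held back, never re-injected
            else:
                safe.append(entry.text)
        return safe

    def quarantined(self, tenant, agent):
        return [e for e in self.store.get((tenant, agent), []) if e.quarantined]

    def purge(self, tenant):
        # Verifiable erasure (SI-12): drop the tenant's namespaces, prove none remain.
        keys = [k for k in self.store if k[0] == tenant]
        for key in keys:
            del self.store[key]
        assert all(k[0] != tenant for k in self.store)
        return len(keys)
```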
References
- NIST SP 800-53 Rev5: AC-3, SC-4 (Shared Resources), SC-28 (At Rest), SI-10, SI-12 (Retention), AU-10.
- OWASP LLM02 / LLM04:2025: Sensitive Information Disclosure and Data & Model Poisoning.
- MITRE ATLAS AML.T0051: Indirect injection via memorized content.
Abbreviations
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone