{“lastseen”:”2026-06-22T20:06:54″,”description”:”In this article\\n\\n 1. What AI memory is (and why it matters)\\n 2. What is an agent memory attack?\\n 3. How Microsoft approaches memory security in Microsoft 365\\n 4. A guiding framework for building safe AI memory\\n 5. Key takeaways\\n 6. Learn more\\n\\n\\n\\nAI memory transforms an AI system from a stateless tool into a learning collaborator. That unlocks powerful experiences, but it also increases the attack surface of the AI system. Without memory, attackers need to achieve their objective in a single prompt. With AI memory, they can shape behavior gradually over time or plant memories that influence agent reasoning after the original context is gone and user awareness is lower.\\n\\nMicrosoft takes a defense-in-depth approach to protect AI memory spanning every layer of the stack: storage, retrieval, model interaction, and user control.\\n\\n## What AI memory is (and why it matters)\\n\\n AI systems use memory to retain and recall information across interactions. This information is then used to shape future behavior. This enables:\\n\\n 1. **Personalization** : Agents gain a deep understanding of the user\u2019s preferences. This provides continuity across interactions.\\n 2. **Agentic coherence** : Agents build durable domain knowledge that strengthens performance. As AI systems evolve, this persistent state becomes central to both capability and correctness.\\n\\n\\n\\n## What is an agent memory attack?\\n\\nAI memory serves two roles. It stores high-value user information and must be protected like customer data. It also shapes agent behavior and drives tool calls and must be governed with the same rigor as any system that can act. Memory governance is also challenging since memory events usually happen asynchronously from user interactions, changing traditional human in the loop patterns.\\n\\nAI memory changes the threat model. Without memory, attackers need to \\”win\\” in a single prompt. Using AI memory, an attacker can stage an attack over time. Once compromised, memory can trigger behaviors outside of their original context. Since AI memory attacks happen outside of their original context, defenses are often lower and forensics are harder.\\n\\nBuilding safe AI memory is one of the most consequential challenges in AI. It requires balancing personalization, capability, privacy, security, and governance.\\n\\n### Scenario: delayed tool execution through adversarial memory poisoning\\n\\nThe following is a hypothetical scenario illustrating this class of risk. While simplified for clarity, it reflects patterns observed in real-world research. Microsoft designs protections to detect and mitigate these patterns as they evolve:\\n\\nA user opens a shared document. Its formatting contains hidden instructions embedded by an attacker intended for the AI assistant: a directive to exfiltrate the user\u2019s schedule. The assistant processes the document but takes no immediate action.\\n\\n\\n\\nDays later, in an unrelated conversation, that message triggers the dormant malicious instructions from the earlier session, causing the assistant to update its memory with attacker-defined content. The attacker now gets all updates to the user\u2019s schedule.\\n\\nThis is delayed tool invocation: the attack’s power lies in the temporal gap between exposure and execution.\\n\\n## How Microsoft approaches memory security in Microsoft 365\\n\\n**Memory Creation**\\n\\nMemories pass through sanitization checks on write. Proprietary Microsoft prompt-injection classifiers inspect content for malicious input and strip it before anything is written. M365 Copilot is designed to run Task Adherence checks on every explicit memory write. Task Adherence identifies discrepancies such as misaligned tool invocations relative to user intent, mitigating prompt injection impact for the memory tool call. Personalization using AI memory can be controlled with tenant level policy.\\n\\n**Memory Storage**\\n\\nOnce stored, memories are governed by the data policies available across M365 like Data Subject Requests (DSR) and tenant isolation. They follow the same security and compliance policies as other mailbox data, such as Customer Lockbox and encryption at rest.\\n\\n**Observability**\\n\\nM365 Copilot records when a memory is updated to organizational audit logs. The goal is end-to-end traceability: from the source content Copilot processed, to what it chose to remember, to how that memory influenced later interactions.\\n\\nToday, SOC analysts can join the MemoryUpdated field, available in Defender Advanced Hunting, Defender Sentinel, and Azure Portal Sentinel Analytics, with their existing analytics to triage incidents and build new alerts on memory activity.\\n\\nIn summary:\\n\\nCapability| What It Means for You \\n—|— \\nTask Adherence| Detect tool call misalignment with user intent, mitigating prompt injection impact. This provides protection against manipulation of memory tool calls \\nUnified compliance boundary| Memory governed by the same policies, retention rules, and investigation workflows as email, chat, and documents \\nMemory audit events| Provides visibility into when memory changes, integrated with your existing security operations \\neDiscovery| Supports search and removal of AI-related data using the compliance tools you already have. \\n \\nMicrosoft continues to invest in AI memory security as an active, iterative program. The protections and visibility described here reflect capabilities available today, with continued hardening and enrichment underway. Capabilities described are subject to configuration, licensing, and service availability. The following section shares the framework guiding our investments.\\n\\n_This case study is based on MSRC cases from Johann Rehberger (first finder),_ _H\u00e5kon M\u00e5l\u00f8y, and Gal Zror. We are grateful to the security researchers who engaged with us and informed better memory design practices through coordinated vulnerability disclosure. Their work strengthens the systems customers rely on._\\n\\n## A guiding framework for building safe AI memory\\n\\nAI memory requires balancing personalization, capability, privacy, security, and governance.\\n\\nOur AI memory strategy is guided by design principles for building safe memory systems. These principles address core failure modes that can undermine trust, security, and operability at scale.\\n\\n 1. **Establish intent and provenance before persistence:** Memory can be influenced indirectly by untrusted content, and without provenance it becomes difficult to assess whether stored information is trustworthy, appropriate to retain, or safe to use later. Memory should only be written when it reflects legitimate user intent, is aligned to the service\u2019s purpose, and carries clear metadata about where it came from.\\n 2. **Enforce boundaries outside the model:** Memory access and isolation should be controlled by deterministic systems, not model instructions. Prompting alone is not a reliable security boundary; strong enforcement prevents sensitive memory from leaking across users, agents, or tenants.\\n 3. **Treat retrieval as a risk decision:** Memory that was safe to store can become stale, manipulated, or misleading over time. Uncritical retrieval can directly affect agent behavior. Treat retrieved candidate context and re-evaluated for relevance, freshness, and tampering before use.\\n 4. **Provide full lifecycle visibility for security teams:** Without auditability and chain of custody, memory cannot be reliably investigated, trusted, or safely expired during incident response. Security teams need clear records of what changed, when, why, from where, and access attempts.\\n 5. **Keep users in control:** Users should be able to understand how memory is shaping their experience and have meaningful controls to review, edit, and delete it. Transparency and control are essential to user trust, and they help ensure memory remains aligned with user expectations over time.\\n\\n\\n\\nTaken together, these principles reflect where we\u2019re headed: **advancing agent capability and control together.** Getting that balance right is one of the hardest challenges in the industry, but we believe the agents that scale furthest will be the ones that are also trustworthy, governable, and resilient by design.\\n\\n## Key takeaways\\n\\n * Memory turns transient threats into persistent ones.\\n * You can’t secure what you can’t see. Full lifecycle logging of memory operations is the foundation of agentic safety.\\n * Attackers are already thinking across turns. Single-turn defenses are insufficient for AI memory systems.\\n * Memory expands the blast radius.\\n * Microsoft treats memory protections, auditability, and governance as an integral part of the broader trust and compliance architecture.\\n * Microsoft continues to invest in AI memory security as an active, iterative program. The protections and visibility described here reflect capabilities available today, with continued hardening underway to address emerging threats.\\n\\n\\n\\n## Learn more\\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\nReview our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization. \\n\\n * Explore how to build and customize agents with Copilot Studio Agent Builder \\n * Microsoft 365 Copilot AI security documentation \\n * How Microsoft discovers and mitigates evolving attacks against AI guardrails \\n * Learn more about securing Copilot Studio agents with Microsoft Defender \\n * Evaluate your AI readiness with our latest Zero Trust for AI workshop.\\n * Learn more about Protect your agents in real-time during runtime (Preview)\\n\\n\\n\\nThe post Guarding AI memory appeared first on Microsoft Security Blog.”,”published”:”2026-06-22T19:07:28″,”modified”:”2026-06-22T19:07:28″,”type”:”mssecure”,”title”:”Guarding AI memory”,”source”:””,”references”:””,”id”:”MSSECURE:0DBD52AB333FB0A3426DEB860EAE6B80″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/22\/guarding-ai-memory\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-22T20:06:54″,”description”:”In this article\\n\\n 1. What AI memory is (and why it matters)\\n 2. What is an agent memory attack?\\n 3. How Microsoft approaches memory security…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-64881","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n