Agentic AI memory attacks spread across sessions and users, and most organizations aren’t ready

Habler walks through MemoryTrap, a disclosed and remediated method to compromise Claude Code’s memory, showing how a single poisoned memory object can spread across sessions, users, and subagents. He explains why AI memory needs the same governance as secrets and identities, and what organizations must rebuild to contain trust propagation between agents before contamination becomes invisible.

Memory has a completely new meaning in agentic systems. It is a persistent retrieval and instruction layer. It stores preferences, earlier context, summaries, workflow patterns, and learned behavior that can be used in future sessions. That matters because when memory is reused between tasks, sessions, or users, it becomes an important part of the system’s decision context. The risk is not that an attacker will corrupt memory in the classic sense. The concern is that an attacker will alter what the model later recognizes as legitimate context. In this way, agent memory resembles a persistent control surface rather than a momentary state. That’s the frame I’d like security leaders to adopt.

Full interview: Idan Habler, AI Security Researcher at Cisco, says agentic memory as an attack surface is the most potent threat for enterprises.