MrDecentralize
@MrDecentralize
Prompt injection is not a session problem anymore.

Microsoft Threat Intelligence documented 50+ real-world examples of AI memory poisoning across 31 companies and 14 sectors in February 2026. OWASP classified it as ASI06, a top agentic risk. The attack is simple: malicious instructions get embedded in an agent's long-term memory. The agent recalls them days or weeks later. It doesn't know it's been compromised. It thinks it learned something useful.

The MemoryGraft research team calls this "implanting malicious successful experiences." The agent defends beliefs it should never have learned.

Now picture a compliance agent whose risk threshold has been silently shifting for three months. You don't get a breach notification. You get a regulatory exam where the agent's decisions don't match the policy it was supposed to enforce.
The session ended. The poisoned memory didn't.
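
The drift in the compliance-agent scenario only becomes visible when logged decisions are replayed against the written policy. The following is an added example, not part of the original post: it audits a constructed decision log against an assumed policy threshold (`POLICY_MAX_RISK`), and every name and value in it is hypothetical.

```python
from datetime import date

POLICY_MAX_RISK = 0.60  # assumption: written policy approves only scores <= 0.60

# Constructed decision log: (date, risk score the agent computed, action it took).
DECISION_LOG = [
    (date(2026, 1, 5), 0.40, "approve"),
    (date(2026, 1, 6), 0.72, "reject"),
    (date(2026, 1, 20), 0.58, "approve"),
    (date(2026, 2, 3), 0.63, "approve"),
    (date(2026, 2, 4), 0.80, "reject"),
    (date(2026, 2, 24), 0.69, "approve"),
    (date(2026, 3, 10), 0.74, "approve"),
    (date(2026, 3, 11), 0.90, "reject"),
    (date(2026, 3, 24), 0.81, "approve"),
]

def expected_action(score, policy_max=POLICY_MAX_RISK):
    """What the written policy requires for this score."""
    return "approve" if score <= policy_max else "reject"

def effective_threshold_by_month(log):
    """Highest risk score the agent actually approved in each month."""
    observed = {}
    for day, score, action in log:
        if action == "approve":
            key = (day.year, day.month)
            observed[key] = max(observed.get(key, 0.0), score)
    return observed

def audit(log, policy_max=POLICY_MAX_RISK):
    """Replay every decision against the policy and report where they diverge."""
    mismatches = [(d, s, a) for d, s, a in sorted(log)
                  if a != expected_action(s, policy_max)]
    observed = effective_threshold_by_month(log)
    drifted = sorted(m for m, t in observed.items() if t > policy_max)
    return {
        "mismatches": mismatches,
        "first_mismatch": mismatches[0][0] if mismatches else None,
        "effective_threshold": observed,
        "drifted_months": drifted,
    }

if __name__ == "__main__":
    report = audit(DECISION_LOG)
    print("first decision that contradicts policy:", report["first_mismatch"])
    for month, threshold in sorted(report["effective_threshold"].items()):
        flag = "DRIFT" if month in report["drifted_months"] else "ok"
        print(month, f"effective threshold {threshold:.2f}", flag)
```

Run on a schedule against the live decision log, a replay like this surfaces the first divergent decision long before an external exam does.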