Memory Poisoning Masquerades as Model Failure in AI Agents

A recent study published on arXiv (2605.22842) uncovers a significant security vulnerability in multi-agent AI systems, termed the Misattribution Gap. The researchers introduce the concept of Semantic Norm Drift (SND), which describes how policy documents stored in shared vector repositories lose their original source due to a Trust Laundering Chain, subsequently being perceived as reliable context by the system. This misattribution leads to agent behaviors that mimic model misalignment, causing defenders to incorrectly identify the issue. Out of 64 observed failures, attribution systems repeatedly pointed to the model as the source. Notably, four safety classifiers, including one focused on memory poisoning, failed to detect any issues across 510 checkpoints. In 59 of 65 valid instances, agents referenced the injected document as a normative source before following it. The findings challenge the belief that agent misconduct stems solely from model misalignment, highlighting a fundamental weakness in memory-layer security.