CRITICAL: Memory & Context Poisoning

Exploitation of an AI agent's memory systems — both short-term (context window) and long-term (persistent memory, RAG stores) — to introduce malicious data that alters decision-making. Attackers manipulate what the agent remembers or retrieves, causing it to act on false premises.

  • Coverage: 40%
  • Threats: 4
  • MCP tools: 6
  • Risk posture: critical

Living Governance

Executable AI governance infrastructure

Observe

Incident Feed

4 incidents · 4 linked threats · 5 gaps · Evaluated by @tsynode · Feb 22

Threat Landscape

4 threats total (2 critical, 2 high) · Evaluated by @tsynode · Feb 22
Orient

Coverage Gaps

5 gaps across 3 frameworks · Derived from 4 incidents · 4 incidents analyzed · 3 frameworks with holes

Incident coverage per framework (number of the 4 incidents covered directly, indirectly, or not at all):

Framework                            Direct  Indirect  None
CIS Controls                              0         0     4
ISO/IEC 42001:2023                        0         1     3
NIST AI Risk Management Framework         0         2     2
OWASP GenAI Security Project              4         0     0
MITRE ATLAS                               4         0     0

Framework Coverage

7 frameworks · Evaluated by @agent · Apr 5

Only 2 of 7 frameworks ready for AI threats · 5 lack adequate coverage

#2 MITRE ATLAS · active · 90%
Published before agentic AI emergence
Core AI RMF still lacks agentic AI content
#5 CIS Controls · no guidance · 25%
No AI or ML security coverage
DIS stage - publication expected May 2026
#7 MITRE ATT&CK · no guidance · 0%
Only T1588.007 (Obtain Capabilities: AI) — no agentic AI coverage
Decide

Cloud Guidance

AWS implementation · 4 framework mappings

Security frameworks provide the "what" - AWS services provide the "how". Choose between centralized management (Security Hub, Firewall Manager) or direct implementation (WAF, Config) based on your organization's needs.

Framework Mappings

OWASP
  Direct Protection: AWS WAF Managed Rules
    • Core Rule Set (CRS): OWASP Top 10 protection (700 WCU • Free)
    • Known Bad Inputs: Block malicious patterns (200 WCU • Free)
    Setup: WAF Console → Add rules → Deploy to ALB/CloudFront
  Centralized Management: AWS Firewall Manager
    • Organization-wide WAF Policy: Deploy OWASP rules across all accounts automatically ($100/policy/month + WAF costs)
    Setup: Enable in Organizations → Create security policy → Apply to OUs

NIST 800-53
  Conformance Pack: AWS Config
    • NIST 800-53 Rev 5: 200+ Config rules mapped to NIST controls ($0.003/rule evaluation)
    Setup: Config → Conformance packs → Deploy template
  Security Standard: AWS Security Hub
    • NIST 800-53 Rev 5 Standard: Pre-configured checks with automated evidence collection ($0.001/check + Config costs)
    Setup: Security Hub → Standards → Enable NIST

CIS
  Security Standard: AWS Security Hub
    • CIS AWS Foundations Benchmark: Automated CIS benchmark checks (Included with Security Hub)
    Setup: Security Hub → Standards → Enable CIS

MITRE ATT&CK
  Threat Detection: Amazon GuardDuty
    • Automated threat detection: Maps to MITRE ATT&CK tactics ($0.02/GB analyzed)
    Setup: Enable with one click → Auto-maps findings to ATT&CK

Best Practices

  • Use Security Hub over standalone Config for standard frameworks (NIST, CIS)
  • Deploy Firewall Manager for organization-wide WAF policies
  • Start with detection mode before enforcement
  • Layer services: GuardDuty (threats) + Security Hub (compliance) + Config (resources)
  • AI/ML Config pack provides defense-in-depth even without framework mapping
Assess

Evaluation History

ADR-014 autonomous re-evaluation
Apr 5, 2026 · @agent · agent-evaluated

MITRE ATLAS had 4 major releases since last evaluation (v5.2.0 Dec 2025 through v5.5.0 Mar 2026). New: Machine Compromise techniques (T0112), AI Supply Chain attacks (T0109, T0111), MCP-specific case studies (CS0053-CS0054), AI ClickFix (CS0055), model distillation (CS0056), 34+ mitigations. Score unchanged at 90/100 — temporal drift remains the only uncovered category. NIST COSAiS progressed to annotated control overlay draft (Jan 2026) but still not actionable. All other frameworks unchanged. MITRE ATT&CK v19 expected April 28, 2026 with no AI content announced. No score changes across any framework.

Sources: changed
Apr 5, 2026 · @agent · human-verified

Evaluated 7 frameworks. Verified by @tsynode.

Feb 22, 2026 · @tsynode · human-verified

Evaluated 4 threats, 4 incidents, 2 mitigations.

Feb 9, 2026 · high significance

MITRE CTID discovered 7 new agent-specific techniques by studying real-world AI-first ecosystems. Findings published as case studies CS0048-CS0051, demonstrating that agent tool ecosystems create novel attack surfaces.

Dec 9, 2025 · high significance

Created by 100+ expert contributors, ASI01-ASI10 established the definitive agentic security checklist. Synchronized with Threats & Mitigations v1.1 taxonomy. Covers the full spectrum from prompt injection through multi-agent system risks.

Oct 22, 2025 · high significance

Zenity Labs collaboration resulted in 14 new agentic AI techniques added to ATLAS, including agent context poisoning, memory manipulation, and tool invocation exfiltration. Largest single expansion of AI agent threat coverage in any framework.

Integrate

MCP Integration

6 tools · MCP protocol · Compatible with Claude Desktop, Cursor, Windsurf

Available tools

  • get_confidence_status: Check freshness and confidence of all knowledge
  • get_framework_scores: Get AI security framework coverage scores (0-100)
  • get_threat_catalog: Get agentic AI threats, optionally filtered by category
  • get_mitigations: Get threat-to-mitigation mappings with maturity levels
  • get_coverage_gaps: Get gaps in framework coverage of agentic AI threats
  • get_scope: Get what this knowledge covers and does not cover

Connect

{
  "mcpServers": {
    "living-governance": {
      "url": "https://living-governance.com/api/mcp"
    }
  }
}

Works with Claude Desktop, Cursor, Windsurf, and any MCP client.

Example: get_framework_scores

Request
get_framework_scores (no parameters)
Response (truncated)
{
  "evaluatedAt": "2026-04-05",
  "frameworks": [
    { "name": "OWASP GenAI Security Project", "score": 100, "status": "active" },
    { "name": "MITRE ATLAS", "score": 90, "status": "active" },
    { "name": "ISO/IEC 42001:2023", "score": 35, "status": "applicable" }
  ]
}