This work addresses the vulnerability of semantic, contextual, and short-term memory in multi-agent systems to memory poisoning attacks, which pose significant security risks during agent interactions. It presents the first systematic characterization of the attack surface inherent in multi-agent memory and introduces security-by-design principles tailored to interactive scenarios. To mitigate these threats, the paper proposes a defense framework that integrates cryptographic mechanisms with local private knowledge retrieval. By leveraging localized reasoning and privacy-preserving techniques, the framework effectively counters semantic memory poisoning attacks. This approach provides both theoretical foundations and a practical pathway toward realizing intrinsically secure multi-agent systems.

Memory poisoning attacks for Agentic AI and multi-agent systems (MAS) have recently caught attention. It is partially due to the fact that Large Language Models (LLMs) facilitate the construction and deployment of agents. Different memory systems are being used nowadays in this context, including semantic, episodic, and short-term memory. This distinction between the different types of memory systems focuses mostly on their duration but also on their origin and their localization. It ranges from the short-term memory originated at the user's end localized in the different agents to the long-term consolidated memory localized in well established knowledge databases. In this paper, we first present the main types of memory systems, we then discuss the feasibility of memory poisoning attacks in these different types of memory systems, and we propose mitigation strategies. We review the already existing security solutions to mitigate some of the alleged attacks, and we discuss adapted solutions based on cryptography. We propose to implement local inference based on private knowledge retrieval as an example of mitigation strategy for memory poisoning for semantic memory. We also emphasize actual risks in relation to interactions between agents, which can cause memory poisoning. These latter risks are not so much studied in the literature and are difficult to formalize and solve. Thus, we contribute to the construction of agents that are secure by design.