[arXiv]score: 0.25

Most LLM Agent Memory Defenses Fail Against Delayed-Trigger RAG Injection Attacks

June 23, 2026

Across 5,040 runs on nine open-source models, input-level and retrieval-level defenses including Minimizer, Sanitizer, RAG Sanitizer, and RAG LLM Judge all achieve 88–89% attack success rate — statistically indistinguishable from the undefended baseline of 88.6%. Only architectural-layer defenses showed meaningful reduction.

HOW THIS AFFECTS YOU

●

builderIf you're deploying stateful LLM agents with RAG-backed memory, this result means prompt filtering and retrieval sanitization provide near-zero protection against delayed-trigger injection — architectural defenses are required.

●

researcherThe systematic 5,040-run evaluation across four architectural layers establishes a rigorous baseline for comparing future defenses against persistent memory attacks.

●

policyThe near-total failure of surface-level defenses across nine models is a concrete finding for anyone writing security requirements or compliance standards for agentic AI systems.

read original ↗arxiv.org

← back to feed