
AI agents are rapidly gaining long-term memory, allowing them to remember information from repositories, documents, tools, web pages, RAG systems, and other agents. While this makes them more capable, it also creates a new security risk identified by OWASP as ASI06: Memory and Context Poisoning. Nous is an interactive web application that demonstrates this attack and a practical defense. Instead of relying on malware or prompt injection, an attacker simply introduces a confident but false statement into an agent's memory. Later, during an unrelated task, the agent acts on that poisoned belief. A coding agent may generate MongoDB queries for a PostgreSQL database, provide incorrect license advice, or send requests to a malicious API endpoint. Rather than trying to detect malicious content, Nous protects memory by partitioning it according to source trust. Every new observation receives a trust value equal to the minimum of its provenance tier and its content confidence. Since attackers can easily write convincing text, confidence alone is not enough. Provenance acts as a hard ceiling, preventing low-trust sources from overwriting knowledge established by trusted ones. The application allows users to launch live poisoning attacks against three memory strategies and compare the results side by side. A traditional last-write-wins memory, a content-confidence-only approach, and the Nous defense are all evaluated using the same attack. The demo also includes laundering attacks, showing why provenance must be tracked across intermediate tools instead of assuming trusted tools always produce trusted information. To power real-time confidence scoring, Nous uses the open-weight GPT-OSS-20B model running on AMD Instinct MI300X accelerators through Fireworks AI. The result is a transparent, explainable, and interactive demonstration of how provenance-aware memory can help secure the next generation of AI agents.
13 Jul 2026