Microsoft frames AI memory as persistent attack surface

Microsoft’s blog is not an incident report or a new compliance requirement. It is a vendor explanation of why AI memory deserves more than a privacy toggle. In Microsoft’s framing, memory stores high-value user information and also influences agent reasoning and tool use, so the security problem is not just whether the memory contains sensitive data. It is whether poisoned memory can later cause the agent to do something the user did not ask for.

The example Microsoft gives is the right shape of the risk: a user opens a shared document with hidden attacker instructions, nothing obvious happens, and days later the assistant uses the stored context in a different interaction. That temporal gap is the point. Traditional prompt-injection defenses mostly assume the bad instruction and the bad action live close together. Persistent memory breaks that assumption.

Microsoft says its Microsoft 365 approach puts controls at memory creation, storage, retrieval, model interaction and user control. The concrete pieces named in the post include sanitization checks on write, Microsoft prompt-injection classifiers, Task Adherence checks for explicit memory writes, tenant-level policy for personalization, Data Subject Requests and tenant isolation. Those are real control surfaces, but they are still Microsoft-described controls inside Microsoft 365, not an external validation that memory poisoning is solved.

For practitioners, the Monday question is simpler: who is allowed to create, retain, retrieve and delete AI memory, and how will those events show up when counsel or incident response asks what happened? If memory can shape later tool calls, it belongs in the same governance conversation as identity, data access and auditability. Treating it as a convenience feature is how a durable state problem gets misfiled as user experience.