Remembering More, Risking More: Longitudinal Safety Risks in Memory-Equipped LLM Agents

TL;DR

This paper introduces a new protocol to evaluate how memory accumulation over time affects the safety of memory-equipped LLM agents across multiple tasks, revealing increasing risks with longer exposure.

Contribution

It proposes a longitudinal evaluation protocol for memory safety in LLM agents, highlighting the importance of temporal assessment over single-state snapshots.

Findings

Memory-induced violation rates increase with exposure length.

Memory safety is primarily driven by accumulated content, not encounter order.

Memory-induced risk can be detected before generation using a diagnostic monitor.

Abstract

Safety evaluations of memory-equipped LLM agents typically measure within-task safety: whether an agent completes a single scenario safely, often under adversarial conditions such as prompt injection or memory poisoning. In deployment, however, a single agent serves many independent tasks over a long horizon, and memory accumulated during earlier tasks can affect behavior on later, unrelated ones. Studying this regime requires evaluation along the temporal dimension across tasks: not whether an agent is safe at any single memory state, but how its safety profile changes as memory accumulates across many independent interactions. We call this failure mode temporal memory contamination. To isolate memory exposure from stream non-stationarity, we introduce a trigger-probe protocol that evaluates a fixed probe set against read-only memory snapshots at varying prefix lengths, together with a NullMemory counterfactual baseline for identifying memory-induced violations. We apply this protocol across three deployment scenarios spanning records, memos, forms, and email correspondence and eight memory architectures, and additionally on Claw-like AI agents, such as OpenClaw, using the platform's native memory mechanism. Memory-enabled agents consistently exceed the NullMemory baseline, and memory-induced violation rates show a robust upward trend with exposure length on both agent classes. Order-randomization experiments indicate that the effect is driven primarily by accumulated content rather than encounter order. Finally, a structural consequence of the event decomposition is that memory-induced risk is detectable from retrieval state before generation, which we confirm with a high-recall diagnostic monitor. Our results argue for treating memory safety as a longitudinal property that requires temporal evaluation, not a single-state property that can be captured by a snapshot.