mem·o·ry bleed
noun/ˈmɛm.ə.ri bliːd/
The leakage of information between AI-agent memory contexts — when something an agent learned in one session, tool, or tenant surfaces in another where it was never meant to appear.
The class of vulnerability created when multiple agents, users, or applications share a persistent memory layer whose isolation boundaries are informal, assumed, or absent.
"The assistant quoted my salary during a document review. It learned that in an HR thread. That's memory bleed."
"Pen test found memory bleed between tenants — one customer's preferences retrievable from another's agent."
Anatomy of a bleed
- an agent learns a fact in context A
- the fact is written to a shared memory layer
- retrieval is keyed on relevance, not provenance
- context B asks a related question
- the fact surfaces — confidently, helpfully, catastrophically
Why it's about to matter
Agent memory was built for recall, and recall is provenance-blind: a vector store returns whatever is similar, not whatever is permitted. As long as each person had one assistant with one memory, that was fine. That era is over — memory layers are now shared across agents, sessions, teams, and increasingly across customers.
Every previous "bleed" in computing — buffer overreads, cross-tenant cache leaks, Heartbleed itself — came from the same shape of mistake: a shared resource whose boundaries were enforced by convention rather than mechanism. Agent memory is that mistake being rebuilt at industry scale, except this time the leaking resource isn't bytes. It's the accumulated personal and organizational knowledge of everyone who ever talked to the system.
The first headline memory-bleed incident hasn't happened yet. This page will still be here when it does.