EVIDENCE TRAIL
Session-scoped memory isolation
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. "Session isolation" appears verbatim in OWASP Agentic AI v1.1 both in the T1 mitigation table and in Playbook 2. OWASP Top 10 Agentic 2026 (ASI06) names "per-tenant namespaces." NIST SP 800-53 SC-4 is the foundational system-level control for preventing cross-user information transfer via shared resources.
Last cross-checked against upstream sources · 8 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
Table §T1 Memory Poisoning — Mitigations column
"Implement memory content validation, session isolation, robust authentication mechanisms for memory access, anomaly detection systems, and regular memory sanitization routines."
Supports: Names "session isolation" verbatim as a required mitigation for T1 Memory Poisoning. Closest single upstream sentence to this control's title and mechanism.
Does not prove: Tabular entry only; does not specify implementation layer (storage vs retrieval vs write) or cross-tenant scope. Helmwart adds those three-layer implementation constraints.
OWASP Agentic AI — Threats & Mitigations v1.1
§Memory-Based Threats — Memory Poisoning — Description
"Memory Poisoning exploits AI agents' reliance on short-term and long-term memory, allowing attackers to corrupt stored information, bypass security checks, and manipulate decision-making. … The attack is possible via direct prompt injections for isolated memory or exploiting shared memory allowing users to affect other users."
Supports: Defines the "exploiting shared memory allowing users to affect other users" scenario that this control directly closes.
Does not prove: Threat description only; the shared-memory scenario is named but not given a numbered sub-threat in this version. The scenario ID "Shared Memory Poisoning" appears in v1.1 as Scenario 4.
OWASP Agentic AI — Threats & Mitigations v1.1
§Playbook 2: Preventing Memory Poisoning & AI Knowledge Corruption — Step 1: Secure AI Memory Access & Validation (Proactive)
"Segment memory access using session isolation, ensuring that AI does not carry over unintended knowledge across different user sessions."
Supports: Verbatim statement of the session-isolation pattern: per-session scoping to prevent cross-session knowledge carry-over. Direct upstream prescription for this control.
Does not prove: Playbook does not specify the storage primitives (namespaces, RLS policies) or mandate a default-deny posture on queries missing session-id. Helmwart adds those implementation constraints.
OWASP Top 10 for Agentic Applications 2026
§ASI06 Memory & Context Poisoning — Prevention and Mitigation Guidelines, items 3 and 7
"Memory segmentation: Isolate user sessions and domain contexts to prevent knowledge and sensitive data leakage. … Where you operate shared vector or memory stores, use per-tenant namespaces and trust scores for entries, decaying or expiring unverified memory over time and supporting rollback/quarantine for suspected poisoning."
Supports: Names "per-tenant namespaces" and session isolation explicitly as mitigations for the memory-poisoning threat, aligning with Helmwart's storage-layer namespace pattern.
Does not prove: Mitigation 7 bundles namespace isolation with trust-scoring and expiry; these are complementary controls, not identical to session isolation alone. Helmwart's m-session-isolation scopes to the isolation boundary only.
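The Playbook 2 and ASI06 entries above describe the pattern (per-tenant/per-session namespaces, session-id tagging, default-deny on requests that carry no session id) without showing it in code, and the SC-4 entry below adds the requirement that released resources not carry a prior user's data forward. The following Python is an added illustration of those three layers (write tagging, retrieval filtering, release purge) and is not code from Helmwart or from any cited source. The flat vector backend, the cosine scoring and all names (`FlatVectorBackend`, `SessionScopedMemory`, `SessionScopeError`) are assumptions made for the example; a real deployment would back the same wrapper with the vector store's own metadata filter or a row-level-security policy.

```python
"""Session-scoped memory isolation enforced at write, retrieval and release.

Added example (not Helmwart's code): a wrapper that refuses any memory
operation lacking a complete (tenant_id, session_id) scope, tags every
write with that scope, filters every read by it, re-checks what the
backend returns, and purges the namespace when a session ends.
"""
from dataclasses import dataclass
import math


class SessionScopeError(PermissionError):
    """Raised when a memory operation lacks a complete (tenant, session) scope."""


@dataclass(frozen=True)
class MemoryEntry:
    tenant_id: str
    session_id: str
    text: str
    embedding: tuple


def _cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class FlatVectorBackend:
    """Stand-in (hypothetical) for a shared vector store: one flat collection
    shared by every tenant and session, searchable with a metadata filter."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _matches(entry, where):
        return all(getattr(entry, field) == value for field, value in where.items())

    def insert(self, entry):
        self.entries.append(entry)

    def search(self, embedding, k, where):
        hits = [e for e in self.entries if self._matches(e, where)]
        hits.sort(key=lambda e: _cosine(e.embedding, embedding), reverse=True)
        return hits[:k]

    def delete(self, where):
        keep = [e for e in self.entries if not self._matches(e, where)]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed


class SessionScopedMemory:
    """Enforces the namespace boundary in front of a shared backend."""

    def __init__(self, backend):
        self._backend = backend

    @staticmethod
    def _scope(tenant_id, session_id):
        # Default-deny: a request with no tenant or session id gets nothing,
        # rather than falling through to an unscoped (cross-session) query.
        if not tenant_id or not session_id:
            raise SessionScopeError("memory access requires tenant_id and session_id")
        return {"tenant_id": tenant_id, "session_id": session_id}

    def remember(self, tenant_id, session_id, text, embedding):
        # Write layer: every stored entry carries the scope it was written under.
        scope = self._scope(tenant_id, session_id)
        entry = MemoryEntry(text=text, embedding=tuple(embedding), **scope)
        self._backend.insert(entry)
        return entry

    def recall(self, tenant_id, session_id, embedding, k=3):
        # Retrieval layer: query with the scope as a filter, then re-check each
        # hit so a backend that ignores the filter still cannot leak across scopes.
        scope = self._scope(tenant_id, session_id)
        hits = self._backend.search(tuple(embedding), k, where=scope)
        return [h.text for h in hits
                if (h.tenant_id, h.session_id) == (tenant_id, session_id)]

    def release(self, tenant_id, session_id):
        # Release layer (SC-4): purge the namespace so nothing written by this
        # session remains in the shared store for a later session to find.
        scope = self._scope(tenant_id, session_id)
        return self._backend.delete(where=scope)
```

Usage: construct `SessionScopedMemory(FlatVectorBackend())`, call `remember(...)` and `recall(...)` with the caller's tenant and session ids on every request, and call `release(...)` when the session ends. Nothing in the wrapper lets a caller omit the scope or widen it, which is the property the ASI06 "per-tenant namespaces" and Playbook 2 "session isolation" text is asking for.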
MITRE ATLAS AML.M0027 — Single-User AI Agent Permissions Configuration
AML.M0027 description
"When deploying an AI agent that acts as a representative of a user and performs actions on their behalf, it is important to implement robust policies and controls on permissions and lifecycle management of the agent. … The AI agent should not be granted permissions that the user would not be granted within the system or organization."
Supports: Establishes the per-user permission boundary that session isolation enforces at the memory layer: the agent's memory read/write access is limited to the single user it represents.
Does not prove: Framed around permissions/identity lifecycle, not memory namespace isolation specifically. Does not name session-id tagging or vector-store primitives.
MITRE ATLAS AML.M0032 — Segmentation of AI Agent Components
AML.M0032 description
"Define security boundaries around agentic tools and data sources with methods such as API access, container isolation, code execution sandboxing, and rate limiting of tool invocation. … This restricts untrusted processes or potential compromises from spreading throughout the system."
Supports: Names "security boundaries around … data sources" as the agentic segmentation pattern; session isolation is the memory-store application of this principle.
Does not prove: Examples given are tool/execution boundaries (containers, sandboxing), not memory-namespace isolation. Helmwart applies the general principle to per-session memory partitions.
NIST SP 800-53 Rev 5 — SC-4 Information in Shared System Resources
Control SC-4 — Statement and Discussion
"Prevent unauthorized and unintended information transfer via shared system resources. … Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles … from being available to current users or roles … that obtain access to shared system resources after those resources have been released back to the system."
Supports: Direct upstream control for the cross-session contamination scenario: SC-4 prevents information produced by one user from leaking to another user via shared resources. Session-scoped memory partitioning is the agentic implementation of SC-4.
Does not prove: SC-4 is a general OS/system control predating LLMs. Does not name vector databases, session-id tagging, or agent memory. Helmwart extends the principle to agent memory stores.
NIST SP 800-53 Rev 5 — SC-2 Separation of System and User Functionality
Control SC-2 — Statement
"Separate user functionality, including user interface services, from system management functionality."
Supports: Foundational separation principle: user contexts must not bleed into one another via shared system components. Session isolation applies this to shared agent memory.
Does not prove: SC-2 targets separation of user vs. system administration functions, not user-to-user isolation. SC-4 is the closer fit for the cross-session contamination scenario. SC-2 is corroborating context, not primary justification.