
- Willison says context is not free, so you must offload state.
- Offloading state means you are building a memory store (often a vector store, sometimes a hybrid store, sometimes a relational database with embeddings and metadata).
- That store becomes both the agent’s brain and the attacker’s prize.

Most teams are currently bolting memory onto agents the way early web apps bolted SQL onto forms: quickly, optimistically, and with roughly the same level of input sanitization (not much). That is why I keep insisting memory is just another database problem. Databases have decades of scar tissue, such as least privilege, row-level access controls, auditing, encryption, retention policies, backup and restore, data provenance, and governance.

Agents need the same scar tissue.

Also, remember that memory is not just “What did we talk about last time?” It is identity, permissions, workflow state, tool traces, and a durable record of what the system did and why. As I noted recently, if you can’t replay the memory state to debug why your agent hallucinated, you don’t have a system; you have a casino.
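
One way to apply that database discipline to agent memory, as an added example that is not from the original article: an append-only SQLite log in which reads are scoped to one tenant, every write records its provenance, and any past memory state can be replayed by sequence number. The schema, function names and source labels are assumptions made for illustration.

```python
import sqlite3

# Assumed schema (not from the article): memory is an append-only event log,
# so any past state can be rebuilt and every write carries owner + provenance.
SCHEMA = """
CREATE TABLE memory_log (
    seq    INTEGER PRIMARY KEY AUTOINCREMENT,
    tenant TEXT NOT NULL,   -- owner; every read is scoped to it
    key    TEXT NOT NULL,
    value  TEXT,            -- NULL marks a deletion (tombstone)
    source TEXT NOT NULL    -- provenance label, e.g. 'user', 'web'
);
CREATE TRIGGER no_update BEFORE UPDATE ON memory_log
BEGIN SELECT RAISE(ABORT, 'memory_log is append-only'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON memory_log
BEGIN SELECT RAISE(ABORT, 'memory_log is append-only'); END;
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def remember(db, tenant, key, value, source):
    """Append one memory write; returns its sequence number for later replay."""
    cur = db.execute(
        "INSERT INTO memory_log (tenant, key, value, source) VALUES (?, ?, ?, ?)",
        (tenant, key, value, source))
    db.commit()
    return cur.lastrowid

def recall(db, tenant, as_of=None, trusted_sources=None):
    """Rebuild one tenant's memory as it stood at sequence number as_of."""
    sql = "SELECT key, value, source FROM memory_log WHERE tenant = ?"
    args = [tenant]
    if as_of is not None:
        sql += " AND seq <= ?"
        args.append(as_of)
    state = {}
    for key, value, source in db.execute(sql + " ORDER BY seq", args):
        if trusted_sources is not None and source not in trusted_sources:
            continue  # skip writes whose provenance is not trusted
        if value is None:
            state.pop(key, None)  # tombstone removes the key
        else:
            state[key] = value
    return state
```

SQLite has no row-level security, so the tenant filter lives in `recall()`; a server database such as PostgreSQL can enforce the same rule with row-level security policies.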

