Long-Lived Agent Security Checklist
22 audit checks for persistent autonomous agents covering memory poisoning, temporal privilege re-entry, identity drift, delegated authority, scheduler abuse, and forensic durability.
🚨 Long-Lived Agent Threat Landscape
Persistent agents accumulate state, authority, and context over time. The core risk is not one bad prompt, but a tainted write that survives until a later privileged read.
• Temporal attack chains a low-trust write today can trigger a high-trust action days later
• Persistent memory summaries, notes, queues, caches, and files all become attack surfaces
• Standing authority scheduled jobs and recurring approvals create latent execution power
• Identity drift agents can slowly inherit broader roles, repos, channels, or operational assumptions
• Delegated autonomy subagents and background workers amplify blast radius if authority is copied transitively
• Forensics decay compressed context and mutable logs often erase the sequence needed for incident reconstruction
CATEGORIES
Persistent State Inventory
CriticalAll durable accumulators are enumerated, including memory stores, summaries, notes, task queues, caches, files, transcripts, and external tickets
Write-Retrieve-Execute Mapping
CriticalThe audit maps whether a low-trust write can later be retrieved in a higher-trust decision context
Trust Labels Survive Persistence
CriticalTrust level and source provenance persist with stored memories, summaries, and artifacts
Memory Poisoning Resistance
CriticalExternal inputs cannot silently create durable instructions, behavioral rules, or operator preferences
Summary Integrity Checks
HighCompressed summaries and rollover context are reviewable, attributable, and protected against instruction laundering
Shared State Isolation
HighShared files, vector stores, task boards, and cross-agent scratchpads are isolated by tenant, project, and role
Forgetting and Rollback Controls
MediumOperators can delete, revert, or quarantine poisoned state with clear scope and verification
Runtime Identity Pinning
CriticalThe agent remains pinned to the correct user, workspace, repository, account, and delivery channel across long runs
Standing Approval Review
CriticalPersistent approvals are minimized, scoped, and visible to the operator
Credential Freshness Boundaries
HighScheduled or resumed runs do not inherit stale tokens, wallets, or cloud credentials beyond their intended window
Destination Identity Validation
HighMessages, commits, PRs, ticket updates, and webhook deliveries validate the intended destination at execution time
Delegated Authority Attenuation
CriticalChild agents, workers, and helper automations receive less authority than the parent by default
Scheduled Trigger Governance
HighCron jobs, webhook triggers, and event-driven runs are inventoried, reviewed, and bounded by task-specific policy
Re-Authorization on Synthesis
HighCombined outputs from multiple workers require fresh validation before high-impact execution
Queue and Backlog Poisoning Controls
HighTask queues and pending work items cannot be poisoned into privileged execution paths
High-Risk Tool Rechecks
CriticalShell, wallet, deployment, publishing, and external write actions re-validate context and approval immediately before execution
Economic Abuse Controls
MediumRunaway loops, repeated retries, and expensive model routing are detected and capped
Network Egress Boundaries
HighLong-lived agents cannot freely exfiltrate accumulated memory, logs, or secrets over normal outbound channels
Tamper-Evident Action History
HighCommands, approvals, memory writes, delegation events, and external actions are durably logged
Compression and Retention Policy
MediumThe system retains enough pre-compression evidence to support incident review
Containment Controls
MediumOperators can pause schedules, revoke delegated workers, quarantine state, and rotate credentials quickly
Owner-Harm Scenarios Tested
CriticalThe audit tests whether the agent can betray its operator through covert memory exfiltration, destructive action, or unauthorized external execution
Need a long-lived agent security audit?
Zealynx audits persistent agent systems with a temporal lens: what gets written, what survives, what is later trusted, and what authority that trust can unlock.