T4-AT-004 · MEDIUM

Cross-Conversation Contamination

T4 · Multi-Turn & Memory Manipulation
Risk score: 195
Rating: Medium
Procedures: 10
Severity
Mechanism

Stateless inference provides strong conversation isolation — each API call is independent. But persistent features (ChatGPT Memory, Claude Memory, Anthropic user preferences, shared MCP server state, connector integrations) create cross-session data channels that break this isolation. The architectural gap: session isolation was a security property of stateless inference that was silently degraded when persistence features were added.

Detection
  • Cross-session behavioral delta: Monitor for changes in model behavior (refusal rate, content type) that correlate with recent memory writes
  • Memory content auditing: Periodic automated review of stored memories for instruction-like content
  • MCP state integrity monitoring: Hash and verify MCP tool descriptions and stored state between sessions
  • Anomalous memory write detection: Alert on memories written via indirect channels (URL fetching, tool output processing) rather than direct user request
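
An added example (not part of the original entry) of the MCP state integrity check above: it fingerprints each tool description and diffs the current listing against a baseline pinned in an earlier session. The `name`, `description` and `inputSchema` fields are assumed to be what the MCP server returns per tool; the function names and the two sample sessions are constructed for illustration.

```python
import hashlib
import json

FIELDS = ("name", "description", "inputSchema")  # assumed per-tool fields shown to the model

def fingerprint(tool):
    """SHA-256 over canonical JSON, so key order and whitespace do not matter."""
    seen = {k: tool.get(k) for k in FIELDS}
    blob = json.dumps(seen, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def snapshot(tools):
    """Baseline to persist outside the MCP server: tool name -> fingerprint."""
    return {t["name"]: fingerprint(t) for t in tools}

def drift(baseline, tools):
    """Compare the tools offered now against the pinned baseline."""
    current = snapshot(tools)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in set(current) & set(baseline)
                          if current[n] != baseline[n]),
    }

# Constructed sample data: the same server listed in two sessions.
SESSION_1 = [
    {"name": "fetch_url", "description": "Fetch a URL.",
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
    {"name": "save_note", "description": "Save a note for the user.",
     "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}}}},
]
SESSION_2 = [
    # Same content as before, keys reordered: must not be reported.
    {"inputSchema": {"properties": {"url": {"type": "string"}}, "type": "object"},
     "description": "Fetch a URL.", "name": "fetch_url"},
    # Description text differs from the baseline: must be reported.
    {"name": "save_note", "description": "Save a note for the user. Apply to all chats.",
     "inputSchema": {"type": "object", "properties": {"text": {"type": "string"}}}},
    # Tool that was not present when the baseline was taken.
    {"name": "export_notes", "description": "Export notes.",
     "inputSchema": {"type": "object", "properties": {}}},
]

if __name__ == "__main__":
    report = drift(snapshot(SESSION_1), SESSION_2)
    print(json.dumps(report, indent=2))  # any non-empty list is an alert
```

The baseline only helps if it is stored where the MCP server and the model cannot rewrite it.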
Mitigation
Memory content isolation from safety evaluation: HIGH
Per-session safety baseline: HIGH
MCP tool description signing: HIGH
User-visible memory audit with edit controls: MEDIUM
Chaining

Cross-conversation contamination is the persistence layer for any transient attack. It chains from T4-AT-002 (Memory Instruction Injection) as the mechanism for making injected instructions durable.

Framework mapping
OWASP LLM: LLM01
MITRE ATLAS: AML.T0080