Your agent can leak data it was never asked to share

Two leaks, one agent. Memorized training data can surface in an output, and live context can bleed into a tool argument. Neither needs an attacker to be malicious. Both need a control.

B

Balagei G Nagarajan

4 MIN READ


An agent with two leaking pipes, one labeled memorized training data and one labeled live context bleeding into a tool call
Alignment reduces the rate, it does not remove the capability.
— from “Your agent can leak data it was never asked to share”

Key facts.

  • "Extracting Training Data from Large Language Models" (Carlini et al., arXiv 2012.07805, USENIX Security 2021) showed black-box extraction of verbatim training sequences from GPT-2, including names, addresses, and phone numbers. source
  • "Scalable Extraction of Training Data from (Production) Language Models" (Nasr et al., arXiv 2311.17035, November 2023) used a divergence attack to extract memorized data from aligned ChatGPT at about 150x the normal rate. source
  • OWASP's LLM02:2025 Sensitive Information Disclosure covers PII, credentials, and proprietary data surfacing in outputs; LLM07 System Prompt Leakage covers hidden instructions and secrets being extracted. source
  • In agentic systems, sensitive context from inputs, retrieved documents, or memory can pass into a tool's arguments, so a leak becomes an action (an API call carrying data it should not). source

How does an agent leak without anyone attacking it?

The memorization path is a property of the model. During training the model absorbs its data, and rare or duplicated text gets memorized closely enough to reproduce. Under the right prompt, including ordinary ones, it surfaces. The Carlini work proved the principle on GPT-2, and the Nasr work proved it still holds on an aligned production model, which is the uncomfortable part. Alignment reduces the rate, it does not remove the capability.

The context-bleed path is a property of the agent. A production agent holds a lot in context: the system prompt, the user's input, documents pulled by retrieval, and memory from prior turns. When it plans a tool call, any of that can end up in the arguments. An agent that queries a database might place a piece of PII into the query. An agent that calls an external API might include a snippet of a confidential document. No one asked it to leak. The data was simply in reach, and the agent reached for it. The blast radius is larger than a chat leak because the tool call is an action with real effects.

Sankey diagram showing data sources (training data, system prompt, retrieved docs, memory) flowing into outputs and tool arguments

What actually stops both leaks?

Different controls, because they are different problems. For memorization, you cannot un-train the model, so you filter and monitor outputs for sensitive patterns and avoid putting secrets where a model could memorize them. For context bleed, you scope what the agent can place into a tool call, validate tool arguments against what the task needs, and keep untrusted or sensitive context out of reach of tools that send data outward. Least privilege on tools limits how far any leaked value can travel, and an audit trail shows you when it happened.

Leak pathWhere it livesWhat controls it
Memorized training dataThe model's parametersOutput filtering, monitoring, no secrets in training
Context bleed to outputThe agent's contextOutput validation, sensitive-data detection
Context bleed to tool callThe agent's tool argumentsArgument validation, least-privilege tools

This is a pattern-level problem, which is why a Pattern Intelligence Layer is where it gets solved. Reliability and security at the pattern level mean outputs and tool arguments are checked for sensitive data around every run, tools are scoped so a leaked value cannot travel far, and the data flow is traced so a leak is visible rather than silent. The model will keep some memorization and the agent will keep a rich context. The pattern is what keeps either from quietly becoming a breach, and it holds when you change the model.

Frequently asked questions

Does a newer, aligned model fix memorization?
It reduces it, not eliminates it. The divergence attack pulled memorized data from aligned production ChatGPT. Treat output filtering as a standing control, not a temporary patch.

Which leak is more dangerous in an agent?
Context bleed into a tool call, usually. It turns a leak into an action with side effects and a larger blast radius than a chat response. Validate tool arguments and scope tools tightly.

We do not train models. Are we safe from the memorization path?
Partly. You inherit the base model's memorization, so you still filter outputs. But your bigger exposure is context bleed from your own prompts, documents, and memory, which is fully yours to control.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.