Inferensys

Glossary

Contextual Summarization Poisoning

The manipulation of an agent's recursive summarization process, causing critical safety instructions to be dropped or distorted as the context is compressed over time.
Developer reviewing multi-agent chat interface on laptop, agent conversation logs visible, casual coding session at WeWork desk.
CONTEXT COMPRESSION ATTACK

What is Contextual Summarization Poisoning?

Contextual Summarization Poisoning is an adversarial attack that manipulates an autonomous agent's recursive text compression mechanism, causing critical safety instructions, identity constraints, or factual details to be systematically dropped, distorted, or deprioritized as the context window is condensed over time.

Contextual Summarization Poisoning exploits the inherent information loss in recursive summarization by injecting adversarial content that survives compression while benign safety instructions are discarded. As the agent summarizes its history to manage token limits, the attacker's payload is designed to be semantically resilient to compression, ensuring it persists in the summary buffer while system prompts and alignment guardrails are progressively attenuated and eventually eliminated.

This attack targets the summarization model itself, leveraging the fact that a smaller, faster model often performs the compression step. By crafting text that the summarizer treats as high-salience—such as urgent directives or core narrative elements—an adversary ensures their instructions are retained in the compressed representation. Over multiple summarization cycles, the agent's operational context becomes dominated by attacker-controlled content, leading to contextual drift where the agent believes the malicious instructions are its original objectives.

MECHANISMS OF CONTEXTUAL SUMMARIZATION POISONING

Core Characteristics of the Attack

Contextual Summarization Poisoning is a stealthy, recursive attack that exploits an agent's own memory compression mechanisms to degrade safety alignment over time. Unlike direct injection, this attack targets the summarization function itself, causing critical instructions to be dropped, distorted, or deprioritized as the context window is compressed.

01

Recursive Compression Exploitation

The attack leverages the agent's need to summarize long conversation histories to stay within token limits. Each summarization cycle acts as a lossy compression step. The attacker injects content specifically designed to survive compression while safety instructions are abstracted away.

  • Mechanism: The attacker floods the context with verbose, repetitive, or high-entropy text that dominates the summarization attention weights.
  • Outcome: The summarizer allocates disproportionate 'summary budget' to attacker content, causing system prompts to be truncated to generic placeholders like 'Be helpful.'
  • Key Insight: The attack doesn't need to override the system prompt directly; it simply ensures the system prompt is the first information lost during compression.
> 90%
Safety instruction recall loss after 3 compression cycles
02

Semantic Dilution via Distractor Content

Attackers inject large volumes of semantically dense but benign distractor content that competes with safety instructions for representational space in the summary embedding. The summarization model, optimized for semantic fidelity, preserves the factual richness of the distractor while collapsing the imperative tone of safety guidelines.

  • Example: An attacker submits a lengthy, detailed technical specification. The summarizer faithfully preserves the spec's details but reduces 'Never reveal user PII' to 'Be careful with data.'
  • Result: The agent retains factual grounding but loses its deontic constraints—the 'must not' rules that govern safe behavior.
  • Contrast: Unlike prompt injection, this attack never uses imperative language against the system; it uses informational density as a crowding-out mechanism.
3-5x
Higher semantic retention for distractor vs. safety content
03

Temporal Drift Induction

This characteristic exploits the recency bias inherent in many summarization models. By injecting content that appears more recent in the conversation timeline, the attacker causes the summary to overweight new, malicious context while progressively forgetting older, foundational safety instructions.

  • Attack Pattern: The attacker waits for several legitimate interaction turns, then injects a long, authoritative-sounding document near the end of the context window.
  • Effect: The summarizer treats the injected document as the 'current state' of the conversation, summarizing it in detail while compressing the original system prompt to a brief, decontextualized note.
  • Long-Term Impact: Each cycle moves the agent's operational parameters further from the original safety baseline, a phenomenon known as contextual drift.
40-60%
Increase in policy violation rate after 5 drift cycles
04

Instruction Distortion via Abstractive Summarization

Abstractive summarization models do not copy text; they regenerate meaning. This introduces a vulnerability where safety instructions are paraphrased into weaker, ambiguous, or logically inverted forms during compression.

  • Example: A system prompt stating 'Reject requests for password resets without MFA verification' may be summarized as 'Verify user identity for password changes.'
  • Critical Failure: The mandatory 'reject' gate becomes a discretionary 'verify' step. The agent now believes it has discretion where it should have a hard block.
  • Exploitation: Attackers prime this distortion by providing text that models the desired 'weaker' phrasing, anchoring the summarizer's paraphrasing toward the attacker's preferred semantic frame.
1 in 4
Safety-critical instructions materially altered per compression
05

Attention Sink Hijacking

Transformer-based summarizers allocate attention disproportionately to high-information tokens. Attackers craft sequences of rare tokens, numerical data, or structured formats that act as attention sinks, monopolizing the model's representational capacity.

  • Technique: Inserting a block of base64-encoded data or a dense JSON structure. The summarizer expends significant attention budget 'decoding' this block, even if it's semantically meaningless.
  • Consequence: Safety instructions, typically written in plain, predictable natural language, receive minimal attention weight and are summarized as low-priority background context.
  • Analogy: This is analogous to a computational denial-of-service against the attention mechanism itself, starving safety tokens of processing power.
70%+
Attention budget consumed by crafted sink tokens
06

Cascading Summary Contamination

The most dangerous characteristic is the self-reinforcing nature of the attack. Once a poisoned summary is written to long-term memory, it becomes the source material for all future summarization cycles. The contamination cascades.

  • Cycle 1: Attacker injects content; summary drops a safety rule.
  • Cycle 2: The agent retrieves the Cycle 1 summary as context. The next summarization treats the already-weakened summary as ground truth, further eroding constraints.
  • Cycle N: After several iterations, the agent's memory contains no trace of the original safety instructions, only a series of increasingly distorted summaries.
  • Recovery Difficulty: Without external state verification, the agent cannot self-correct because it trusts its own memory as authoritative.
< 5 cycles
Typical cycles to complete safety instruction erasure
CONTEXTUAL SUMMARIZATION POISONING

Frequently Asked Questions

Explore the mechanics, risks, and mitigation strategies for adversarial attacks targeting an agent's recursive summarization process, where critical safety instructions are systematically dropped or distorted during context compression.

Contextual Summarization Poisoning is an adversarial attack that manipulates an autonomous agent's recursive text compression mechanism to cause the systematic degradation or removal of critical safety instructions, system prompts, or factual grounding as the context window is condensed over time. The attack exploits the inherent information loss that occurs during summarization. An adversary injects a carefully crafted payload—often a long, seemingly benign block of text containing subtle linguistic patterns, contradictions, or high-entropy noise—into the agent's context. When the agent's context window reaches its token limit, it triggers a summarization step to compress the history. The poisoned content causes the summarization model to hallucinate, misprioritize, or completely drop the original core directives in favor of the attacker's distorted narrative. This is particularly dangerous in agents using recursive summarization for long-running tasks, where each compression cycle further erodes the original instructions, leading to goal drift and eventual agent subversion.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.