Contextual Summarization Poisoning exploits the inherent information loss in recursive summarization by injecting adversarial content that survives compression while benign safety instructions are discarded. As the agent summarizes its history to manage token limits, the attacker's payload is designed to be semantically resilient to compression, ensuring it persists in the summary buffer while system prompts and alignment guardrails are progressively attenuated and eventually eliminated.
Glossary
Contextual Summarization Poisoning

What is Contextual Summarization Poisoning?
Contextual Summarization Poisoning is an adversarial attack that manipulates an autonomous agent's recursive text compression mechanism, causing critical safety instructions, identity constraints, or factual details to be systematically dropped, distorted, or deprioritized as the context window is condensed over time.
This attack targets the summarization model itself, leveraging the fact that a smaller, faster model often performs the compression step. By crafting text that the summarizer treats as high-salience—such as urgent directives or core narrative elements—an adversary ensures their instructions are retained in the compressed representation. Over multiple summarization cycles, the agent's operational context becomes dominated by attacker-controlled content, leading to contextual drift where the agent believes the malicious instructions are its original objectives.
Core Characteristics of the Attack
Contextual Summarization Poisoning is a stealthy, recursive attack that exploits an agent's own memory compression mechanisms to degrade safety alignment over time. Unlike direct injection, this attack targets the summarization function itself, causing critical instructions to be dropped, distorted, or deprioritized as the context window is compressed.
Recursive Compression Exploitation
The attack leverages the agent's need to summarize long conversation histories to stay within token limits. Each summarization cycle acts as a lossy compression step. The attacker injects content specifically designed to survive compression while safety instructions are abstracted away.
- Mechanism: The attacker floods the context with verbose, repetitive, or high-entropy text that dominates the summarization attention weights.
- Outcome: The summarizer allocates disproportionate 'summary budget' to attacker content, causing system prompts to be truncated to generic placeholders like 'Be helpful.'
- Key Insight: The attack doesn't need to override the system prompt directly; it simply ensures the system prompt is the first information lost during compression.
Semantic Dilution via Distractor Content
Attackers inject large volumes of semantically dense but benign distractor content that competes with safety instructions for representational space in the summary embedding. The summarization model, optimized for semantic fidelity, preserves the factual richness of the distractor while collapsing the imperative tone of safety guidelines.
- Example: An attacker submits a lengthy, detailed technical specification. The summarizer faithfully preserves the spec's details but reduces 'Never reveal user PII' to 'Be careful with data.'
- Result: The agent retains factual grounding but loses its deontic constraints—the 'must not' rules that govern safe behavior.
- Contrast: Unlike prompt injection, this attack never uses imperative language against the system; it uses informational density as a crowding-out mechanism.
Temporal Drift Induction
This characteristic exploits the recency bias inherent in many summarization models. By injecting content that appears more recent in the conversation timeline, the attacker causes the summary to overweight new, malicious context while progressively forgetting older, foundational safety instructions.
- Attack Pattern: The attacker waits for several legitimate interaction turns, then injects a long, authoritative-sounding document near the end of the context window.
- Effect: The summarizer treats the injected document as the 'current state' of the conversation, summarizing it in detail while compressing the original system prompt to a brief, decontextualized note.
- Long-Term Impact: Each cycle moves the agent's operational parameters further from the original safety baseline, a phenomenon known as contextual drift.
Instruction Distortion via Abstractive Summarization
Abstractive summarization models do not copy text; they regenerate meaning. This introduces a vulnerability where safety instructions are paraphrased into weaker, ambiguous, or logically inverted forms during compression.
- Example: A system prompt stating 'Reject requests for password resets without MFA verification' may be summarized as 'Verify user identity for password changes.'
- Critical Failure: The mandatory 'reject' gate becomes a discretionary 'verify' step. The agent now believes it has discretion where it should have a hard block.
- Exploitation: Attackers prime this distortion by providing text that models the desired 'weaker' phrasing, anchoring the summarizer's paraphrasing toward the attacker's preferred semantic frame.
Attention Sink Hijacking
Transformer-based summarizers allocate attention disproportionately to high-information tokens. Attackers craft sequences of rare tokens, numerical data, or structured formats that act as attention sinks, monopolizing the model's representational capacity.
- Technique: Inserting a block of base64-encoded data or a dense JSON structure. The summarizer expends significant attention budget 'decoding' this block, even if it's semantically meaningless.
- Consequence: Safety instructions, typically written in plain, predictable natural language, receive minimal attention weight and are summarized as low-priority background context.
- Analogy: This is analogous to a computational denial-of-service against the attention mechanism itself, starving safety tokens of processing power.
Cascading Summary Contamination
The most dangerous characteristic is the self-reinforcing nature of the attack. Once a poisoned summary is written to long-term memory, it becomes the source material for all future summarization cycles. The contamination cascades.
- Cycle 1: Attacker injects content; summary drops a safety rule.
- Cycle 2: The agent retrieves the Cycle 1 summary as context. The next summarization treats the already-weakened summary as ground truth, further eroding constraints.
- Cycle N: After several iterations, the agent's memory contains no trace of the original safety instructions, only a series of increasingly distorted summaries.
- Recovery Difficulty: Without external state verification, the agent cannot self-correct because it trusts its own memory as authoritative.
Frequently Asked Questions
Explore the mechanics, risks, and mitigation strategies for adversarial attacks targeting an agent's recursive summarization process, where critical safety instructions are systematically dropped or distorted during context compression.
Contextual Summarization Poisoning is an adversarial attack that manipulates an autonomous agent's recursive text compression mechanism to cause the systematic degradation or removal of critical safety instructions, system prompts, or factual grounding as the context window is condensed over time. The attack exploits the inherent information loss that occurs during summarization. An adversary injects a carefully crafted payload—often a long, seemingly benign block of text containing subtle linguistic patterns, contradictions, or high-entropy noise—into the agent's context. When the agent's context window reaches its token limit, it triggers a summarization step to compress the history. The poisoned content causes the summarization model to hallucinate, misprioritize, or completely drop the original core directives in favor of the attacker's distorted narrative. This is particularly dangerous in agents using recursive summarization for long-running tasks, where each compression cycle further erodes the original instructions, leading to goal drift and eventual agent subversion.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the broader attack surface of agent memory and retrieval systems. These related techniques target different stages of the context assembly pipeline.
Retrieval-Augmented Generation Poisoning
The adversarial corruption of a RAG pipeline's external knowledge base, causing the agent to retrieve and ground responses in attacker-controlled documents. This is the upstream vector that feeds poisoned content into summarization processes.
- Targets vector databases and document stores
- Exploits semantic similarity scoring to surface malicious chunks
- Poisoned retrievals become permanent context artifacts after summarization
Chain-of-Thought Contamination
The injection of malicious reasoning steps into an agent's scratchpad or reflection loop. When an agent summarizes its own reasoning chain, contaminated intermediate steps become compressed into the agent's long-term memory as trusted conclusions.
- Exploits reflection and self-critique mechanisms
- Poisoned reasoning cascades through recursive summarization
- Particularly dangerous in ReAct and Tree-of-Thoughts architectures
Cross-Session Poisoning
A persistent attack where adversarial content injected into an agent's long-term memory influences behavior across multiple independent user sessions. Summarization poisoning is the primary mechanism that embeds these attacks into compressed memory states.
- Survives context window resets
- Exploits episodic memory replay during reflection
- Poisoned summaries act as sleeper agents across sessions
Token Budget Attack
A denial-of-service technique that consumes an agent's available token budget with filler content, forcing the truncation of safety instructions during summarization. When the summarizer must compress an overstuffed context, critical guardrails are the first casualties.
- Exploits fixed context window limits
- Forces lossy compression of safety prompts
- Often precedes more targeted injection attacks
Lost-in-the-Middle Exploit
An attack that exploits the positional attention bias of transformer models by placing malicious instructions in the middle of a long context. During summarization, middle-position content receives the least attention, making it ideal for smuggling instructions that survive compression.
- Leverages the U-shaped attention curve
- Malicious content bypasses both beginning and end scrutiny
- Survives recursive summarization passes

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us