Data Operations

The Data Operations layer covers every data surface that the agent reads, writes, or shares at runtime. This excludes training data (that is L1); it covers the live data plane that shapes each inference. In agentic systems this includes vector stores, prompt templates, retrieval pipelines, shared memory, tool output caches, and any corpus that the agent can query or update during a task. Because agents often share data stores across tasks and across peer agents, a compromise in this layer can propagate laterally in ways that are structurally impossible in single-request LLM applications.

What lives here

• Vector store indexes used for retrieval-augmented generation (Pinecone, Weaviate, pgvector, Chroma)
• Retrieval pipelines: chunking logic, embedding generation, similarity scoring, re-ranking
• Shared short-term and long-term memory: conversation history, task state, cross-session stores
• Prompt templates, system-prompt files, and instruction corpora managed outside the model
• Tool output caches and intermediate result stores read by downstream agents
• Structured knowledge bases queried at inference time (SQL, graph databases, document stores)
• Data ingestion and validation logic that controls what enters any of the above
• Data classification tags and access control metadata attached to stored records

In a multi-agent deployment, these surfaces are often shared. A vector store that one agent writes to is frequently the retrieval source for another. The MAESTRO guide (Cloud Security Alliance, Ken Huang, 2025) calls out this shared-write / shared-read topology as the primary reason data-plane threats have elevated severity in MAS compared to single-agent settings.

Concrete example: A legal-research system uses a LlamaIndex pipeline where an ingestion agent chunks and embeds client documents into a shared Weaviate instance, and a separate summarisation agent retrieves from the same store. A malicious PDF submitted by an external party can inject adversarial text at chunk boundaries that is semantically close to legitimate case law. Once embedded, it surfaces in every subsequent query that touches the same namespace, affecting the summaries the second agent produces for all users.

Threats that target this layer

• T1 Memory Poisoning: adversarial content written into a shared memory or vector store (via direct injection such as a malicious document in the RAG corpus, or via an agent that retrieves and re-stores tampered content) corrupts the context that subsequent agents or tasks read. Unlike a single-session attack, a poisoned vector store persists across restarts.
• T12 Agent Communication Poisoning: when inter-agent messages are buffered, logged, or cached in a shared store before delivery, an attacker who can write to that store controls the messages. This blurs the line between data-layer and communication-layer attacks.
• T5 Cascading Hallucination Attacks: retrieval pipelines that return low-quality, outdated, or adversarially seeded chunks amplify hallucination rates. A compromised retrieval corpus turns the model’s tendency to confabulate from a probabilistic nuisance into a reliable attack vector.
• T17 Supply Chain Compromise: third-party data connectors, embedding pipelines, and corpus update jobs are software with their own dependencies. A compromised data pipeline silently alters what enters the vector store without touching the model or the application code.

Mitigations anchored here

• memory content validation: validate retrieved content against an expected schema and provenance record before injecting it into the agent’s context window. Rejects chunks whose embedding source, update timestamp, or access label does not match declared policy.
• memory anomaly detection: monitor vector store reads and writes for statistical deviation from a baseline. Sudden retrieval of previously-unseen clusters, or write patterns inconsistent with normal ingestion, surface poisoning attempts before downstream inference occurs.
• memory-poisoning defence: hardened ingestion pipeline: content hashing on write, ACL enforcement on read, anomaly detection on retrieval distribution, and rate limiting on bulk write paths. Combines preventive and detective controls for the full store lifecycle.
• permission-aware vector retrieval: per-namespace and per-document access control on the vector store, enforced at query time. Prevents one tenant’s data from entering another tenant’s context, and prevents agents from reading records outside their declared scope.
• output provenance tracking: attach retrieval provenance metadata to every chunk returned, so downstream agents and audit logs can trace which store, which document, and which version of a document contributed to a given response.
• data classification: classify records at ingestion time by sensitivity level and attach immutable labels. Classification gates which agents may read a record and what retention and DLP rules apply.

How L2 relates to its neighbours

L2 sits directly above L1 Foundation Models. The distinction is temporal: L1 concerns data baked into weights at training time; L2 concerns data read at inference time. A threat that corrupts training data targets L1; a threat that corrupts a retrieval corpus targets L2. Both ultimately affect model output, but the mitigations differ: you cannot patch a poisoned embedding store by retraining the model.

The immediate layer above L2 is L3 Agent Frameworks, which consumes the data that L2 produces. The agent framework decides what retrieval queries to issue, how to incorporate retrieved chunks into the prompt, and what to write back to shared memory. Data quality at L2 is a precondition for safe reasoning at L3. A retrieval pipeline that returns attacker-controlled content defeats whatever prompt-injection defences the framework layer applies.

L2 is the layer where the boundary between “the model” and “the data” is most easily collapsed. Treating retrieval, memory, and data ingestion as trusted by default is the most common architectural error in agentic deployments, and the one MAESTRO’s Data Operations layer exists to surface.