Post

Clearing Houses Will Win the Agent Era. They'll Also Be Its Biggest Breach

Clearing houses, the shared memory layer agents read and write, are the high ground of the agent era. They are also the softest thing in the stack. Why memory poisoning is the breach pattern this architecture invites, and the four properties that have to be designed in.

Clearing Houses Will Win the Agent Era. They'll Also Be Its Biggest Breach

There’s a line from Brian Gracely that I keep coming back to. “Systems of Record won the SaaS era,” he said. “Clearing Houses will win the Agents era.” It’s a good line, and I think the prediction is basically correct. So let me agree with it first, then add the part he left out: the thing that makes a clearing house valuable is the same thing that makes it the place your company gets breached.

%%{init: {"theme": "base", "themeVariables": {"primaryColor": "#e8f4fd", "primaryBorderColor": "#3182ce", "fontSize": "14px", "fontFamily": "system-ui, -apple-system, sans-serif"}}}%%
flowchart LR
    W["Any agent or source
with write access"] ==> CH["Clearing house
shared memory & context"] CH --> A1["Agent A"] CH --> A2["Agent B"] CH --> A3["Agent C"] classDef safe fill:#e8f4fd,stroke:#3182ce,color:#1a202c,stroke-width:1.5px classDef risk fill:#fde8e8,stroke:#e53e3e,color:#1a202c,stroke-width:1.5px class A1,A2,A3 safe class W,CH risk

Reads fan out. Writes are the way in. Everything downstream trusts what comes out.

First, what he’s actually saying

Let me translate, because “clearing house” sounds like banking jargon.

In the SaaS era, the companies that won owned the system of record. Salesforce owned the customer record. Workday owned the employee record. Whoever held the authoritative copy of the data held the power.

Gracely’s argument is that agents change the question. When you have lots of AI agents running around doing tasks, the valuable thing isn’t a static record anymore. It’s the shared middle layer that gives all those agents a common memory, a consistent view of what’s true, and a record of what’s been done. A clearing house, in his sense, is that shared brain in the middle. It’s where agents check in, leave notes for each other, and pick up context so they don’t each start from zero.

He’s saying that shared layer is the new high ground. I agree. And here’s the part the pitch doesn’t mention: that shared brain is the softest, least-defended thing in the entire setup.

The 48-hour question nobody can answer

On the same podcast, Gracely asked a question almost in passing. If an agent goes off and runs some task for 24 or 48 hours, “how do you have some sense of what they’re doing?”

He framed it as an observability nice-to-have. I’d flag it as something more serious, because I’ve watched security teams hit this wall. When an autonomous agent runs for two days, touches a dozen tools, reads and writes to shared memory, and then something turns out to be wrong, the first question anyone asks is: what did it actually do? In most setups today, the honest answer is that we don’t fully know.

That’s not a dashboard gap. That’s an incident-response gap. If you can’t reconstruct what an agent did, you can’t tell whether you had a glitch or a breach, you can’t tell what data moved, and you can’t tell your customers or your regulator anything credible.

The ability to answer “what happened” can’t be bolted on afterward. It’s designed into the clearing house from the start, or it doesn’t exist.

Why the shared memory is the target

The mechanism is worth understanding, because it’s sneakier than the attacks people usually picture.

Most people imagine AI attacks as someone typing a clever trick into a chatbot to get a bad answer right now: immediate, visible, one conversation. Poisoning a shared memory is the opposite. The attacker plants one bad piece of information into the central layer, and it sits there looking like trusted context. Hours or days later, a completely different agent reads it, believes it, and acts on it. The damage happens far from where it was planted, long after, through an agent that was never directly attacked.

%%{init: {"theme": "base", "themeVariables": {"primaryColor": "#e8f4fd", "primaryBorderColor": "#3182ce", "fontSize": "14px", "fontFamily": "system-ui, -apple-system, sans-serif"}}}%%
flowchart LR
    P["Hour 0
One false entry
written to memory"] --> D["Hours 0–48
Sits dormant, looks
like trusted context"] D --> R["Hour 48
A different agent
reads it"] R --> X["Hour 48+
Acts on it
never directly attacked"] classDef known fill:#e8f4fd,stroke:#3182ce,color:#1a202c,stroke-width:1.5px classDef threat fill:#0f172a,stroke:#0f172a,color:#fff,stroke-width:1.5px class P,D,R known class X threat

The delay and the distance are the point. Nothing about the acting agent looks compromised.

That’s also what makes the blast radius so different. With a single poisoned chat, you lose one conversation. With a poisoned clearing house, you lose every agent that trusts the shared memory.

The security world has given this its own slot in the rankings. The OWASP Top 10 for Agentic Applications 2026, announced in December 2025, lists Memory and Context Poisoning as ASI06, a named top-ten risk for exactly this class of system.

The broader trend line isn’t comforting either. Through 2029, more than half of successful attacks on AI agents are expected to come from access-control weaknesses (Gartner, 2025), the “who is allowed to write to this” gaps that a shared memory layer lives and dies on. Meanwhile 88% of organizations already report a confirmed or suspected AI agent incident in the past year (Gravitee, 2026). We’re building the shared brain faster than we’re learning to defend it.

Trust is the feature and the vulnerability

The uncomfortable truth is that the whole value proposition rests on trust. Agents have to trust the shared memory, or it’s useless. The entire point is that an agent can read context it didn’t generate and rely on it.

But “rely on context you didn’t generate and can’t verify” is also a one-sentence definition of the vulnerability. You cannot have the benefit without the exposure. The more agents lean on the shared layer, the more valuable it is, and the more catastrophic it is when someone slips something false into it.

Which is why clearing-house security isn’t a feature you add later. It’s a property you either designed in or you didn’t.

How to build one you can actually defend

If clearing houses really are the high ground of the agent era, the teams that win won’t be the ones that build them. They’ll be the ones that build them so they survive contact with an attacker. Four principles I’d hold any design to:

  • Provenance on every entry. For each piece of stored context, know where it came from and which agent or source put it there. Memory with no origin is memory you can’t trust and can’t clean.
  • Tight control on writes. Reading from the shared layer can be broad. Writing to it should not be. Almost all of the risk is on the write side, because that’s how poison gets in. Treat write access as a privilege, not a default.
  • A tamper-evident trail. Keep a record of changes to the shared memory that an attacker can’t quietly edit, so you can tell when something was altered and by whom.
  • Replay for forensics. Build it so you can reconstruct what an agent saw and did across a long run. This is what finally answers Gracely’s 48-hour question.

Each one exists to answer a question you will be asked, out loud, on the worst day of your quarter:

%%{init: {"theme": "base", "themeVariables": {"primaryColor": "#e8f4fd", "primaryBorderColor": "#3182ce", "fontSize": "14px", "fontFamily": "system-ui, -apple-system, sans-serif"}}}%%
flowchart LR
    P["Provenance"] --> Q1["Where did this
context come from?"] W["Write control"] --> Q2["Who was allowed
to put it there?"] T["Tamper-evident trail"] --> Q3["Was it changed
after the fact?"] R["Replay"] --> Q4["What did the agent
see and do?"] classDef ctrl fill:#e8f4fd,stroke:#3182ce,color:#1a202c,stroke-width:1.5px classDef q fill:#0f172a,stroke:#0f172a,color:#fff,stroke-width:1.5px class P,W,T,R ctrl class Q1,Q2,Q3,Q4 q

Without the left column, the answer to every question on the right is a shrug.

The takeaway

Gracely is right that clearing houses will win the agent era. I’d just finish the sentence. The shared memory that makes them valuable is the same shared memory that makes them the prime target, and the long autonomous runs that make agents powerful are the same runs nobody can currently audit.

Memory poisoning isn’t a fringe risk. It’s the breach pattern this architecture is built to invite, which is why it has its own line in the OWASP top ten. If you want to see how far a single poisoned entry travels once agents start handing work to each other, I walked that chain end to end in Deleting the Malicious MCP Server Doesn’t Save You.

So build the clearing house. Just build it like someone is going to try to poison it, because they are.

And if you’d rather see a memory-poisoning attack unfold step by step than take my word for it, I built an open, self-hostable playground for exactly that. Watch one land in the trace and you won’t look at shared agent memory the same way again.


References

  • OWASP Top 10 for Agentic Applications 2026 (ASI06 Memory and Context Poisoning), announced December 9 2025 by the OWASP GenAI Security Project / Agentic Security Initiative
  • Gartner: through 2029, >50% of successful attacks on AI agents will exploit access-control issues (2025); Gravitee 2026: 88% of organizations reported a confirmed or suspected AI agent incident; both via practical-devsecops.com
  • Podcast source: The Enterprise AI Show, “Do CIOs need to create an Enterprise AI Harness?” (June 12 2026), Brian Gracely: “Systems of Record won the SaaS era, Clearing Houses will win the Agents era,” and the 24-to-48-hour agent visibility question
The Security Lab Newsletter

This post is the article. The newsletter is the lab.

Subscribers get what doesn't fit in a post: the full attack code with annotated results, the measurement methodology behind the numbers, and the week's thread — where I work through a technique or incident across several days of testing rather than a single draft. The RAG poisoning work, the MCP CVE analysis, the red-teaming patterns — all of it started as a newsletter thread before it became a post. One email per week. No sponsored content. Unsubscribe any time.

Join the lab — it's free

Already subscribed? Browse the back-issues →

This post is licensed under CC BY 4.0 by the author.