Security Considerations

Scope: This document covers security considerations related to Oracle AI Agent Memory Python SDK. It applies to applications using either the active-memory features of the SDK or the store layer only.

Why it matters: Oracle AI Agent Memory can persist thread content and memory records in Oracle Database and, when LLM-backed features are enabled, send content to configured model endpoints for summarization, memory extraction, or embeddings. Secure deployment therefore depends on careful handling of application data, retrieval scope, database access, external model endpoints, and retention policies.

Considerations regarding LLM-backed memory processing

Oracle AI Agent Memory supports active-memory features such as thread summarization and automatic memory extraction. When these features are enabled, the SDK may send recent messages, thread summaries, retrieved memories, or search text to the configured LLM or embedding endpoint.

Important: Only send content to Oracle AI Agent Memory that is appropriate for the configured model endpoint and your deployment policies. If active-memory is enabled for data that appears to include secrets, credentials, or unnecessary sensitive data, minimize or redact that content before messages enter the memory pipeline. Treat extracted memories, summaries, context cards, and other model-derived text as untrusted output that must be reviewed and handled safely by the integrating application.

Warning: Model-derived text can become persistent memory state. When automatic extraction, summarization, or context-card features are enabled, a summary, extracted memory, or retrieved record may be inserted by the SDK into later prompts, such as memory-extraction, summarization, context-card, or agent prompts, before the application can review that specific intermediate value. Treat this as normal untrusted LLM data flow: review and validate the outputs your application consumes, and do not let memory-derived content authorize privileged actions or bypass policy.

Follow these recommendations when using active-memory features:

Considerations regarding persistence and data minimization

Oracle AI Agent Memory is designed to persist messages, memories, metadata, and embeddings in Oracle Database when the DB-backed store is used. This allows durable retrieval and cross-session memory, but it also means the application should plan what data is appropriate to retain.

The following guidance helps keep deployments aligned with secure data-handling practices:

Considerations regarding retrieval scope and access control

Oracle AI Agent Memory uses caller-provided user_id, agent_id, and thread_id values to scope retrieval. This is a powerful filtering model, but it should not be the only control your application relies on when deciding how retrieved content is used or shown.

By default, thread-scoped retrieval uses exact matching for user_id and agent_id and a broader match for thread_id so relevant results can span past threads for the same user-agent pair. Top-level OracleAgentMemory.search() and search_async() calls also require explicit user scoping and exact user matching. They reject omitted user scope and exact_user_match=False so the public client API does not accidentally search across multiple users. Passing user_id=None is allowed only with exact user matching and targets only unscoped records.

Use the following practices when designing retrieval:

Considerations regarding application integration and caller trust

Oracle AI Agent Memory is meant to be called by the integrating application or other trusted backend code, not directly by end users. It is not an end-user-facing security boundary, and it does not perform end-user authentication or authorization on its own. The package trusts the caller to provide the correct user_id, agent_id, thread_id, and retrieval scope for each operation.

Important: The integrating application is responsible for authenticating the end user, authorizing access, and deriving the correct user_id and scope before it calls Oracle AI Agent Memory APIs. A caller-supplied user_id is a scoping value, not proof of identity.

Use the following practices when integrating the SDK into an agentic application:

Considerations regarding logging and diagnostics

Oracle AI Agent Memory uses standard Python logging and does not configure application log handlers or log levels for the integrating application. Applications can enable the oracleagentmemory logger and route SDK logs through their existing logging configuration.

Use the following practices when consuming SDK logs:

Considerations regarding database access, schema management, and secrets

Oracle AI Agent Memory uses a caller-provided Oracle Database connection or pool. The package does not create or manage database credentials itself. It also does not create, negotiate, or upgrade database network encryption on behalf of the caller.

Important: Production code should pass a TLS-enabled Oracle Database connection or pool into Oracle AI Agent Memory. The SDK uses the caller-provided connection or pool as-is and does not upgrade a plaintext DSN. Do not use plaintext database connections across untrusted, shared, or external networks. When using python-oracledb, follow the official section Securely Encrypting Network Traffic to Oracle Database and configure TLS or another approved encrypted transport as part of connection or pool creation.

Important: Never embed API keys, passwords, or other secrets directly in application code, checked-in configuration, or exported artifacts. Always use secure injection mechanisms and follow the principle of least privilege for credential access.

The following deployment practices are recommended:

Considerations regarding network communication and external endpoints

Oracle AI Agent Memory can communicate with external services when the deployment configures remote LLM or embedding providers. The SDK forwards prompts and request parameters through the configured client path, but the surrounding application and deployment remain responsible for securing these connections.

We recommend the following:

Considerations regarding resource-exhaustion vectors

Memory workflows can increase database usage, embedding traffic, and LLM token consumption over time. This is true both for malicious over-use and for innocent implementation mistakes such as oversized messages or overly broad retrieval patterns.

Use these controls as part of your production hardening: