Writing a memoir? Use this checklist to review your story, strengthen your writing, and make sure your memoir is ready for readers.

I’ve created a checklist for memoir writers to help you see if your story is on the right track. Mary Karr’s Memoir Checklist in The Art of Memoir inspired me. My version is more practical and especially useful for first-time memoir writers.

The Ultimate Checklist For Writing A Memoir

1. Are you writing a memoir or an autobiography? Remember that a memoir is not an autobiography. It is not about your entire life. Autobiographies are usually history textbooks about famous people. Read: What’s The Difference Between An Autobiography And A Memoir?
2. Should you rather be writing fiction? If you are not writing the truth about what happened, you should consider writing fiction. Read: 6 Differences Between A Novel & A Memoir
3. Have you done your research? Have you interviewed people and collected all the data you need? Have you made lists to help you jog your memory? Read: The 5 Top Tips For Turning Memories Into A Book
4. Has something changed? Why is this day different? We read memoirs to experience somebody else’s life vicariously. We read to experience an interesting or inspiring or frightening account of a life. So, ask yourself: What changed? What happened that put me on this path? This is usually where you start your memoir.
5. Are you empathetic and relatable? Readers need to feel for you. This does not mean that you need to hide the dark side of your character. It means that you need to show reasons why you behaved the way you did. Read: 5 Essential Tips For Writing A Memoir
6. Have you focused on one theme? Have you narrowed your focus for this project? ‘A memoir focuses on a time, or an event, or series of events, or a choice, that is tied together with a theme. It is not your entire life story.’ Read: Writing A Memoir? Narrow Your Focus and 12 Types Of Memoirs – Which One Is Yours?
7. Have you re-created your settings? Readers must be able to picture the setting as they read your story. The settings must be as real to them as they were to you. Read: How To Create Perfect Settings In Your Memoir
8. Are your descriptions specific? Be as specific as you can be. Include vegetation, time, seasons, and weather. Use street names and name places to make them come to life. Read: How To Create Perfect Settings In Your Memoir
9.  Have you used the five senses? Anton Chekhov said: ‘Don’t tell me the moon is shining; show me the glint of light on broken glass.’ Using the five senses helps you to show the story. If you do, the reader will be able to taste, smell, hear, touch, and see your story with you. Read: The Power Of The 5 Senses In Stories
10. Have you included dialogue? Dialogue helps you to show and not tell. It is an excellent way to write about real people in your story. Dialogue is part of life and the people in your life spoke. So, use it to to show conflict and to increase suspense in your memoir.
11. Have you written in first person present tense? This is really the best way to write a memoir. Because of the personal, confidential aspects of memoirs, it is preferable to write in first person. To create the immediacy of the experience, it is preferable to write in present tense. Read: Why First Person Present Tense Is Perfect For Your Memoir
12. Have you followed a timeline? Does your story make sense? Does it follow a logical sequence of events? Creating a timeline for your memoir may be one way of checking that this works.
13. Have you included scenes and sequels? You need 50-60 of these storytelling units in your book. Please read: Yes, You Do Need Scenes And Sequels In Memoirs
14. Have you included enough conflict? Don’t shy away from outer conflict by focusing on inner conflict. Make sure you have enough of both. Read: Mistakes Writers Make With Conflict In Memoirs
15. Have you learned something? People read memoirs to find out what you learned along the way – and how you coped. Have you been transformed in some way? Read: 7 Really Good Reasons To Write A Memoir
16. Have you been fair to others in your story? Other people should not be caricatures. They should be three-dimensional people. Read: 5 Ways To Write About Real People In Memoirs
17. Have you been true to yourself? Have you told your story as honestly as you could? Do you feel good about the way you have told it? This is the most important question in the memoirist’s checklist.

The Last Word

Even though you’re not writing fiction, you still need to use many fiction writing techniques to keep your readers turning the page. It can be hard to know if you have included everything you need. This checklist will help you assess your work and improve your story.

Top Tip: If you want to learn how to write a memoir, buy our Secrets of a Memoirist course.

by Amanda Patterson
© Amanda Patterson

If you liked this blogger’s writing, you may enjoy:

1. 40 Ways To Write About Empathy
2. How To Choose Your Genre
3. What Is An Analogy & How Do I Write One?
4. 10 Tips For Retelling A Classic Tale
5. Characterisation Exercise: Then & Now

If you want to read more about memoirs:

1. 5 Ways To Write About Real People In Memoirs
2. 5 Common Traits Of A Successful Memoir
3. 6 Differences Between A Novel & A Memoir
4. 12 Types Of Memoirs – Which One Is Yours?
5. 7 Tips From Journalists To Write A Better Memoir

Top Tip: Sign up for our free daily writing links

The post The Ultimate Checklist For Writing A Memoir appeared first on Writers Write.

This is a release candidate of Windows Package Manager v1.29. If you find any bugs or problems, please help us out by filing an issue.

New in v1.29

New Feature: Source Priority

With this feature, one can assign a numerical priority to sources when added or later through the source edit
command. Sources with higher priority are sorted first in the list of sources, which results in them getting put first
in the results if other things are equal.

Beyond the ability to slightly affect the result ordering, commands that primarily target available packages
(largely install) will now prefer to use a single result from a source with higher priority rather than prompting for
disambiguation from the user. Said another way, if multiple sources return results but only one of those sources has
the highest priority value (and it returned only one result) then that package will be used rather than giving a
"multiple packages were found" error. This has been applied to both winget CLI and PowerShell module commands.

REST result match criteria update

Along with the source priority change, the results from REST sources (like msstore) now attempt to correctly set the
match criteria that factor into the result ordering. This will prevent them from being sorted to the top automatically.

Minor Features

Preserve installer arguments across export and import

winget export now captures the --override and --custom arguments that were used when a package was originally installed and saves them into the export file. When subsequently running winget import, those values are automatically re-applied during installation — --override replaces all installer arguments and --custom appends extra switches — so packages can be reinstalled with the same customizations without any manual intervention. Both fields are optional and independent of each other; packages without stored installer arguments are unaffected.

--no-progress flag

Added a new --no-progress command-line flag that disables all progress reporting (progress bars and spinners). This flag is universally available on all commands and takes precedence over the visual.progressBar setting. Useful for automation scenarios or when running WinGet in environments where progress output is undesirable.

MCP upgrade support

The WinGet MCP server's existing tools have been extended with new parameters to support upgrade scenarios:

• find-winget-packages now accepts an upgradeable parameter (default: false). When set to true, it lists only installed packages that have available upgrades — equivalent to winget upgrade. The query parameter becomes optional in this mode, allowing it to filter results or be omitted to list all upgradeable packages. AI agents can use this to answer requests like "What apps can I update with WinGet?"
• install-winget-package now accepts an upgradeOnly parameter (default: false). When set to true, it only upgrades an already-installed package and returns a clear error if the package is not installed (pointing to install-winget-package without upgradeOnly instead). AI agents can use this to answer requests like "Update WinGetCreate" or, in combination with find-winget-packages with upgradeable=true, "Update all my apps."

Authenticated GitHub API requests in PowerShell module

The PowerShell module now automatically uses GH_TOKEN or GITHUB_TOKEN environment variables to authenticate GitHub API requests. This significantly increases the GitHub API rate limit, preventing failures in CI/CD pipelines. Use -Verbose to see which token is being used.

Default priority of installer types

Installer type selection no longer depends on the order defined on the manifest. Instead, preference is given in this order:

• MSIX
• MSI / Wix / Burn
• Nullsoft / Inno / EXE
• Portable

When a user configures installer type requirements or preferences, the order in which they are listed is now respected during installer selection.

Improved list output when redirected

• winget list (and similar table commands) no longer truncates output when stdout is redirected to a file or variable — column widths are now computed from the full result set.
• Spinner and progress bar output are suppressed when no console is attached, keeping redirected output clean.

Log file naming strategy

Added a user setting (logging.fileNameStrategy) for controlling the default naming strategy for installer log files. Supported values are manifest (default), timestamp, guid, and shortguid. Only applies to logs generated by installers if the installer itself supports the logging switch / parameter.

Sortable list output

winget list now supports sorting results via --sort <field> (repeatable for multi-field sorting), --ascending/--descending direction flags, and a persistent output.sortOrder setting. Available sort fields: name, id, version, source, available, relevance. By default, results are sorted alphabetically by name when no query is present; use --sort relevance to preserve the previous source-determined ordering.

Bug Fixes

• winget export now works when the destination path is a hidden file
• Fixed the useLatest property in the DSC v3 Microsoft.WinGet/Package resource schema to emit a boolean default (false) instead of the incorrect string "false".
• SignFile in WinGetSourceCreator now supports an optional RFC 3161 timestamp server via the new TimestampServer property on the Signature model. When set, signtool.exe is called with /tr <url> /td sha256, embedding a countersignature timestamp so that signed packages remain valid after the signing certificate expires.
• File and directory paths passed to signtool.exe and makeappx.exe are now quoted, fixing failures when paths contain spaces.
• DSC export now correctly exports WinGet Admin Settings
• winget validate now performs case-insensitive comparison for file extensions where applicable
• winget source reset now properly resets default sources instead of removing them
• DSC v3 Microsoft.WinGet/Package resource now honors the installMode property to use silent or interactive installer switches as specified

What's Changed

• Make list details stable by @JohnMcPMS in #6020
• Move to IReference rather than custom enum for optional bool by @JohnMcPMS in #6022
• Apply latest loc patch by @florelis in #6023
• Bump version to 1.29 by @florelis in #6019
• Remove 'listDetails' from release notes for 1.29 by @florelis in #6026
• Update doc as WinGet is not in preview by @Gijsreyn in #5850
• Replaced "(C)" with "©" in the main menu. by @DandelionSprout in #5845
• Source priority by @JohnMcPMS in #6029
• Update json vcpkg by @JohnMcPMS in #6039
• Coalesce comments from loc suggestions by @JohnMcPMS in #6033
• Update Roadmap Milestones doc by @Kissaki in #5824
• Add copilot instructions by @JohnMcPMS in #6048
• Add --no-progress option by @JohnMcPMS in #6049
• Remove Crescendo PowerShell by @JohnMcPMS in #6056
• Fix casing of WinGet by @JohnMcPMS in #6059
• Added more info for "Installer Types" values in Settings.md. by @DandelionSprout in #6067
• Diagnostics update and stable DSC for tests by @JohnMcPMS in #6084
• feat: authenticate GitHub API requests using GH_TOKEN/GITHUB_TOKEN by @wmmc88 in #6071
• Tool to investigate SQLite compression by @JohnMcPMS in #6074
• Add dependencies only option by @JohnMcPMS in #6069
• docs: fix multiple documentation issues (#5296, #5921, #5108, #4372, #5867) by @GrantMeStrength in #6110
• Revert help link in DscCommand by @JohnMcPMS in #6111
• Update Moq, curl, and c-ares by @Trenly in #6112
• Add Timeserver Support for SourceCreator and support spaces in paths and file names by @Trenly in #6113
• Report skipped upgrades when install technology differs (upgrade --all) by @AMDphreak in #6096
• [AI Generated] Ensure correct DSC export of admin settings by @Trenly in #6109
• Update default for useLatest by @Trenly in #6114
• Add Update commands for MCP by @Trenly in #6117
• Preserve overrides with export and import by @Trenly in #6118
• Quote winget server path before calling CreateProcess by @yao-msft in #6122
• Update to spell check v26 by @Trenly in #6128
• Add issue types to issue templates by @denelon in #6139
• Improve MOTW error handling in download flow by @Trenly in #6127
• Allow exporting to hidden files by @Trenly in #5795
• Add thread globals for downloader thread by @Trenly in #6141
• Dynamically select drive for test by @Trenly in #6129
• Change how Truncation works by @Trenly in #6142
• Admin setting and group policy for configuration processor path argument by @JohnMcPMS in #6119
• Add comments to loc strings by @florelis in #6150
• Move XML ref ahead by @JohnMcPMS in #6154
• Add policy for notifying authors of Localization Restriction by @Trenly in #6156
• Dont log failures to get font title info by @dkbennett in #6163
• [ListCommand] Fix --source filter not restricting list output to specified source by @Madhusudhan-MSFT in #6159
• Improved manifest validations for MSI and Windows Feature names by @JohnMcPMS in #6170
• Mitigate packaged preindexed source open lock convoy by @mamoreau-devolutions in #6172
• Optimize packaged temp ACL handling without weakening ACL repairs by @mamoreau-devolutions in #6171
• Add telemetry event for index updates by @JohnMcPMS in #6175
• Make extension comparison case insensitive by @Trenly in #6182
• [Settings, ListCommand] Add sort types, settings infrastructure, and CLI arguments for output ordering by @Madhusudhan-MSFT in #6177
• Add setting for installer log file names by @Trenly in #5802
• Add JSON validation output and interop presentation model by @JohnMcPMS in #6183
• Add default installer precedence if not defined by user by @Trenly in #6123
• Standardize PR template with emoji sections and issue types by @denelon in #6207
• Add Copilot instructions for writing specifications by @denelon in #6205
• Fix policy bot bugs and expand label coverage by @denelon in #6202
• Report DSC execution diagnostics on a timer by @JohnMcPMS in #6196
• Store provisioning mitigation by @JohnMcPMS in #6194
• Add execution level to telemetry summary and logs by @JohnMcPMS in #6195
• Implement sort logic for winget list output
  by @Madhusudhan-MSFT in #6191
• VS Code WinGet log viewer tool by @JohnMcPMS in #6149
• Bump fast-uri from 3.1.0 to 3.1.2 in /tools/WinGetLogViewer by @dependabot[bot] in #6223
• Update configure export --all for recent DSC changes by @JohnMcPMS in #6222
• Mitigate stack overflow issue by @JohnMcPMS in #6224
• Reset default sources without dropping them by @Trenly in #6187
• Enable transitive pinning for central package management by @florelis in #6225
• Configuration processor auditing improvements by @JohnMcPMS in #6193
• Update rest source and wingetutil interop to include 1.28 manifest by @yao-msft in #6234
• Move pre-check errors to post-check by @JohnMcPMS in #6236
• In-proc certificate pinning validation override by @JohnMcPMS in #6233
• Change symlink verification to avoid redirection guard policy by @JohnMcPMS in #6239
• Bump uuid and @azure/msal-node in /tools/WinGetLogViewer by @dependabot[bot] in #6241
• Bump qs from 6.15.1 to 6.15.2 in /tools/WinGetLogViewer by @dependabot[bot] in #6246
• Ensure portable command alias does not escape directory by @florelis in #6251
• Make sfs-client a vcpkg port by @florelis in #6243
• Bump tmp from 0.2.5 to 0.2.7 in /tools/WinGetLogViewer by @dependabot[bot] in #6252
• Honor DSCv3 package installMode for silent and interactive by @Trenly in #6249
• Fix triage label getting removed by @Trenly in #6254
• lowercase ARM64 for vcpkg by @JohnMcPMS in #6256
• Apply latest loc patch by @florelis in #6262

New Contributors

• @DandelionSprout made their first contribution in #5845
• @Kissaki made their first contribution in #5824
• @wmmc88 made their first contribution in #6071
• @GrantMeStrength made their first contribution in #6110
• @AMDphreak made their first contribution in #6096
• @mamoreau-devolutions made their first contribution in #6172

Full Changelog: v1.28.240...v1.29.250

[1.8.0] - 2026-06-04

Added

• agent-framework-core: Add MCP-based skills discovery (McpSkillsSource) (#6169)
• agent-framework-core: Progressive tool exposure via FunctionInvocationContext (#6233)
• agent-framework-core: Add background agent support to harness agent (#6155)
• agent-framework-core: Add AgentFileStore and FileAccessProvider for file access operations (#6099)
• agent-framework-core: Coalesce code interpreter history chunks (#5801)
• agent-framework-core: Run sync tools off the event loop (#5773)
• agent-framework-bedrock: Implement native structured output support via Converse API (#6052)
• agent-framework-foundry: Add Foundry Adaptive Evals integration for rubric-generation (#6101)
• agent-framework-foundry: Add timeout parameter to FoundryAgent to fix ConnectTimeout on multi-turn conversations (#6263)
• agent-framework-mistral: Add Mistral AI embedding client package (#5480)
• agent-framework-a2a: Expose supported_protocol_bindings as configurable parameter (#6098)
• agent-framework-a2a: Set message_id on AgentResponseUpdate for message-bearing paths (#6163)
• agent-framework-foundry-hosting: Persist hosted MCP call/results as canonical mcp_call output (#6070)

Changed

• agent-framework-github-copilot: [BREAKING] Upgrade github-copilot-sdk to v1.0.0 (stable) (#6292)
• agent-framework-core: [BREAKING — experimental] Refactor Skill API to async resource and script lookup (#6135)
• agent-framework-github-copilot: Promote to release candidate (1.0.0rc1)
• agent-framework-declarative: Promote to release candidate (1.0.0rc1) (#6256)

Fixed

• agent-framework-core: Fix compaction message-id collisions and tool-loop summary persistence (#6299)
• agent-framework-core: Fix observability unsafe serialization of function-call arguments containing dataclass/framework objects (#6026)
• agent-framework-core: Consolidate MCP reliability fixes (#6145)
• agent-framework-core: Backfill chat span request model if unknown and response model is available (#6160)
• agent-framework-anthropic: Skip orphan anthropic thinking signatures (#5784)
• agent-framework-foundry: Fix FoundryAgent stripping model from PromptAgent requests (#5526)
• agent-framework-foundry-hosting: Fix toolbox consent flow in hosted agent (#6249)
• agent-framework-foundry-hosting: Drop hosted MCP calls when reasoning is stripped (#6210)
• agent-framework-openai: Fix OTLP HTTP base-endpoint losing /v1/{signal} auto-append (#5913)
• agent-framework-openai: Drop hosted MCP calls when reasoning is stripped (#6210)
• agent-framework-orchestrations: Fix spurious Magentic custom manager warning (#6261)
• agent-framework-azurefunctions: Fix integration test worker crashes on Py3.13 (#4260)

Valve now says that the delayed Steam Machine PC and Steam Frame VR headset are set to launch sometime this summer. In a Thursday blog post detailing its Verified programs for both pieces of hardware, Valve concludes by saying that "We're excited for players to try your titles on the new Steam hardware once they launch this summer."

When the company originally announced the Machine and Frame alongside its new Steam Controller late last year, it said that it would start shipping the new gadgets in early 2026. But in February, the company announced that the ongoing memory and storage crunch had forced it to revisit its pricing and shipping pl …

Read the full story at The Verge.

When the Microsoft AI Red Team published the Taxonomy of Failure Modes in Agentic AI Systems in April 2025, the goal was a shared vocabulary for a threat landscape that did not fit existing frameworks. The v1.0 taxonomy was largely forward-looking, built on practitioner interviews, cross-company threat modeling, and our own early operational experience. It identified novel failure modes unique to agentic systems (agent compromise, injection, impersonation, flow manipulation) alongside existing failure modes materially amplified in agentic contexts (memory poisoning, cross-domain prompt injection, human-in-the-loop bypass). 

Twelve months later, the evidence base has shifted enough to warrant a v2.0. The update adds seven new failure mode categories, expands the mitigations section, and grounds the framework in 12 months of red team engagements against deployed agentic systems.

Why the Taxonomy Needed Updating

Four developments drove the revision. 

Open-source agentic frameworks went mainstream faster than the security community was ready for. OpenClaw, launched in January 2026, accumulated over 336,000 GitHub stars and spawned more than 2,100 agents within 48 hours of release. A security audit conducted shortly after launch identified 512 vulnerabilities including CVE-2026-25253, a one-click RCE via WebSocket hijacking. Over 1,800 exposed instances were leaking API keys and credentials within the first week, and 336 malicious plugins were found in the skills marketplace, including credential stealers masquerading as trading bots. 

The MCP ecosystem matured — and accumulated vulnerabilities at scale. The Model Context Protocol became the de facto standard for connecting models to external tools. In 2025, 99 CVEs were published for MCP-related software, and tool poisoning moved from theoretical risk to live attack surface. 

Computer-use agents moved from research to production. Agents that observe and interact with graphical interfaces introduce attack surfaces with no analogue in earlier AI security work, and expose previously human-targeted attack patterns to LLMs. The original taxonomy lacked dedicated coverage for this capability class; operational experience made clear it requires its own category. 

Twelve months of red team operations provided empirical grounding. The v1.0 taxonomy was forward-looking. The v2.0 update is grounded in patterns observed across real engagements with findings that confirmed some predictions, falsified others, and surfaced failure modes that were not anticipated. 

Seven new failure modes

1. Agentic Supply Chain Compromise. Agentic systems consume plugin registries, MCP servers, prompt templates, and third-party tool integrations, each a new supply chain ingestion point. Unlike traditional supply chain compromise, which delivers malicious code, a compromised agentic supply chain component injects natural-language instructions that alter agent behavior without touching any binary. This is a novel failure mode: the attack surface did not exist before agents began consuming natural-language tool definitions from third-party registries. 

2. Goal Hijacking. The original taxonomy covered agent compromise but did not sufficiently distinguish the mechanism of compromise from the strategic objective of redirecting the agent’s goal state. Goal hijacking captures a specific pattern, when adversarial instructions that appear aligned with legitimate task completion silently redirecting the agent’s terminal goal, without fully compromising the underlying agent. 

3. Inter-Agent Trust Escalation. Multi-agent architectures involve delegation chains where orchestrators pass tasks to other agents. This entry addresses privilege escalation that becomes possible when a compromised agent asserts false identity or inflates claimed permissions to an orchestrator that does not independently verify them. The pattern mirrors confused deputy problems in traditional software, but the confusion is induced through natural language rather than system calls. 

4. Computer Use Agent (CUA) Visual Attack. Agents operating through graphical interfaces can be manipulated through visual content that appears innocuous to humans but carries adversarial instructions for the agent. Attack patterns include hidden text rendered at non-human-readable scale, UI elements positioned outside the visible viewport, and images embedding prompt injection in content the agent is instructed to interpret. This failure mode has no meaningful precedent in v1.0. 

5. Session Context Contamination. Agentic sessions often span extended, multi-step interactions with context accumulating from prior steps. Session context contamination occurs when an adversary introduces data early in a session that biases the agent’s reasoning in subsequent steps, without triggering safety controls at any individual step. 

6. MCP / Plugin Abuse. The original taxonomy’s coverage of function compromise predated standardization around MCP and plugin protocols. This entry captures attack surfaces specific to those protocols: tool description poisoning, server-side instruction injection, cross-server instruction override (a malicious server overriding behavior of trusted servers), and abuse of protocol-level trust assumptions. 

7. Capability / Architecture Disclosure. This failure mode occurs when an agent reveals internal implementation details such as tool names and schemas, system-prompt structure, memory interfaces, or consent/HitL trigger logic, either on direct request or via paths such as XPIA. In single-turn chat, prompt leakage is mostly reputational. In agentic systems, it exposes operational primitives and turns black-box probing into a white-box exploit path. 

Operational findings: What red teaming showed

Twelve months of engagements against deployed agentic systems produced several consistent patterns. 

HitL bypass was the most consistently exploited failure mode, at very high frequency. Red teamers achieved bypass through consent fatigue, manipulation of probabilistic invocation, and incremental escalation chains where no individual step clearly warranted review but the compound outcome did. Most significantly, several engagements demonstrated zero-click end-to-end chains starting from an external input with no human interaction beyond the initial agent invocation, achieving high-impact outcomes such as exfiltration or lateral movement. 

XPIA and memory poisoning were observed at high frequency and frequently combined. Cross-domain prompt injection delivered via external content remained the most reliable initial access vector. Memory poisoning via XPIA, where injected instructions seed the agent’s persistent memory for later retrieval, requires only a single successful injection, which the agent then propagates across subsequent sessions. 

Session context contamination and incremental escalation were highly effective and difficult to detect. Neither the contaminating input nor any individual escalation step is clearly anomalous in isolation. Detection requires behavioral analysis across the full session, something most systems did not have. 

Capability disclosure was a key enabler of follow-on attack paths. In many of our highest-impact attack chains, execution was predicated on extracting specific architecture or capability details from the system. This often required only asking the system directly, but it consistently exposed inconsistencies in guardrails and opened attack paths that would otherwise have required external reconnaissance. 

New mitigations

Supply chain security for agentic components. Treat every external component an agent can consume as part of the software supply chain. SBOM generation for agent deployments inclusive of tool dependencies; signature and provenance verification for MCP servers and plugins before installation; registry scanning for hidden instructions in tool descriptions; version pinning with change monitoring for all external tool definitions. 

Zero-trust inter-agent architecture. For high-risk scenarios, agent identity should be cryptographically established, not assumed from position in a workflow. Every inter-agent message should carry a verifiable identity claim. Orchestrators should not grant elevated permissions to sub-agents based on self-asserted role. 

Consent architecture hardening. HitL controls must resist the specific patterns observed in red team operations: compound action decomposition before approval presentation, semantic summarization of agent-constructed descriptions to prevent description laundering, tiered approval requirements that scale with action reversibility and blast radius, deterministic HitL invocation, and anomaly detection on approval request frequency and pattern. 

Adversarial session hardening. Mitigating session context contamination requires treating the agent’s accumulated context as a security-relevant data structure. Controls include context provenance tracking, structured separation between trusted system context and untrusted retrieved content, session integrity monitoring for anomalous accumulation patterns, and bounded session contexts that limit how much external content can influence a session’s reasoning. 

What to do this quarter

If you operate or defend an agentic system, the v2.0 additions translate to four concrete actions: 

• Inventory your supply chain. Generate an SBOM for every deployed agent that includes plugins, MCP servers, prompt templates, and tool descriptions alongside code dependencies. Pin versions; treat natural-language tool descriptions as code. 

• Verify agent identity cryptographically, not positionally. Issue attestable credentials at provisioning. Reject self-asserted role claims at orchestrator handoffs. 

• Add the seven new categories to your red-team coverage matrix. Treat CUA visual attacks, session context contamination, capability disclosure, and goal hijacking as mandatory test classes for any agent that touches production data or external surfaces. 

• Audit human-in-the-loop UX as a security control. Decompose compound actions, summarize approval prompts from the underlying tool calls (not from the agent’s own description), tier approvals by reversibility, and monitor approval frequency for consent-fatigue exploitation signals. 

If you are building agentic systems, the updated taxonomy is a threat modeling tool, not a compliance checklist. Take each failure mode category and ask whether it can occur in your system, under what conditions, and whether you have a control that would detect or prevent it. 

For red teamers: the seven new categories should be mandatory coverage areas. Zero-click HitL bypass chains, inter-agent trust escalation, and session context contamination will not be surfaced by model-level evaluation alone. They require system-level testing and multi-step attack chains evaluated across complete task flows. 

For security engineers: supply chain and zero-trust mitigations are architectural decisions, and difficult to retrofit. Building SBOM generation, tool provenance verification, and inter-agent authentication into your architecture from the start costs substantially less than adding them after deployment. 

The taxonomy is a living document. The failure modes added in v2.0 are the ones that twelve months of operational data made compelling enough to include. As agentic systems acquire new capabilities — persistent cross-session memory at scale, autonomous agent spawning, physical environment interaction — the failure mode surface will continue to expand. We will continue to update the taxonomy as the evidence base develops. 

The updated whitepaper is available now. We welcome engagement from practitioners whose operational experience identifies failure modes or attack patterns not yet reflected in the taxonomy. 

The post Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us  appeared first on Microsoft Security Blog.