Just reviewed an audit report for a LangGraph-based agent system. The finding was a major non-conformity: sensitive operational data (API keys, internal service URLs, raw customer data fragments) was being written to the agent's persistent state in plaintext. LangGraph's checkpointers (the built-in `SqliteSaver` and its siblings) serialize the full graph state at every checkpoint and write it to the backing store as-is. If the state object isn't scrubbed before it reaches the checkpointer, every channel value, including intermediate tool results and the whole message history, lands in the DB in the clear.
This is a direct violation of multiple controls in both SOC 2 (CC6.1, CC6.7) and ISO 27001 (A.8.2.3, A.9.4.1 in the 2013 Annex A numbering). Auditors are now specifically asking about data handling within agentic workflows. Common gaps they flag:
* **Lack of state data classification:** No process to identify what data elements within the agent's runtime state are considered sensitive.
* **No encryption at rest for the state store:** The SQLite file or database tables holding the state are often not encrypted, relying on filesystem controls alone.
* **Absence of data minimization in state persistence:** The entire conversation history and intermediate results are stored, not just the minimal needed for the agent's next step.
* **Insufficient network segmentation for the state persistence backend:** The database or file share used by the agent runtime is often on the same flat network as the application frontends, violating micro-segmentation principles.
From a network-security perspective, this is a containment failure. The agent runtime should be treated as its own trust zone, and its traffic, including state persistence calls, must be micro-segmented. The state persistence backend (e.g., the database) belongs in a separate VLAN, reachable only from the agent runtime nodes under strict firewall rules, and over a WireGuard tunnel where the runtime and the store sit on different sides of a network boundary. None of that replaces encrypting the data itself: sensitive fields must be encrypted or removed before the state leaves the runtime's memory space, so that transport and storage encryption are not the only controls standing between the DB file and the secrets.
Mitigations you need to document:
* Implement a pre-serialization hook to sanitize the state object, stripping or encrypting sensitive fields.
* Ensure the persistence layer uses encryption at rest (e.g., SQLite with the SQLite Encryption Extension (SEE), or an encrypted database backend).
* Scope the agent runtime infrastructure as a distinct asset in your ISMS. Map all data flows in and out of it.
* Enforce network policies that segment the agent runtime, its state store, and any external tools it calls into separate zones.
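The first mitigation, the pre-serialization hook, is the one with real engineering content, so here is an added, self-contained example of what it looks like (this is my own illustration, not code from LangGraph or from the audited system). It assumes a serializer with the `dumps_typed`/`loads_typed` shape of LangGraph's serializer protocol, which the checkpointers accept via their `serde` argument; everything else (the field names in `SENSITIVE_KEYS` and `DROP_KEYS`, the sample state, the in-memory vault standing in for a KMS-backed secret store) is constructed for the example. Sensitive fields are replaced with opaque vault references before serialization, fields the agent does not need after the current step are dropped outright (data minimization), and a grep-style check confirms nothing secret-shaped survives in the serialized bytes:

```python
import json
import re
import secrets
from typing import Any

# Data classification for the state schema. These key names are constructed for
# the example; map them onto your own TypedDict / channel names.
SENSITIVE_KEYS = {"api_key", "authorization", "token", "customer_ssn", "internal_url"}

# Value patterns that catch secrets leaking through *unclassified* fields,
# e.g. a tool result or a note that echoes a bearer token or an internal host.
SENSITIVE_VALUE_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),            # OpenAI-style API keys
    re.compile(r"\bBearer\s+[A-Za-z0-9._-]{16,}\b"),    # bearer tokens
    re.compile(r"https?://[a-z0-9.-]+\.internal\b"),   # internal service URLs
]

# Data minimization: keys that are never needed for the agent's next step.
DROP_KEYS = {"raw_tool_output"}

VAULT_PREFIX = "vault://"


class InMemoryVault:
    """Stand-in for a real secret store (e.g. KMS-backed). Values kept here never
    enter the checkpoint DB; only an unguessable reference does."""

    def __init__(self) -> None:
        self._store: dict[str, Any] = {}

    def put(self, value: Any) -> str:
        ref = VAULT_PREFIX + secrets.token_hex(16)
        self._store[ref] = value
        return ref

    def get(self, ref: str) -> Any:
        return self._store[ref]


def scrub(obj: Any, vault: InMemoryVault) -> Any:
    """Recursively replace classified or secret-looking values with vault
    references and drop fields the agent does not need after this step."""
    if isinstance(obj, dict):
        out: dict[str, Any] = {}
        for k, v in obj.items():
            if k in DROP_KEYS:
                continue
            out[k] = vault.put(v) if k in SENSITIVE_KEYS else scrub(v, vault)
        return out
    if isinstance(obj, list):
        return [scrub(v, vault) for v in obj]
    if isinstance(obj, str) and any(p.search(obj) for p in SENSITIVE_VALUE_PATTERNS):
        return vault.put(obj)
    return obj


def restore(obj: Any, vault: InMemoryVault) -> Any:
    """Inverse of scrub: resolve vault references when a checkpoint is loaded."""
    if isinstance(obj, dict):
        return {k: restore(v, vault) for k, v in obj.items()}
    if isinstance(obj, list):
        return [restore(v, vault) for v in obj]
    if isinstance(obj, str) and obj.startswith(VAULT_PREFIX):
        return vault.get(obj)
    return obj


class SanitizingSerializer:
    """Serializer with the dumps_typed/loads_typed shape of LangGraph's serializer
    protocol (assumed here, not imported), so it can be passed as `serde=` to a
    checkpointer. The scrubbing runs *before* anything is serialized."""

    def __init__(self, vault: InMemoryVault) -> None:
        self.vault = vault

    def dumps_typed(self, obj: Any) -> tuple[str, bytes]:
        return "json", json.dumps(scrub(obj, self.vault)).encode()

    def loads_typed(self, data: tuple[str, bytes]) -> Any:
        type_, payload = data
        if type_ != "json":
            raise ValueError(f"unsupported checkpoint payload type: {type_}")
        return restore(json.loads(payload), self.vault)


def contains_plaintext_secret(payload: bytes) -> bool:
    """The auditor's check: does the serialized checkpoint contain anything
    secret-shaped? Run this against the bytes that actually hit the DB."""
    return any(p.search(payload.decode()) for p in SENSITIVE_VALUE_PATTERNS)


# Constructed sample state resembling what the audit found in the checkpoint DB.
SAMPLE_STATE = {
    "messages": [{"role": "user", "content": "What is my current balance?"}],
    "api_key": "sk-0123456789abcdef0123456789",
    "tool_context": {
        "internal_url": "https://billing.internal/v1",
        "raw_tool_output": "<400 KB of raw ledger rows>",
    },
    "notes": "Called https://billing.internal/v1 with Bearer ABCDEFGHIJKLMNOPQRSTUV",
}


def checkpoint_roundtrip(state: dict) -> tuple[dict, dict, bool]:
    """Serialize through the hook, then load back. Returns (what the DB would
    store, what the agent gets back, whether the stored bytes leak a secret)."""
    serde = SanitizingSerializer(InMemoryVault())
    type_, payload = serde.dumps_typed(state)
    return json.loads(payload), serde.loads_typed((type_, payload)), contains_plaintext_secret(payload)
```

Wiring it in is a one-liner once the serializer exists (`SqliteSaver(conn, serde=SanitizingSerializer(vault))`, assuming the checkpointer's `serde` keyword), and `contains_plaintext_secret` over a `SELECT` of the checkpoint blobs is the evidence you hand the auditor. Note that the vault reference, not the secret, is what crosses the network to the state store, which is what makes the segmentation controls above a second layer rather than the only one.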
RF