Context Corruption: Why Your AI Agent Forgets What You Told It
TL;DR
Context corruption is the gradual decay of LLM performance as context grows. At 10,000 tokens, the model tracks 100 million token relationships. At 100,000 tokens, it’s 10 billion. The result: hallucinations, forgotten instructions, and inconsistent behavior. The good news: Context Engineering makes this manageable.
The Problem: More Context, Less Intelligence
You know the scenario: A complex coding session with Claude. The first hours run perfectly. Then errors creep in. The model “forgets” architectural decisions. Hallucinates APIs. Reverts to patterns you corrected hours ago.
This isn’t a bug. It’s context rot - an architectural reality of modern LLMs.
The Math Behind It
Transformer architectures create pairwise relationships between all tokens. Complexity grows quadratically:
| Tokens | Relationships to Track |
|---|---|
| 1,000 | 1 million |
| 10,000 | 100 million |
| 100,000 | 10 billion |
Every additional piece of information competes for the same limited attention. The model loses the ability to connect early instructions with later context.
The Three Faces of Context Corruption
1. Context Rot (Performance Degradation)
The most common case: Gradual quality decline over long sessions.
Symptoms:
- Forgotten system prompts
- Inconsistent code patterns
- Repetition of already-corrected errors
- Hallucinated functions and APIs
A study by Chroma found that even trivial tasks like “repeat this string” fail with filled context windows.
2. Context Contamination (Unintentional Corruption)
Information from completed tasks bleeds into new ones:
Practical example: A developer noticed that after several code updates with immediate deployment, Claude began automatically associating every code update with deployment - even experimental, incomplete code.
The model learned an association that was never explicitly taught.
3. Context Poisoning (Malicious Corruption)
The security angle: Injected instructions in external content.
Attack vectors:
- Hidden text in web pages (white text, micro fonts)
- Manipulated MCP tool descriptions
- Poisoned RAG knowledge bases
Real-world incident: The Perplexity Comet attack - attackers hid invisible text in Reddit posts that leaked user OTPs when the AI summarized the content.
Anthropic’s Research: 250 Documents Are Enough
A concerning finding from Anthropic’s collaboration with the UK AI Security Institute:
Just 250 malicious documents in pretraining are enough to install backdoors in LLMs from 600M to 13B parameters.
The assumption that larger models need proportionally more poisoned data is false. The security perimeter doesn’t end at the model - it encompasses everything that flows into context.
Mitigation: Context Engineering in Practice
1. Context Editing (Anthropic’s Approach)
Automatically remove stale tool calls and results:
// Pseudocode for context pruning
function pruneStaleContext(messages: Message[], tokenLimit: number) {
const staleToolCalls = messages.filter(
m => m.type === 'tool_result' && isStale(m, Date.now())
);
return messages.filter(m => !staleToolCalls.includes(m));
}
Result: 84% reduced token consumption in 100-turn evaluations.
2. External Memory
Important information belongs in persistent storage, not context:
# project-memory.md
## Architecture Decisions
- We use Zod for schema validation
- API responses are always camelCase
- Tests: Vitest, not Jest
## Current Bugs
- Auth token doesn't refresh (Issue #42)
Claude can read this file on demand instead of holding everything in context.
3. Just-in-Time Retrieval
Instead of loading everything upfront: Keep references, fetch on demand.
❌ Bad:
"Here's the complete content of all 50 files..."
✅ Good:
"The relevant files are:
- src/auth/token.ts (Token management)
- src/api/client.ts (API client)
Read them when you need them."
4. Explicit Session Resets
Long-running sessions accumulate context garbage. The /clear command in Claude Code exists for good reason.
Best practice: Communicate explicitly on task switches:
---
NEW TASK: Feature X
Previous context (bug fixing) is no longer relevant.
---
5. Multi-Agent Architecture
Specialized sub-agents with clean contexts. Only condensed results flow back.
# Lead agent receives:
"Sub-agent (Code Review) reports:
- 3 security issues found
- All in src/auth/*.ts
- Details in review-report.md"
# Not:
[50,000 tokens of review protocol]
The Cost of Context Mismanagement
| Problem | Impact |
|---|---|
| Overfilled context | Slower responses, higher API costs |
| Forgotten instructions | Inconsistent output, rework |
| Hallucinations | Bugs in production, debugging time |
| Security gaps | Prompt injection, data leaks |
OWASP 2025: Prompt injection is the #1 vulnerability in LLM applications - found in 73% of production deployments.
Practical Playbook
Before Long Sessions
- Create CLAUDE.md - Stable project info outside context
- Define memory files - What needs to persist?
- Clear exit criteria - When is a task done?
During the Session
- Mark task boundaries - Communicate explicit transitions
- Compact regularly - Remove old tool results
- Validate assumptions - “Do you still understand we use Zod?”
When Problems Arise
- Reset session -
/clearand restart - Externalize state - Document in files
- Debug, don’t fight - Fresh context is cheaper than frustration
The Mindset Shift
Old: Fill the context until it overflows. New: Treat context as a scarce resource.
Every unnecessary token actively degrades performance. The art lies not in adding, but in omitting.
Conclusion
Context corruption isn’t a question of if, but when. Transformer architectures have fundamental limits, and longer context windows only delay the problem.
The solution lies in context engineering:
- Externalize what needs to persist
- Prune what’s no longer relevant
- Structure what the agent needs
Treat context like RAM - valuable, limited, and reserved for what matters.
Further Reading
