For the last two years, AI security discussions have mostly been about stateless compromise . Can you jailbreak the model in one session? Can you inject hostile instructions into retrieved content? Can you get the assistant to reveal something, ignore a rule, or call the wrong tool right now? Those questions still matter. But they are starting to belong to an earlier phase of the problem. The more interesting risk now is persistence. Not whether an attacker can manipulate an agent once. Whether they can manipulate what the agent remembers , and make that manipulation survive into future decisions. That is the shift memory poisoning introduces. Prompt injection was stateless. Memory poisoning is persistence. And persistence changes the security model completely. Why this feels different from classic prompt injection Traditional prompt injection is dangerous, but it is often temporally bounded. A malicious instruction lands in a document, email, web page, support ticket, or retrieved chunk.…