Prompt Injection Was Stateless. Memory Poisoning Is Persistence

Dev.to AI

For the last two years, AI security discussions have mostly been about stateless compromise. Can you jailbreak the model in one session? Can you inject hostile instructions into retrieved content? Can you get the assistant to reveal something, ignore a rule, or call the wrong tool right now? Those questions still matter. But they are starting to belong to an earlier phase of the problem. The interesting risk now is persistence. Not whether an attacker can manipulate an agent once. Whether they can manipulate what the agent remembers, and make that manipulation survive into future decisions.