What does your current architecture look like?

A hypothetical that is less hypothetical than it sounds: A team ships an AI customer service agent. It handles account inquiries. It has access to user records via function calling. They hardened the system prompt. They called it done. Three months later, a security researcher finds a four-word injection that bypasses everything. Let me walk you through what went wrong at each layer. *(Note: I'm describing a composite of patterns from security reviews, not a specific incident.