Clear the session, clear the threat. That assumption just failed. LangChain CVE-2025-68664 demonstrated how malicious instructions in LLM response fields persist through serialization cycles. One prompt injection in cached data becomes durable compromise. The instruction doesn't disappear when the session ends. It replays into every future context window. Anthropic detected a Chinese state campaign where AI executed 80-90% of operations. Not because the model was compromised. Because memory poisoning turned one successful injection into persistent instruction across sessions, users, and deployments. Security reviews focus on input validation per request. Session-level controls. Clear the context, move on. Incident response asks: "When did the breach start?" The answer is "unknown, could be any conversation that touched this agent's persistent state." Forensic timeline reconstruction fails because the attack vector is distributed across historical context. The security team sees prompt injection. The incident sees a supply chain problem in conversational memory. #AI