Poisoned retrieval makes the AI say what the attacker wants — false project status, incorrect guidance, manipulated summaries delivered to decision-makers.

Vectors holding sensitive documents can be queried to surface private content across user boundaries, or the vectors themselves decoded to reconstruct source text.

In multi-user or multi-org deployments, embeddings from one group bleed into responses for another — leaking confidential business data across organizational boundaries.

Once a poisoned embedding is in the store, it continues influencing responses even after the source document is deleted — until the knowledge base is fully reindexed.