Most security controls on LLM applications are designed to inspect what the user sends. Rate limiting, content moderation, input validation — all guard the front door. LLM08 doesn’t come through the front door.
The attack arrives as a normal-looking document in your knowledge base — possibly days or weeks before any user submits a query. By the time the AI gives a poisoned answer, the attacker may be long gone. The “malicious input” was never visible to any content filter.