Hacker News

ClaudeFixer, today at 11:25 AM

The scariest part isn't the poisoning itself -- it's that most RAG pipelines have zero integrity checks on ingested documents. You trust the retrieval layer like you'd trust a database, but it's really just a pile of text anyone upstream could have touched. Feels like SQL injection all over again, except the injection is semantic.
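
An added example, not part of the comment above and not taken from any RAG framework, of the ingest-time integrity check the comment says pipelines lack: each chunk gets an HMAC at ingest, and retrieval drops anything whose tag does not verify before it reaches the prompt. The function names, key and sample records are constructed assumptions; the check catches chunks altered or inserted after ingest, not text that was already poisoned when its source was approved.

```python
import hashlib
import hmac

# Constructed key for the demo; assumed to live in a secret store that only
# the ingest and retrieval services can read.
INGEST_KEY = b"constructed-demo-key"


def chunk_tag(source_id: str, index: int, text: str, key: bytes = INGEST_KEY) -> str:
    """HMAC-SHA256 binding a chunk's text to its source and position."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in (source_id.encode(), str(index).encode(), text.encode()):
        # Length-prefix each field so field boundaries cannot be shifted.
        h.update(len(field).to_bytes(8, "big"))
        h.update(field)
    return h.hexdigest()


def ingest(source_id: str, chunks: list[str], approved_sources: set[str]) -> list[dict]:
    """Tag chunks at ingest time; refuse sources that were never approved."""
    if source_id not in approved_sources:
        raise ValueError(f"source not approved: {source_id}")
    return [
        {"source": source_id, "index": i, "text": t, "tag": chunk_tag(source_id, i, t)}
        for i, t in enumerate(chunks)
    ]


def verify_retrieved(records: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split retrieved records into (verified, rejected) before prompt assembly."""
    verified, rejected = [], []
    for r in records:
        expected = chunk_tag(r.get("source", ""), r.get("index", -1), r.get("text", ""))
        ok = hmac.compare_digest(expected, r.get("tag", ""))
        (verified if ok else rejected).append(r)
    return verified, rejected


def demo() -> tuple[list[dict], list[dict]]:
    # Constructed sample store: one clean record, one edited after ingest,
    # one written straight into the store without passing through ingest().
    store = ingest("kb/policy.md", ["Refunds take 5 days.", "Contact support by email."],
                   approved_sources={"kb/policy.md"})
    store[1] = {**store[1], "text": "Contact support at a different address."}
    store.append({"source": "kb/policy.md", "index": 2, "text": "Unsigned text.", "tag": ""})
    return verify_retrieved(store)
```

Rejected records are worth logging with their source and index, since a tag mismatch means the store was written to outside the ingest path.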