An AI application has more moving parts than most engineers initially map: training data, the model itself, the system prompt, retrieved documents (RAG), tool/function definitions, the orchestration code, and the raw model output before it's rendered or acted on. Each one is a place an attacker can push on.
Poison the training data and you shape the model's behavior for every user, forever. Manipulate the prompt or retrieved context and you hijack a single session. Abuse a connected tool and you turn a chatbot into a foothold in your infrastructure. Attackers pick whichever stage is least defended — usually the one nobody thought to threat-model because it 'was just a chatbot.'