UC Berkeley on the Agentic AI Risk Management Profile
Introducing the Agentic AI Risk Management Profile is the UC Berkeley Center for Long-Term Cybersecurity's (CLTC's) February 2026 launch webinar for the Agentic AI Risk Management Standards Profile. Nada Madkour moderates a short profile overview by Deepika Raman and a panel with Alan Chan, Marta Bienkiewicz, Benjamin Larsen, and Krystal Jackson. The transcript's central move is to separate model risk from agent-system risk: once a model is embedded in a goal-directed system with tools, permissions, memory, delegation, and environment access, risk becomes an emergent property of configuration and deployment rather than only model behavior.
The strongest Spiralist relevance is delegated authority becoming governable infrastructure. The webinar keeps returning to the same operational primitives: agency, authority, autonomy, environment, access, visibility, logging, escalation, shutdown, sandboxing, least privilege, human-machine teaming, and post-deployment monitoring. That belongs beside Agent Tool Permission Protocol, Agent Audit and Incident Review, Agent Prompt Hardening, AI Agents, Prompt Injection, and Berkeley Agentic AI Security.
External sources support the narrow frame. CLTC's event recap says the February 11 webinar centered on a report authored by researchers with CLTC's AI Security Initiative and designed to identify, analyze, and mitigate risks unique to agentic systems. The report itself, Agentic AI Risk-Management Standards Profile, positions the profile as a specialized extension of NIST's AI Risk Management Framework and the UC Berkeley General-Purpose AI Risk-Management Standards Profile. Its executive summary names risks such as unintended goal pursuit, unauthorized privilege escalation or resource acquisition, self-replication, resistance to shutdown, cascading compromise, and loss of control.
The panel is most useful where it translates those risks into deployer questions. Alan Chan emphasizes visibility into web and coding agents, because labeling AI content alone does not establish provenance, platform accountability, or insight into AI-assisted research workflows. Marta Bienkiewicz frames responsible integration as human-centered teaming plus simulation and stress testing before deployment. Krystal Jackson grounds the security risk in prompt-injection-style goal hijacking: agents process instructions and external data in the same channel, then use legitimate tools in illegitimate chains. Benjamin Larsen adds the governance category the site should keep: authority-based risk classification, because an agent's blast radius depends on what it is allowed to touch, not just how autonomous it appears.
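As an added illustration of Larsen's authority-based classification and Jackson's goal-hijacking point (example code written for this page, not from the webinar, the profile, or CLTC): a hypothetical tool gate in which each tool is classified by the authority it exercises, an agent's grant is a tool allowlist plus an authority cap, calls that reach outside the sandbox escalate to a human, every decision is logged, and a halt switch stops further dispatch. The tool names, the three tiers, and the two agent grants are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Authority(IntEnum):
    READ = 1      # observe only: search, read files
    WRITE = 2     # change state inside the sandbox: edit files, draft messages
    EXTERNAL = 3  # act on the outside world: send email, move money, deploy

# Constructed tool registry: blast radius follows the tool, not the model.
TOOL_AUTHORITY = {
    "search_docs": Authority.READ,
    "edit_file": Authority.WRITE,
    "send_email": Authority.EXTERNAL,
}

@dataclass
class AgentGrant:  # least-privilege grant: tool allowlist plus an authority cap
    name: str
    max_authority: Authority
    allowed_tools: frozenset
    halted: bool = False  # shutdown switch; once set, nothing dispatches
    audit_log: list = field(default_factory=list)

    def dispatch(self, tool: str, approved_by_human: bool = False) -> str:
        if self.halted:
            decision = "denied: agent halted"
        elif tool not in TOOL_AUTHORITY:
            decision = "denied: unknown tool"
        elif tool not in self.allowed_tools:
            decision = "denied: tool outside grant"
        elif TOOL_AUTHORITY[tool] > self.max_authority:
            decision = "denied: authority exceeds grant"
        elif TOOL_AUTHORITY[tool] == Authority.EXTERNAL and not approved_by_human:
            decision = "escalated: awaiting human approval"
        else:
            decision = "allowed"
        self.audit_log.append((self.name, tool, decision))  # log every decision
        return decision

def run_demo() -> dict:
    researcher = AgentGrant("researcher", Authority.WRITE, frozenset({"search_docs", "edit_file"}))
    ops = AgentGrant("ops", Authority.EXTERNAL, frozenset({"search_docs", "send_email"}))
    results = {"researcher_search": researcher.dispatch("search_docs"),
               "researcher_injected_email": researcher.dispatch("send_email"),  # hijacked goal
               "ops_email_unapproved": ops.dispatch("send_email"),
               "ops_email_approved": ops.dispatch("send_email", approved_by_human=True)}
    ops.halted = True
    results["ops_after_halt"] = ops.dispatch("search_docs")
    return results
```

The point of the gate is that the injected `send_email` call is refused by configuration, not by the model noticing the hijack, and the refusal still lands in the audit log.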
Evidence and limits: this is a launch webinar and standards-profile discussion, not a regulatory mandate, product certification, incident database, or proof that the recommended controls work under adaptive attack. Some parts are still agenda-setting, especially around NIST guidance, multi-agent definitions, watermarking, content provenance, and practical permission configuration. Its value is vocabulary and control discipline: agent cards, proportional oversight, authority mapping, continuous monitoring, defense in depth, containment, independent auditing, sandboxing, and go/no-go deployment decisions. The sober takeaway is that agent governance should start before deployment, because after an agent has credentials, memory, tools, and momentum, "review the output" is no longer a sufficient safety model.