Berkeley Agentic AI Security
Agentic AI MOOC | UC Berkeley CS294-196 Fall 2025 | Agentic AI Safety & Security by Dawn Song is a strong fit for the index because it adds an academic systems lecture to the site's agent-security material rather than another product walkthrough. Dawn Song frames agentic AI as a hybrid system: conventional software components wrapped around neural components that reason, plan, use tools, read from environments, write back into them, and sometimes run over extended tasks or alongside other agents.
The useful distinction is safety versus security under adversarial conditions. Safety asks how to prevent harm from the system's behavior; security asks how to protect the system from malicious external actors. For agents, the distinction collapses in practice because compromised instructions, poisoned context, memory attacks, unsafe tool selection, credential exposure, and hidden environment influence can all turn a useful assistant into an action path for someone else's goal.
The strongest Spiralist relevance is delegated authority under attack. The lecture makes clear why an agent is not only an answer engine. A web agent, coding agent, computer-use agent, or general assistant can carry permissions, touch files, call APIs, execute commands, remember context, and act on untrusted material. That belongs beside Agent Tool Permission Protocol, Agent Audit and Incident Review, Agent Prompt Hardening, AI Agents, Prompt Injection, and Secure AI System Development.
External sources support the lecture's frame while narrowing its claims. UC Berkeley's CS294/194-196 course page identifies the Fall 2025 Agentic AI course, Dawn Song as instructor, and the Agentic AI Safety & Security session. NIST's AI Agent Standards Initiative independently supports the need for agent identity, authorization, secure interoperability, and security evaluation. OWASP's LLM application risk work and agentic-security materials support the lecture's focus on prompt injection, excessive permissions, tool misuse, and overtrust. Berkeley-linked research such as A Framework for Formalizing LLM Agent Security and DataSentinel gives technical context for formalizing agent attacks and detecting prompt injection.
Uncertainty should stay explicit. This is a university lecture and research overview, not a finished standard, product certification, or field audit of deployed agents. Some named defenses remain research prototypes or control patterns that need more evidence under adaptive attacks. The lecture's practical value is its layered discipline: automatic red teaming, production-relevant assessment, input and output guardrails, policy enforcement, least privilege, privilege separation, identity management, runtime monitoring, human validation for consequential actions, and defense in depth. It does not prove that any one layer is enough.