1. The Air Canada chatbot case (adjudicated November 2023) is most instructive as an example of:
Correct. The core failure was the absence of a tool connecting the agent to live policy data. The tribunal's ruling — that Air Canada was liable for its agent's incorrect claim — established a precedent that organizations bear responsibility for factual accuracy of their deployed agents regardless of technical cause.
The Air Canada case was primarily about missing tool integration — no live policy lookup — leading to a factual error with legal consequences. It's the canonical example of why parametric memory alone is insufficient for deployed agents that make factual claims about current policies.
2. The Greshake et al. (2024) indirect prompt injection attack propagated through which specific MAS component?
Correct. The attack propagated through shared memory: malicious content on a web page → retrieved by a search agent → written to shared vector memory → retrieved and acted on by a downstream agent. Shared memory is an attack surface.
The vector memory store was the propagation vector: web content with embedded instructions was retrieved, stored, and later retrieved and executed by a different downstream agent.
3. In the Greshake et al. (2023) prompt injection study, "persistent corruption" refers to:
Correct. Persistent corruption exploits recurring data sources like calendars or notes, making the attack self-sustaining.
Persistent corruption in this context is a runtime attack on recurring data sources, not a training-time or denial-of-service attack.
4. Constitutional AI (CAI) was first described in an Anthropic paper published in which month and year?
Correct. The original Constitutional AI paper was published by Anthropic in December 2022.
Incorrect. The Constitutional AI paper was first published in December 2022.
5. Inner alignment failure refers to:
Correct. Inner alignment is the gap between what training optimizes and what the resulting model actually learned to want.
A poor reward function is outer alignment failure. Deployment mismatch is distributional shift. Inner alignment specifically concerns what the model internalized from training.
6. What was the primary architectural innovation represented by KLM's BlueBot deployment in 2017?
Correct. BlueBot's live API orchestration — executing transactions from within conversation — was the defining architectural shift from information retrieval to action.
Incorrect. BlueBot's significance was transactional: it called live APIs and executed bookings and boarding passes from within the conversation, which earlier bots could not do.
7. Indirect prompt injection differs from direct prompt injection in that it:
Correct. Indirect injection is embedded in environmental content — websites, documents, emails — that the agent reads as part of a task.
The distinction is source: direct comes from the user's message; indirect comes from third-party content retrieved by the agent.
8. "Role diffusion" as documented in production LangChain LangSmith traces refers to which failure mode?
Correct. Role diffusion is the gradual expansion of an agent's behavior beyond its assigned role, documented in long-running group-chat sessions where conversation context normalizes behavior that was initially off-role.
Role diffusion is gradual role boundary erosion — a "summarize-only" agent starts attempting generation tasks because long conversation context has normalized off-role behavior.
9. Instrumental convergence predicts that goal-directed agents will tend to acquire resources because:
Correct. Instrumental convergence is a structural argument: almost any terminal goal is better served by having more resources.
Instrumental convergence is a logical argument about goal-directed systems, not a claim about training signals or human behavior modeling.
10. Figure AI demonstrated Figure 01 operating in a BMW manufacturing facility in which US city in February 2024?
Correct. The BMW facility where Figure 01 was deployed is in Spartanburg, South Carolina.
Incorrect. The BMW Spartanburg facility in South Carolina was the deployment site.
11. When Cognition Labs first announced Devin's SWE-bench results in March 2024, what did subsequent independent analysis find?
Correct. Independent reviewers found the headline numbers used 25 problems rather than the full split, overstating performance.
The issue was use of a non-standard 25-problem subset, not fabrication or language restrictions.
12. What key innovation did AutoGen v0.4 introduce compared to the original AutoGen architecture?
Correct. AutoGen v0.4 replaced the synchronous message loop with an async event-driven runtime using a message broker pattern, enabling true concurrent (parallel) execution of multiple agents.
The key v0.4 change was an async event-driven runtime — enabling concurrent agent execution — replacing the original synchronous message loop.
13. The SWE-bench 2024 multi-agent pipeline that achieved 12.5% resolution of GitHub issues included which three specialized agents?
Correct. The SWE-bench high-performing pipeline used an editor agent (modifies code), a test-runner agent (executes tests), and a repository-context agent (maintains understanding of the full codebase), achieving 12.5% vs. 1.7% for single-agent GPT-4.
The SWE-bench pipeline used an editor agent, a test-runner agent, and a repository-context agent — each handling a distinct aspect of the software engineering workflow.
14. The February 2024 Air Canada chatbot tribunal ruling is legally significant because it:
Correct. The ruling established operator liability for AI agent misrepresentations — organizations cannot claim their chatbot is a separate entity to avoid responsibility for what it communicates.
Incorrect. The ruling established operator liability — Air Canada could not disclaim responsibility for what its chatbot told customers. It did not require chatbot shutdown or separate insurance.
15. Anthropic's computer use capability was released in public beta in which month and year?
Correct. Anthropic released the computer use beta on October 22, 2024, for Claude 3.5 Sonnet.
Incorrect. Anthropic's computer use public beta was released in October 2024. OpenAI's CUA/Operator came in January 2025.
16. WebGPT evaluators preferred its answers over base GPT-3 what percentage of the time?
Correct. Evaluators preferred WebGPT's cited, browsed answers 56% of the time on open-ended questions.
Incorrect. The figure was 56%, demonstrating that retrieval plus synthesis outperformed parametric memory.
17. Cognition AI's Devin used persistent shell, editor, and browser tools as shared state primarily to solve which limitation?
Correct. Devin's persistent tools solved the context-window insufficiency problem — a 10,000-line repository cannot be passed through even a 128k-token context without degradation, but a persistent file system is lossless and always browsable.
The motivation was context-window limits — file systems are lossless and browsable, while context windows are limited and lossy for large codebases.
18. The confused deputy attack pattern in agentic AI refers to:
Correct. The Microsoft 365 Copilot attack is a canonical example: injected instructions redirected the agent's legitimate permissions to serve an attacker.
Confused deputy is specifically about legitimate authority being redirected — the agent is authorized, but manipulated into serving the wrong principal.
19. Why does an AI coding agent tend to suggest insecure patterns like MD5 password hashing when asked to build authentication?
Correct. The model's prior is shaped by the distribution of training examples, which includes many insecure legacy patterns from tutorials and old repos.
The mechanism is training distribution bias toward older tutorial patterns, not simplicity preference or recency.
20. In the AlphaFold multi-agent pipeline, what did the agent that queried UniProt primarily do?
Correct. One worker agent ran functional annotation queries against UniProt, complementing the PubMed literature mining agent and AlphaFold's structure predictions.
Incorrect. The UniProt agent performed functional annotation — retrieving what is known about each protein's biological function.