Tone Dark
Tint
30 References · the papers behind the manual

Selected references and further reading.

Every citation in this manual links to its entry below. This list is curated, not exhaustive: it covers the work that most directly shaped the recommendations in each chapter. Where a paper appeared at a conference, the conference and year are given; arXiv preprints are noted as such with their identifier. Open access links are provided where available.

Inline citation format used in chapters: Author et al., Venue Year. Click any citation to jump to the matching entry on this page.

Foundational agent papers
  1. Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., & Cao, Y. (2023). ReAct: Synergizing Reasoning and Acting in Language Models. ICLR 2023. arXiv:2210.03629
  2. Shinn, N., Cassano, F., Berman, E., Gopinath, A., Narasimhan, K., & Yao, S. (2023). Reflexion: Language Agents with Verbal Reinforcement Learning. NeurIPS 2023. arXiv:2303.11366
  3. Schick, T., Dwivedi-Yu, J., Dessì, R., Raileanu, R., Lomeli, M., Zettlemoyer, L., Cancedda, N., & Scialom, T. (2023). Toolformer: Language Models Can Teach Themselves to Use Tools. NeurIPS 2023. arXiv:2302.04761
  4. Madaan, A., Tandon, N., Gupta, P., Hallinan, S., Gao, L., Wiegreffe, S., Alon, U., Dziri, N., Prabhumoye, S., Yang, Y., et al. (2023). Self-Refine: Iterative Refinement with Self-Feedback. NeurIPS 2023. arXiv:2303.17651
  5. Qin, Y., Liang, S., Ye, Y., Zhu, K., Yan, L., Lu, Y., Lin, Y., Cong, X., Tang, X., Qian, B., et al. (2023). ToolLLM: Facilitating Large Language Models to Master 16000+ Real-world APIs. arXiv preprint. arXiv:2307.16789
Multi-agent frameworks & orchestration
  1. Hong, S., Zhuge, M., Chen, J., Zheng, X., Cheng, Y., Zhang, C., et al. (2024). MetaGPT: Meta Programming for a Multi-Agent Collaborative Framework. ICLR 2024. arXiv:2308.00352
  2. Wu, Q., Bansal, G., Zhang, J., Wu, Y., Zhang, S., Zhu, E., Li, B., Jiang, L., Zhang, X., & Wang, C. (2023). AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation. arXiv preprint. arXiv:2308.08155
  3. Du, Y., Li, S., Torralba, A., Tenenbaum, J. B., & Mordatch, I. (2024). Improving Factuality and Reasoning in Language Models through Multiagent Debate. ICML 2024. arXiv:2305.14325
  4. Liu et al. (2025). Breaking Mental Set to Improve Reasoning through Diverse Multi-Agent Debate. ICLR 2025. ICLR 2025 slides
  5. Ye, R., Pang, S., Chai, Y., Chen, J., Yin, X., Zhang, Z., Lu, H., Liang, Y., Yan, Q., Wang, Y., Chen, S., & Shao, J. (2025). MAS-GPT: Training LLMs to Build LLM-based Multi-Agent Systems. arXiv preprint. arXiv:2503.03686
  6. Lin, X., Wang, J., Tian, Q., Yu, Y., Yang, Y., Cao, S., et al. (2025). Agentic Neural Networks: Self-Evolving Multi-Agent Systems via Textual Backpropagation. arXiv preprint. arXiv:2506.09046
  7. Federation of Agents authors (2025). Federation of Agents: A Semantics-Aware Communication Fabric for Large-Scale Agentic AI. arXiv preprint. arXiv:2509.20175
  8. Multi-agent outlook authors (2025). An Outlook on the Opportunities and Challenges of Multi-Agent AI Systems. arXiv preprint. arXiv:2505.18397
  9. Ozer, O., et al. (2025). MAR: Multi-Agent Reflexion Improves Reasoning Abilities in LLMs. arXiv preprint. arXiv:2512.20845
  10. Rizvi-Martel, M., Bhattamishra, S., Rathi, N., Rabusseau, G., & Hahn, M. (2026). Benefits and Limitations of Communication in Multi-Agent Reasoning. ICLR 2026. Mila announcement
  11. Lambda team (2026). Agents Arena: 103,000 battles across 31 scenarios in finance, healthcare, legal, and cybersecurity. ICLR 2026 Agents in the Wild Workshop. Lambda blog
  12. Becker, J. (2024). Multi-Agent Large Language Models for Conversational Task-Solving. arXiv preprint. arXiv:2410.22932
Protocols & interoperability
  1. Yang, Y., Chai, H., Song, Y., Qi, S., Wen, M., Li, N., Liao, J., Hu, H., Lin, J., Liu, G., et al. (2025). A Survey of Agent Interoperability Protocols: Model Context Protocol (MCP), Agent Communication Protocol (ACP), Agent-to-Agent Protocol (A2A), and Agent Network Protocol (ANP). arXiv preprint. arXiv:2505.02279
  2. Singh, A., Ehtesham, A., Kumar, S., & Khoei, T. T. (2025). Survey of LLM Agent Communication with MCP: A Software Design Pattern Centric Review. arXiv preprint. arXiv:2506.05364
  3. Hou, X., Zhao, Y., Wang, S., & Wang, H. (2025). Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv preprint. arXiv:2503.23278
  4. MCP tool smells authors (2026). Model Context Protocol (MCP) Tool Descriptions Are Smelly! Towards Improving AI Agent Efficiency with Augmented MCP Tool Descriptions. arXiv preprint. arXiv:2602.14878
  5. Context-Aware MCP authors (2026). Enhancing Model Context Protocol (MCP) with Context-Aware Server Collaboration. arXiv preprint. arXiv:2601.11595
  6. Anthropic / Linux Foundation Agentic AI Foundation (Dec 2025). Donation of Model Context Protocol to AAIF. News announcement. Wikipedia summary
Memory & long-context reasoning
  1. Chhikara, A., et al. (2025). Mem0: Building Production-Ready AI Agents with Scalable Long-Term Memory. arXiv preprint. arXiv:2504.19413
  2. Rasmussen, P., et al. (2025). Zep: A Temporal Knowledge Graph Architecture for Agent Memory. arXiv preprint. arXiv:2501.13956
  3. Wang, Y., & Chen, P. (2025). MIRIX: Multi-Agent Memory System for LLM-Based Agents. arXiv preprint. arXiv:2507.07957
  4. LiCoMemory authors (2025). LiCoMemory: Lightweight and Cognitive Agentic Memory for Efficient Long-Term Reasoning. arXiv preprint. arXiv:2511.01448
  5. MemMachine authors (2026). MemMachine: A Ground-Truth-Preserving Memory System for Personalized AI Agents. arXiv preprint. arXiv:2604.04853
  6. Memory Agents authors (2026). Learning to Remember: End-to-End Training of Memory Agents for Long-Context Reasoning. arXiv preprint. arXiv:2602.18493
  7. Yao, R., Wang, X., Zhang, A., et al. (2025). Look Back to Reason Forward: Revisitable Memory for Long-Context LLM Agents. arXiv preprint. arXiv:2509.23040
  8. COSMIR authors (2025). COSMIR: Chain Orchestrated Structured Memory for Iterative Reasoning over Long Context. arXiv preprint. arXiv:2510.04568
  9. MemOCR authors (2026). MemOCR: Layout-Aware Visual Memory for Efficient Long-Horizon Reasoning. arXiv preprint. arXiv:2601.21468
  10. QwenLong-L1.5 team (2026). QwenLong-L1.5: Post-Training Recipe for Long-Context Reasoning and Memory Management. arXiv preprint. arXiv:2512.12967
  11. Hong, X., et al. (2025). Context Rot: How Increasing Input Tokens Impacts LLM Performance. Chroma research. Chroma research blog
  12. Srivastava, S., Bidhan, J., Yan, H., Dey, A., Kansal, T., Kath, P., Mansouri, S., Marvania, M., Simhadri, V. S., & Singh, G. (2026). Reasoning Under Constraint: How Batch Prompting Suppresses Overthinking in Reasoning Models. ICLR 2026. OpenReview · arXiv:2511.04108. Disclosure: co-authored by the manual's author (Singh) and reviewers (Srivastava, Dey).
  13. Wu, D., et al. (2025). LongMemEval: Benchmarking Chat Assistants on Long-Term Interactive Memory. ICLR 2025. arXiv:2410.10813
Reflection & self-improvement
  1. MARS authors (2026). Learn Like Humans: Use Meta-cognitive Reflection for Efficient Self-Improvement. arXiv preprint. arXiv:2601.11974
  2. SAMULE authors (2025). SAMULE: Self-Learning Agents Enhanced by Multi-level Reflection. arXiv preprint. arXiv:2509.20562
  3. WebCoT authors (2025). WebCoT: Enhancing Web Agent Reasoning by Reconstructing Chain-of-Thought in Reflection, Branching, and Rollback. arXiv preprint. arXiv:2505.20013
  4. Agentic Critical Training authors (2026). Agentic Critical Training. arXiv preprint. arXiv:2603.08706
  5. ParamMem authors (2026). ParamMem: Augmenting Language Agents with Parametric Reflective Memory. arXiv preprint. arXiv:2602.23320
  6. Teaching Reasoning Models authors (2026). Teaching Large Reasoning Models Effective Reflection. arXiv preprint. arXiv:2601.12720
  7. Wu, C., et al. (2025). Meta-Policy Reflexion: Reusable Reflective Memory and Rule Admissibility for Resource-Efficient LLM Agent. arXiv preprint. arXiv:2509.03990
  8. Qin, C., et al. (2025). ILR: Interactive Learning for LLM Reasoning. arXiv preprint. arXiv:2509.26306
Evaluation & benchmarks
  1. Jimenez, C. E., Yang, J., Wettig, A., Yao, S., Pei, K., Press, O., & Narasimhan, K. (2024). SWE-bench: Can Language Models Resolve Real-World GitHub Issues? ICLR 2024. arXiv:2310.06770
  2. Xie, T., Zhang, D., Chen, J., Li, X., Zhao, S., Cao, R., et al. (2024). OSWorld: Benchmarking Multimodal Agents for Open-Ended Tasks in Real Computer Environments. NeurIPS 2024. arXiv:2404.07972
  3. Mialon, G., Fourrier, C., Swift, C., Wolf, T., LeCun, Y., & Scialom, T. (2023). GAIA: A Benchmark for General AI Assistants. ICLR 2024. arXiv:2311.12983
  4. Yao, S., Shinn, N., Razavi, P., & Narasimhan, K. (2024). TAU-bench: A Benchmark for Tool-Agent-User Interaction in Real-World Domains. arXiv preprint. arXiv:2406.12045
  5. Berkeley RDI (April 2026). How We Broke Top AI Agent Benchmarks. RDI Blog. Berkeley RDI blog
  6. OccuBench authors (2026). OccuBench: Evaluating AI Agents on Real-World Professional Tasks via Language World Models. arXiv preprint. arXiv:2604.10866
  7. Windows Agent Arena team (2024). Windows Agent Arena: Evaluating Multi-Modal OS Agents at Scale. arXiv preprint. arXiv:2409.08264
  8. Spheron team (2026). AI Agent Benchmarking Infrastructure on GPU Cloud: Run SWE-bench, GAIA, Terminal-Bench, and OSWorld at Scale. Spheron Blog. Spheron 2026 guide
  9. SWE-Context Bench authors (2026). SWE-Context Bench: A Benchmark for Context Learning in Coding. arXiv preprint. arXiv:2602.08316
Security & prompt injection
  1. Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., & Fritz, M. (2023). Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. AISec Workshop, CCS 2023. arXiv:2302.12173
  2. Lee, D. R., & Tiwari, M. (2024). Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems. arXiv preprint. arXiv:2410.07283
  3. Firewall benchmark authors (2025). Indirect Prompt Injections: Are Firewalls All You Need, or Stronger Benchmarks? arXiv preprint. arXiv:2510.05244
  4. Brittle agents authors (2026). Your Agent is More Brittle Than You Think: Uncovering Indirect Injection Vulnerabilities in Agentic LLMs. arXiv preprint. arXiv:2604.03870
  5. Prompt Injection Review authors (2026). Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review. MDPI Information. MDPI 17(1):54
  6. OWASP (2025). OWASP Top 10 for LLM Applications 2025. OWASP. owasp.org
  7. Lakera (2025). Indirect Prompt Injection: The Hidden Threat Breaking Modern AI Systems. Lakera blog. lakera.ai
  8. CrowdStrike (2025). Indirect Prompt Injection Attacks: Hidden AI Risks. CrowdStrike blog. crowdstrike.com
  9. Help Net Security / Google (April 2026). Indirect Prompt Injection is Taking Hold in the Wild. Help Net Security. helpnetsecurity.com
Agent security frontier (2025–26 attacks and standards)
  1. Rehberger, J. (September 2025). Cross-Agent Privilege Escalation: When Agents Free Each Other. Embrace The Red (security research blog); also disclosed as CVE-2025-53773 with co-discoverer Markus Vervier. embracethered.com
  2. Palo Alto Networks Unit 42 (October 2025). When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems. Unit 42 threat research. unit42.paloaltonetworks.com
  3. OWASP GenAI Security Project (Sotiropoulos, J., Katz, K., Del Rosario, R. F., et al.) (December 2025). OWASP Top 10 for Agentic Applications 2026. OWASP Foundation; ASI01-ASI10 risk categories with the introduction of "least agency" as a guiding principle. genai.owasp.org
  4. Cloud Security Alliance (March 2026). Control the Chain, Secure the System: Fixing AI Agent Delegation. CSA blog; introduces the four foundations: scope attenuation, token-level lineage verification, persistent context alignment, out-of-band human approval. cloudsecurityalliance.org
  5. Helixar Labs (2026). Human Delegation Provenance Protocol (HDP). IETF Internet-Draft draft-helixar-hdp-agentic-delegation-00; companion paper at arXiv:2604.04522. Ed25519-signed append-only delegation chains with offline verification. datatracker.ietf.org · arXiv:2604.04522
  6. Prakash, et al. (March 2026). Agent Identity Protocol (AIP): Verifiable Delegation for AI Agent Systems. IETF Internet-Draft draft-prakash-aip-00; companion paper at arXiv:2603.24775. Introduces Invocation-Bound Capability Tokens (IBCTs) in JWT and Biscuit/Datalog flavors. ietf.org · arXiv:2603.24775
  7. Debenedetti, E., Shumailov, I., Fan, T., Hayes, J., Carlini, N., Fabian, D., Kern, C., Shi, C., Terzis, A., Tramèr, F. (March 2025). Defeating Prompt Injections by Design. arXiv preprint. Introduces CaMeL: a Privileged + Quarantined LLM split with capability metadata enforced by a custom Python interpreter. Solves 67 to 77 percent of AgentDojo with provable security against the prompt injection class. arXiv:2503.18813
  8. Debenedetti, E., Zhang, J., Balunović, M., Beurer-Kellner, L., Fischer, M., Tramèr, F. (June 2024). AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. NeurIPS 2024. 97 realistic tasks and 629 security tests across Workspace, Banking, Travel, and Slack environments. The de facto evaluation harness for prompt injection defenses. arXiv:2406.13352
  9. Chen, Z., Xiang, Z., Xiao, C., Xu, D., Li, B. (July 2024). AgentPoison: Red-teaming LLM Agents via Poisoning Memory or Knowledge Bases. NeurIPS 2024. First backdoor attack on RAG-based agents; 80 percent or higher attack success at less than 0.1 percent poisoning rate across autonomous-driving, QA, and EHR healthcare agents. arXiv:2407.12784
  10. Dong, S., Xu, S., He, P., Li, Y., Tang, J., Liu, T., Zhao, H., Liu, J., Wang, Y. (March 2025). A Practical Memory Injection Attack against LLM Agents. arXiv preprint. MINJA achieves 95 percent or higher injection success and 70 percent attack success rate on memory-augmented agents through query-only interactions. arXiv:2503.03704
  11. Xu, P., Zhao, H., Yi, X., et al. (October 2025). The Trust Paradox in LLM-Based Multi-Agent Systems: When Collaboration Becomes a Security Vulnerability. arXiv preprint. Empirical study across 1,488 agent chains showing inter-agent trust monotonically increases attack risk. Defines Over-Exposure Rate (OER) and Authorization Drift (AD) against a Minimum Necessary Information baseline. arXiv:2510.18563
  12. Hines, K., Lopez, G., Hall, M., Zarfati, F., Zunger, Y., Kiciman, E. (March 2024). Defending Against Indirect Prompt Injection Attacks With Spotlighting. CAMLIS 2024. Delimiting, datamarking, and base64 encoding of untrusted text. Reduces attack success rate from above 50 percent to below 2 percent on GPT-family models. arXiv:2403.14720
  13. Chen, S., Piet, J., Sitawarin, C., Wagner, D. (February 2024). StruQ: Defending Against Prompt Injection with Structured Queries. USENIX Security 2025. Two-channel front-end formatter plus structured-instruction-tuned LLM. Companion paper SecAlign (Chen et al., October 2024, arXiv:2410.05451) extends the technique with preference optimization. Both broken by the ASTRA whitebox attack at up to 70 percent ASR. arXiv:2402.06363 · arXiv:2410.05451
  14. Shi, T., Zhang, J., Liu, Y., Wang, Q., Zhang, X., Yu, F., Zhao, J., Hou, T., Liu, A., Yan, X., Hu, Z., Yang, Z., Zhang, Y., Sayyed, Z., Zhao, B. Y., Liu, X., Han, X., Wang, B., Song, D. (April 2025). Progent: Programmable Privilege Control for LLM Agents. arXiv preprint. JSON-based DSL for fine-grained tool-call policies. Reduces AgentDojo attack success rate from 41.2 percent to 2.2 percent and ASB attack success rate from 70.3 percent to 0 percent. arXiv:2504.11703
  15. Sharma, M., et al. (January 2025). Constitutional Classifiers: Defending against Universal Jailbreaks across Thousands of Hours of Red Teaming. Anthropic technical report. Synthetic-data-trained input and output classifiers from a natural-language constitution. No universal jailbreak found across 3,000+ red-team hours; 0.38 percent absolute refusal-rate increase, 23.7 percent inference overhead. arXiv:2501.18837
  16. Meta AI (April 2025). Llama Guard 4 12B Model Card. Meta. Dense early-fusion multimodal classifier pruned from Llama 4 Scout. Replaces Llama Guard 3-8B and 3-11B-vision; adds a Code Interpreter Abuse category for tool-call use. External evaluation finds 4.5 to 21.8 percent harmful detection at 97 to 99 percent benign accuracy. github.com/meta-llama
  17. Zhan, Q., Liang, Z., Ying, Z., Kang, D. (March 2024). InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents. ACL 2024 Findings. 1,054 cases across 17 user tools and 62 attacker tools. ReAct GPT-4 reaches 24 percent attack success rate baseline, 47 percent with hacking-prompt enhancement. arXiv:2403.02691
Memory poisoning & long-term agent state
  1. Chhikara, P., et al. (April 2025). Mem0: Building Production-Ready AI Agents with Scalable Long-Term Memory. ECAI 2025. Two-stage extract-then-update memory pipeline; on the LOCOMO benchmark, Mem0 outperforms full-context with 91 percent lower p95 latency and 90 percent or higher token savings. arXiv:2504.19413
  2. Rasmussen, P., et al. (January 2025). Zep: A Temporal Knowledge Graph Architecture for Agent Memory. arXiv preprint. Bitemporal knowledge graph with episode, semantic entity, and community subgraphs; each fact carries explicit validity periods. Up to 18.5 percentage point accuracy improvement on LongMemEval with 90 percent latency reduction over full-context baselines. arXiv:2501.13956
  3. Xu, W., et al. (February 2025). A-MEM: Agentic Memory for LLM Agents. arXiv preprint. Zettelkasten-inspired self-organizing memory; new notes link to existing ones, and existing notes update when new connections form. Up to 6x improvement over baselines on six foundation models. arXiv:2502.12110
  4. Wu, D., et al. (October 2024). LongMemEval: Benchmarking Chat Assistants on Long-Term Interactive Memory. ICLR 2025. 500 questions across five core abilities. Commercial chat assistants and long-context LLMs show 30 to 60 percent accuracy drop on memorization across sustained interactions. arXiv:2410.10813
  5. Packer, C., Wooders, S., Lin, K., Fang, V., Patil, S. G., Stoica, I., Gonzalez, J. E. (October 2023). MemGPT: Towards LLMs as Operating Systems. arXiv preprint. OS-inspired hierarchical memory with main context, recall storage, and archival storage. Foundational design for memory-as-a-tool agents. arXiv:2310.08560
  6. DeChant, C. (January 2025). Episodic Memory in AI Agents Poses Risks That Should Be Studied and Mitigated. SaTML 2025. Identifies four primary safety risks of episodic memory: deception, situational awareness as attack surface, retrieval unpredictability, and unwanted retention. arXiv:2501.11739
Observability & OpenTelemetry GenAI conventions
  1. OpenTelemetry Project (2024 to 2026). Semantic Conventions for Generative AI. CNCF specification. Standardizes spans (chat, execute_tool, invoke_agent, invoke_workflow, embeddings, retrieval), metrics (gen_ai.client.operation.duration, gen_ai.client.token.usage), and events (gen_ai.evaluation.result, gen_ai.client.inference.operation.details). Critical caveat: as of v1.41.0 (May 2026), all gen_ai.* attributes remain Status: Development, not Stable. opentelemetry.io/docs/specs/semconv/gen-ai
  2. OpenTelemetry Project (2026). Semantic Conventions for Model Context Protocol (MCP). CNCF specification sub-spec. Defines mcp.method.name, mcp.session.id, mcp.resource.uri, mcp.prompt.name, mcp.tool.name. When the MCP method is a tool call, gen_ai.operation.name=execute_tool and gen_ai.tool.name MUST also be set so MCP tool-call spans aggregate with non-MCP ones. opentelemetry.io/docs/specs/semconv/gen-ai/mcp
  3. AgentSight Authors (August 2025). AgentSight: System-Level Observability for AI Agents Using eBPF. arXiv preprint. Boundary tracing intercepts TLS-encrypted LLM traffic for semantic intent and kernel events for system effects, with less than 3 percent performance overhead. Detects prompt injection, reasoning loops, and multi-agent coordination bottlenecks. arXiv:2508.02736
  4. AgenTracer Authors (September 2025). AgenTracer: Who Is Inducing Failure in the LLM Agentic Systems? arXiv preprint. First automated framework for annotating failed multi-agent trajectories using counterfactual replay plus programmed fault injection. Releases TracerTraj dataset with 2,000+ failure trajectories. arXiv:2509.03312
  5. LangChain Issue #35357 (2025). Feature: Structured compliance audit logging for EU AI Act (Article 12). GitHub. Community-acknowledged gap: BaseCallbackHandler and LangSmith integration are designed for debugging and monitoring, not for regulatory compliance audits. github.com/langchain-ai
Computer-use agents (NeurIPS 2025)
  1. Cua AI (Nov 2025). NeurIPS 2025: 45 Computer-Use Agent Papers You Should Know About. Cua Blog. cua.ai blog
  2. Jedi / OSWorld-G authors (2025). OSWorld-G and Jedi: Scaling GUI Grounding with 4 Million Synthetic Examples. NeurIPS 2025. NeurIPS 2025 poster
Surveys & landscape papers
  1. Architectures / Taxonomies authors (2026). Agentic Artificial Intelligence (AI): Architectures, Taxonomies, and Evaluation of Large Language Model Agents. arXiv preprint. arXiv:2601.12560
  2. Prompt-Response to Goal-Directed authors (2026). From Prompt-Response to Goal-Directed Systems: The Evolution of Agentic AI Software Architecture. arXiv preprint. arXiv:2602.10479
  3. Agentic Frameworks authors (2025). Agentic AI Frameworks: Architectures, Protocols, and Design Challenges. IEEE arXiv preprint. arXiv:2508.10146
  4. Haidemariam, T. (2026). From the logic of coordination to goal-directed reasoning: the agentic turn in artificial intelligence. Frontiers in AI. Frontiers DOI
Guidance, rewards & preference learning
  1. Fu, J., Zhao, X., Yao, C., Wang, H., Han, Q., Xiao, Y. (2025–2026). Reward Shaping to Mitigate Reward Hacking in RLHF. arXiv preprint, Feb 2025, latest revision Jan 2026. arXiv:2502.18770
  2. Yang, P., Zhang, K., Wang, J., Chen, X., Tang, Y., Yang, E., Ai, L., Shi, B. (2025–2026). Multi-Agent Collaborative Reward Design for Enhancing Reasoning in Reinforcement Learning (CRM). arXiv preprint, Nov 2025, last revised Jan 2026. arXiv:2511.16202
Future directions: self-improvement, world models, embodied agents
  1. o-mega Research (2026). Self-Improving AI Agents: The 2026 Guide. Industry overview, March 2026. o-mega.ai
  2. Google DeepMind SIMA team (2025). SIMA 2: A Generalist Embodied Agent for Virtual Worlds. arXiv preprint, December 2025. arXiv:2512.04797
  3. Feng, T., Wang, X., Zhou, Z., Wang, R., Zhan, Y., Li, G., Li, Q., Zhu, W. (2025). EvoAgent: Self-evolving Agent with Continual World Model for Long-Horizon Tasks. arXiv preprint, February 2025. arXiv:2502.05907
  4. Embodied AI Survey authors (2025). Embodied AI Agents: Modeling the World. arXiv preprint, June 2025. arXiv:2506.22355
Predictive coding, world models & agent surprise
  1. Friston, K. (2010). The Free-Energy Principle: A Unified Brain Theory? Nature Reviews Neuroscience 11(2): 127-138. Foundational paper for the surprise-minimization framing used in chapter 16. Argues that brains and adaptive systems minimize variational free energy, which is approximately expected surprise over future observations. doi:10.1038/nrn2787
  2. Clark, A. (2013). Whatever Next? Predictive Brains, Situated Agents, and the Future of Cognitive Science. Behavioral and Brain Sciences 36(3): 181-204. The accessible philosophy paper that popularized predictive coding outside neuroscience. Argues that perception is itself prediction-driven, not passive reception. doi:10.1017/S0140525X12000477
  3. Pollak, T. A., Corlett, P. R. (2020). Blindness, Psychosis, and the Visual Construction of the World. Schizophrenia Bulletin 46(6): 1418-1425. The paper underlying the blind-and-schizophrenia observation in chapter 16. Argues that congenital visual deprivation, by preventing the formation of a hierarchical visual predictive system, may also prevent the kind of hierarchical predictive failure underlying schizophrenia's positive symptoms. doi:10.1093/schbul/sbz098
  4. Hafner, D., Pasukonis, J., Ba, J., Lillicrap, T. (2023). Mastering Diverse Domains through World Models. arXiv preprint (DreamerV3). The state-of-the-art reference for jointly trained world models and policies. Achieves human-level performance on Minecraft from scratch through learned imagination. arXiv:2301.04104
  5. Google DeepMind (2025). Genie 3: A New Generation of Generative World Models. DeepMind announcement, July 2025. A foundation generative world model that produces playable environments from text prompts. Sparked the production interest in world models as a primitive for agent training and evaluation. deepmind.google
  6. NVIDIA (January 2025). Cosmos World Foundation Model Platform for Physical AI. arXiv preprint. Foundation world models targeted at physical AI applications (autonomous driving, robotics). The same idea applied at industrial scale: predict the next physical state, score the surprise, train downstream models on the predictions. arXiv:2501.03575
  7. Schrittwieser, J., et al. (2020). Mastering Atari, Go, Chess and Shogi by Planning with a Learned Model. Nature 588: 604-609. The classical MuZero paper showing that learning a model jointly with a policy beats both pure model-free RL and pure planning. Foundational for the "predict-and-plan" framing in chapter 16. doi:10.1038/s41586-020-03051-4
Trust, privileges & reputation in multi-agent systems
  1. Inter-Agent Trust authors (2025). Inter-Agent Trust Models: A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constraint in Agentic Web Protocol Design: A2A, AP2, ERC-8004, and Beyond. arXiv preprint, November 2025. arXiv:2511.03434
  2. Bouchiha, M. A., et al. (2025). DRF: LLM-AGENT Dynamic Reputation Filtering Framework. arXiv preprint, September 2025. arXiv:2509.05764
  3. Prakash, S. (2026). The Provenance Paradox in Multi-Agent LLM Routing: Delegation Contracts and Attested Identity in LDP. arXiv preprint, March 2026. arXiv:2603.18043
  4. Chaffer, T. J. (2025). AgentBound Tokens (ABTs): AI-Governed Agent Architecture for Web-Trustworthy Tokenization of Alternative Assets. arXiv preprint, June 2025. arXiv:2507.00096
  5. Foerster, M., Blanchard, N., et al. (2026). CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents. arXiv preprint, January 2026. arXiv:2601.09923
Beyond software: medical and scientific frontiers
  1. Wang, J., et al. (2025). AI-Powered early warning systems for clinical deterioration significantly improve patient outcomes: a meta-analysis. BMC Medical Informatics and Decision Making, 25:203. doi:10.1186/s12911-025-03048-x
  2. Authors of medRxiv 2025.06.20.25329978 (2025). Early Warning Model for Patient Deterioration: A Machine Learning Approach for Nurse-Led Monitoring. medRxiv preprint, June 2025. medRxiv:2025.06.20.25329978
  3. Shanghai Zhongshan Hospital, Fudan University (2025). AIME-ICU: Exploring the Use of AI-Assisted Video Monitoring to Predict Accidental Events in ICU Patients. ClinicalTrials.gov NCT07307521 (observational, 300 patients). NCT07307521
  4. Authors of PMC12701216 (2025). Artificial intelligence applications in intensive care unit nursing: A narrative review (2020-2025). Open access journal, 2025. PMC12701216
  5. Authors of MDPI Clinical Medicine 14:4026 (2025). Machine Learning and Artificial Intelligence in Intensive Care Medicine: Critical Recalibrations from Rule-Based Systems to Frontier Models. Journal of Clinical Medicine, June 2025. MDPI 14:4026
  6. Dong, et al. (2025). Brain Harmony: A unified 1D token representation integrating structural and functional MRI for foundation-model neuroimaging. Preprint, September 2025 (described in the Foundation Models for Neuroimaging survey). survey overview
  7. Lyu, et al. (2025). Prima: Health-system-scale neuroimaging diagnosis with explainable, fair, generalizable reasoning. Preprint, September 2025 (mean diagnostic AUROC 0.92). survey overview
  8. Mahé, et al. (2025). Unsupervised anomaly detection in brain MRI via VAE-, GAN-, and diffusion-model reconstruction. Preprint, October 2025. related work in the same family
  9. Benchetrit, Y., Banville, H., & King, J.-R. (2024). Brain decoding: toward real-time reconstruction of visual perception. Meta FAIR / ENS PSL University, ICLR 2024 spotlight. arXiv:2310.19812
  10. Authors of PMC8869956 (2025). fMRI Brain Decoding and Its Applications in Brain–Computer Interface: A Survey. PMC8869956. PMC8869956
  11. Tobias, A. V., & Wahab, A. (2025). Autonomous 'self-driving' laboratories: a review of technology and policy implications. Royal Society Open Science 12(7):250646, July 2025. doi:10.1098/rsos.250646
  12. Rapp, J. T., Bremer, B. J., & Romero, P. A. (2024). Self-driving laboratories to autonomously navigate the protein fitness landscape (SAMPLE platform). Nature Chemical Engineering / bioRxiv, 2023-2024. bioRxiv preprint
  13. Hartung, T. (2025). AI, agentic models and lab automation for scientific discovery: the beginning of scAInce. Frontiers in Artificial Intelligence, August 2025. doi:10.3389/frai.2025.1649155
  14. Nature News (2026). Inside the 'self-driving' lab revolution (covers Periodic Labs, founded 2025 by Liam Fedus and Ekin Dogus Cubuk). Nature, March 2026. Nature feature
Citation discipline grows on you. The first time you find a paper you cited two months ago and can't quite remember why, you understand. Hyperlinked references from the start are worth the small upfront effort.