Security Checklist

Architecture and Agents

We have a documented threat model that includes agentic-specific risks: prompt injection, RAG poisoning, tool misuse, and cross-tenant leakage.

Each agent has a clear, narrow scope and a minimal tool set.

The orchestration layer - not the model - enforces security and policy.

Plan-verify-execute and/or controlled breakpoints are used for high-risk actions.

Multi-agent workflows and communications are explicitly defined, schema-validated, and restricted.

Identity and Access

Agents are first-class identities with owners, roles, and environments.

RBAC/ABAC rules constrain data and tools per agent, per user, and per tenant.

High-privilege access is granted just-in-time and is short-lived.

All elevation events and high-risk actions are logged and monitored.

Data, RAG, and Memory

Data is classified and access-controlled at the record and document level.

RAG and long-term memory are protected against unauthorized edits and poisoning.

We minimize what is sent to models and never send secrets.

PII and secrets are detected and appropriately redacted or tokenized before storage.

Retention and deletion policies meet regulatory and contractual requirements.

Tools, MCP, and External APIs

Tools are atomic, single-purpose, and schema-validated server-side.

Per-agent and per-tenant tool allowlists are enforced with default deny.

High-impact tools require human approval or propose/confirm flows.

Code execution tools run in hardened sandboxes with no default network access.

MCP servers and plugins go through security review and are centrally registered.

Network egress from agents and tools is restricted to approved endpoints.

Frontend and UX

Standard web security (auth, CSRF, XSS, CSP) is implemented for the frontend layer.

All model output is treated as untrusted and rendered safely.

The UI clearly communicates agent capabilities and limitations.

Domain-specific disclaimers are present where needed (health, legal, financial).

Users can flag harmful or incorrect outputs and escalate to humans.

Infrastructure and Model Gateway

Agent workloads run in hardened, least-privilege containers.

Network segmentation prevents agents from reaching core data stores directly.

A model gateway mediates all LLM traffic with auth, rate limits, and logging.

High-risk tools are isolated with additional sandboxing and resource limits.

Supply chain risks are managed (SBOMs, scanning, model version tracking).

Cloud provider resources are configured following security best practices.

Guardrails and Responsible AI

Pre-input, mid-execution, and post-output guardrails are implemented and configurable per product.

Responsible AI harm categories relevant to the use case have been assessed and mitigations are in place.

Domain-specific constraints (financial, health, legal, security) are encoded as policies and guardrails.

Hallucination and grounding checks are in place where correctness is critical.

Bias and fairness considerations are explicitly addressed in sensitive contexts.

Monitoring and Incident Response

End-to-end structured, privacy-aware audit logging is enabled.

Behavioral baselines and anomaly detection for agents and tools are in place.

Alerts exist for AI-specific threats: injection attempts, tool misuse, data exfiltration, and behavior shifts.

AI-specific incident response runbooks are defined and integrated with security operations.

There is clear operational ownership and on-call coverage for agentic systems.

SDLC, Testing, and Red Teaming

AI and agent threat modeling is part of design reviews.

Automated security tests (SAST, DAST, dependency scanning, container scanning) run in CI/CD.

AI-specific tests (prompt injection, RAG poisoning, tool misuse, responsible AI harms) are part of regression suites.

Periodic adversarial red teaming is performed and findings are addressed.

Continuous evaluation uses incidents, metrics, and assessments to harden defenses over time.