How to secure AI agents?

Secure AI agents by implementing controls across six domains: identity and authentication (unique credentials, short-lived tokens, human-in-the-loop), permissions and least privilege (tool allowlisting, scoped access, no ambient authority), input/output security (prompt injection defense, output filtering, schema validation), memory and data (session isolation, PII handling, retention policies), monitoring and observability (tool call logging, anomaly detection, kill switches), and multi-agent orchestration (encrypted communication, cascade failure isolation, cross-agent audit trails). Use this 30-point checklist as a structured assessment framework.

What are the OWASP Top 10 for AI agents?

The OWASP Top 10 for Agentic Applications (2026) covers: (1) Excessive Agency — agents with more permissions than needed, (2) Unrestricted Autonomous Operation — agents without execution constraints, (3) Prompt Injection to Agent Manipulation — manipulating agent behavior through crafted inputs, (4) Unsafe Tool/Function Execution — unvalidated tool calls, (5) Inadequate Sandboxing — lack of execution isolation, (6) Improper Multi-Agent Trust — blind trust between agents, (7) Identity and Access Mismanagement — missing agent identity controls, (8) Insufficient Logging and Monitoring — no observability into agent actions, (9) Uncontrolled Resource Consumption — runaway cost and compute usage, and (10) Supply Chain Vulnerabilities — malicious dependencies in agent toolchains.

← Back to Blog

Security ChecklistAI AgentsOWASPCompliance

AI Agent Security Checklist 2026

30-point security checklist for production AI agents. Covers OWASP agentic top 10, identity, permissions, monitoring, and compliance mapping. Free PDF download.

AI Vyuh Security · 7 April 2026

AI agents are not chatbots. They hold credentials, call APIs, read databases, write files, and make autonomous decisions. This AI agent security checklist exists because securing agents requires a fundamentally different approach than anything you’d use for a traditional web application or even a standalone LLM deployment.

The OWASP Top 10 for Agentic Applications arrived in 2026, confirming what practitioners already knew: agents introduce AI agent security risks that existing frameworks don’t cover. Tool poisoning, confused deputy attacks, memory manipulation, and multi-agent privilege escalation aren’t edge cases — they’re the default attack surface of any agent that connects to external tools.

This AI agent security checklist gives you 30 concrete controls across 6 domains. Each control is implementable today, mapped to compliance frameworks, and applicable regardless of whether you’re building with LangChain, CrewAI, AutoGen, or a custom orchestration layer. Download the full checklist for your team’s security review.

Why AI Agents Need Their Own Security Checklist

Traditional application security assumes a request-response model: a user sends a request, the server processes it, and returns a response. Every action traces back to an authenticated user. The blast radius of any single vulnerability is bounded by that user’s session.

AI agents break every one of these assumptions. An agent may chain 15 tool calls to fulfill a single user request, each call touching a different system with different permissions. The agent makes autonomous decisions about which tools to call, what data to send, and how to interpret results. There’s no human reviewing each intermediate step. A single prompt injection in a tool response can redirect the entire chain.

The OWASP Agentic Top 10, the NIST AI Risk Management Framework, and the EU AI Act all recognize this gap. But none of them provide a control-level checklist you can hand to your engineering team on Monday morning. That’s what this is.

The 30-Point AI Agent Security Checklist

Domain 1: Identity & Authentication

Every agent needs an identity. Not a shared service account. Not the developer’s personal API key. A unique, auditable identity that can be granted, scoped, rotated, and revoked independently.

Control 1: Agent identity management. Assign unique credentials to every agent instance. No shared service accounts across agents. When Agent-A is compromised, you need to revoke Agent-A’s credentials without taking down Agent-B through Agent-Z. This means unique client IDs, unique API keys, and unique identity records in your IAM system.

Control 2: Short-lived tokens. Replace long-lived API keys with OAuth 2.0 tokens that rotate automatically. A leaked API key with no expiration is a permanent backdoor. Short-lived tokens (15-60 minute TTL) limit the blast radius of credential theft. Implement token rotation with automatic refresh — the agent should never hold a credential valid for more than one hour.

Control 3: Human-in-the-loop for privileged actions. Not every action needs approval. But data deletion, fund transfers, permission changes, and external communications should require explicit human confirmation. Define your privilege threshold clearly: what’s the blast radius if this action goes wrong? If the answer is “significant and irreversible,” require a human in the loop.

Control 4: Agent-to-agent authentication. When agents communicate with each other, they must authenticate mutually. Use mTLS certificates or signed JWTs. Never trust an agent request based solely on network location or a shared secret. In multi-agent architectures, a compromised worker agent should not be able to impersonate an orchestrator.

Control 5: Identity audit trail. Every authentication event — logins, token issuances, permission changes, failed attempts — must be logged in a tamper-evident store. When (not if) you investigate an incident, you need to reconstruct exactly which agent authenticated where, when, and with what permissions. Append-only logs with integrity verification are the minimum.

Domain 2: Permissions & Least Privilege

The most common agentic vulnerability is excessive agency: agents with more permissions than they need. OWASP ranks this as the #1 risk in their Agentic Top 10 for a reason.

Control 6: Tool allowlisting. Agents should only be able to call tools that are explicitly approved. Default-deny, not default-allow. If your agent framework gives agents access to every registered tool by default, you’ve already lost. Maintain a per-agent allowlist that is reviewed and updated as part of your deployment process.

Control 7: Scope-limited tool permissions. It’s not enough to allowlist a tool — you must scope what that tool can do. A database tool should have read-only access unless writes are specifically required. An email tool should be limited to specific recipients or domains. A file system tool should be sandboxed to a specific directory. The principle is simple: grant the minimum permission required for the task, not the minimum permission required for the tool to function.

Control 8: No ambient authority. An agent must not automatically inherit the invoking user’s full permissions. If a user with admin privileges asks an agent to “clean up old files,” the agent should not operate with admin-level file system access. Agents get their own permission sets, defined independently of the user who triggered them.

Control 9: Resource access boundaries. Define explicit boundaries for each agent: which databases, which S3 buckets, which API endpoints, which network segments. Use network policies, IAM roles, and service mesh configurations to enforce these boundaries at the infrastructure level — not just at the application level. Defense in depth means the agent can’t reach resources it shouldn’t touch even if application-level controls fail.

Control 10: Escalation controls for sensitive operations. Some operations are too sensitive for any agent to perform autonomously, regardless of its permission level. Define a sensitivity tier system: Tier 1 actions are autonomous, Tier 2 require logging and async review, Tier 3 require synchronous human approval. Implement a breakglass procedure for emergencies that bypasses normal controls but generates maximum alerting.

Domain 3: Input/Output Security

Agents process untrusted input from two directions: user prompts and tool responses. Both are attack vectors. Traditional input validation covers the user side; agent security must also cover the tool side.

Control 11: Prompt injection defenses. Deploy layered defenses against prompt injection: input scanning (detect known injection patterns), instruction hierarchy (system prompts take precedence over user input), guardrail models (a smaller model screens inputs before they reach the primary agent), and canary tokens (detect when system prompt boundaries are violated). No single defense is sufficient — layering is required. See our guide to MCP-specific security risks for injection vectors specific to tool-connected agents.

Control 12: Tool response sanitization. Every response from every tool must be treated as untrusted input. Tool responses can contain prompt injections, malicious URLs, encoded commands, or manipulated data. Sanitize tool outputs before they re-enter the agent’s context window. Strip HTML, decode and inspect Base64, remove ANSI escape sequences, and flag content that resembles prompt injection patterns.

Control 13: Output filtering before display. Before any agent output reaches a user, apply output filters: PII redaction (SSNs, credit card numbers, emails that shouldn’t be exposed), code injection prevention (no executable JavaScript in HTML-rendered outputs), and content policy enforcement. The agent may have processed sensitive data during its tool chain — ensure none of it leaks into the user-facing response.

Control 14: Schema validation on tool inputs. Every tool call an agent makes should be validated against a strict JSON schema before execution. Reject malformed payloads, unexpected fields, and out-of-range values. This catches both accidental hallucinations (the agent fabricates a parameter) and intentional manipulation (an injection causes the agent to craft a malicious payload). Schema validation is your last line of defense before a tool call touches an external system.

Control 15: Rate limiting on tool calls. Set per-agent, per-tool, and per-time-window rate limits. An agent stuck in a retry loop can burn thousands of dollars in API costs and overwhelm downstream services. Rate limits catch runaway agents before they cause damage. Define reasonable ceilings: if your agent should never make more than 50 database queries per minute, enforce that at the framework level.

Domain 4: Memory & Data

Agent memory is a new attack surface with no equivalent in traditional application security. Agents persist context across interactions, store retrieval-augmented generation (RAG) embeddings, and maintain conversation history. Each of these is a target.

Control 16: Memory isolation between sessions and users. An agent serving User A must not be able to access memories, context, or conversation history from User B’s sessions. This sounds obvious, but many agent frameworks use shared vector stores or conversation databases with inadequate tenant isolation. Test for cross-session and cross-user data leakage explicitly.

Control 17: PII handling in agent memory. Agents inevitably encounter PII: names, emails, phone numbers, addresses, financial data. Implement PII detection on all data entering agent memory, redact or encrypt PII at rest, and enforce access controls on memory retrieval. Compliance frameworks (GDPR, CCPA, India’s DPDPA) require this — but even without regulation, PII in agent memory is a data breach waiting to happen.

Control 18: Context window management. Sensitive data that enters an agent’s context window stays there for the duration of the session — and potentially longer if context is cached or logged. Strip sensitive data before it enters long-lived contexts. Implement context windowing strategies that expire sensitive segments after use. Never persist full context windows to disk without encryption.

Control 19: Data retention policies. Define TTLs for every type of agent memory: conversation history (7 days?), RAG embeddings (30 days?), tool call logs (90 days?). Auto-expire data that exceeds its retention period. Without explicit policies, agent memory grows unbounded — creating an ever-expanding attack surface and a compliance liability.

Control 20: Memory poisoning detection. Attackers can inject malicious content into agent memory stores — poisoning RAG embeddings, manipulating conversation history, or inserting false context. Implement integrity checks on memory entries: hash verification, source attribution, and anomaly detection on memory content. If an agent’s behavior suddenly changes, check its memory for injected entries.

Domain 5: Monitoring & Observability

You can’t secure what you can’t see. Agent observability is harder than traditional application monitoring because agent behavior is non-deterministic — the same input can produce different tool call sequences on different runs.

Control 21: Log all tool calls with input/output. Every tool call an agent makes must be logged with the full request payload and the full response. This is your forensic foundation. When an incident occurs, you need to reconstruct the exact sequence of tool calls, what data was sent, what was returned, and how the agent interpreted it. Structured logging (JSON) with correlation IDs linking calls within a single agent session.

Control 22: Anomaly detection on agent behavior. Establish baselines for normal agent behavior: typical tool call sequences, normal data access patterns, expected execution durations. Alert on deviations. An agent that suddenly starts querying a database table it’s never touched, or making 10x more API calls than usual, or generating unusually long outputs — these are signals. Statistical anomaly detection or ML-based behavioral models both work.

Control 23: Cost monitoring per agent. Track token consumption, API call costs, and compute costs per agent in real time. Set budget thresholds with automatic alerts. A runaway agent in a retry loop can burn through thousands of dollars in minutes. Real-time cost monitoring is both a security control (detect compromised agents) and a financial control (prevent budget overruns).

Control 24: Break-glass kill switch. Implement the ability to halt any agent within seconds — not minutes, not “after the current task completes.” A kill switch should terminate the agent’s execution, revoke its credentials, and alert the security team simultaneously. Test your kill switch regularly. An untested kill switch is worse than no kill switch — it gives you false confidence.

Control 25: Incident response runbook. Write a runbook specific to agent incidents. Traditional IR runbooks don’t cover: “An agent exfiltrated data through a tool call.” “An agent’s memory was poisoned.” “A multi-agent system entered a cascade failure.” Your runbook should cover detection, containment (kill switch + credential revocation), investigation (tool call log analysis), remediation, and post-incident review.

Domain 6: Multi-Agent & Orchestration

Multi-agent systems introduce coordination risks that don’t exist in single-agent deployments. When agents call other agents, every trust boundary, every permission scope, and every failure mode compounds.

Control 26: Agent-to-agent communication security. All inter-agent communication must be encrypted and authenticated. No cleartext messages between agents, even on internal networks. Use mTLS for transport and signed message payloads for integrity. A compromised agent on the network should not be able to eavesdrop on or tamper with other agents’ communications.

Control 27: Orchestrator privilege boundaries. An orchestrator agent coordinates worker agents — but it should not be able to escalate their permissions. If Worker-A has read-only database access, the orchestrator cannot grant it write access mid-task. Privilege boundaries must be enforced at the infrastructure level, not just the orchestration layer. The orchestrator delegates tasks; it does not delegate permissions.

Control 28: Cascade failure isolation. When one agent in a multi-agent system fails, the failure must not propagate. Implement circuit breakers between agents: if Agent-A stops responding, Agent-B should degrade gracefully rather than entering a retry loop. Define blast radius boundaries — a failure in your email-sending agent should not take down your data-processing pipeline. Test failure scenarios explicitly.

Control 29: Shared resource locking. When multiple agents access shared resources (databases, file systems, APIs), use distributed locking to prevent race conditions. Two agents simultaneously writing to the same database row, or two agents claiming the same task from a queue, can cause data corruption, duplicate actions, or infinite loops. Implement optimistic locking or distributed mutexes depending on your consistency requirements.

Control 30: Cross-agent audit trail. In a multi-agent system, a single user request can trigger actions across 5, 10, or 20 agents. Maintain a unified audit trail that links every action across the full orchestration chain. Use distributed tracing (OpenTelemetry) with a root span per user request and child spans per agent action. When investigating an incident, you need to see the complete chain — not just one agent’s logs.

Compliance Mapping

These 30 controls don’t exist in a vacuum. Here’s how each domain maps to the major compliance and standards frameworks relevant to AI agent deployments.

Domain	OWASP Agentic Top 10	NIST AI RMF	EU AI Act	SOC 2
Identity & Authentication	#7 Identity & Access Mismanagement	Govern 1.1, Map 3.1	Art. 9 (Risk Management), Art. 15 (Accuracy & Robustness)	CC6.1 (Logical Access), CC6.2 (Access Control)
Permissions & Least Privilege	#1 Excessive Agency, #5 Inadequate Sandboxing	Map 2.1, Manage 2.1	Art. 9.2 (Risk Mitigation), Art. 14 (Human Oversight)	CC6.3 (Role-Based Access), CC6.6 (System Boundaries)
Input/Output Security	#3 Prompt Injection, #4 Unsafe Tool Execution	Map 1.1, Manage 3.1	Art. 15.3 (Resilience), Art. 13 (Transparency)	CC7.1 (System Monitoring), CC7.2 (Incident Detection)
Memory & Data	#9 Uncontrolled Resource Consumption	Govern 1.3, Map 3.2	Art. 10 (Data Governance), Art. 12 (Record-Keeping)	CC6.5 (Data Protection), CC8.1 (Change Management)
Monitoring & Observability	#8 Insufficient Logging & Monitoring, #2 Unrestricted Autonomous Operation	Measure 2.1, Manage 1.1	Art. 12 (Record-Keeping), Art. 14 (Human Oversight)	CC7.1 (Monitoring), CC7.3 (Evaluation), CC7.4 (Incident Response)
Multi-Agent & Orchestration	#6 Improper Multi-Agent Trust, #10 Supply Chain Vulnerabilities	Map 2.3, Govern 1.5	Art. 9 (Risk Management), Art. 15 (Accuracy)	CC6.6 (System Boundaries), CC9.1 (Vendor Management)

Framework-Specific Implementation Notes

LangChain / LangGraph

LangChain’s tool abstraction makes allowlisting straightforward — define your tools list explicitly and never use dynamic tool discovery in production. For memory isolation, use ConversationBufferMemory with per-session keys and a TTL-backed store (Redis with expiry). LangGraph’s state machine model naturally supports human-in-the-loop by adding approval nodes before sensitive tool calls. For observability, LangSmith provides built-in tracing — enable it in production and set up cost alerts.

Watch out for: LangChain’s default AgentExecutor gives agents access to all tools passed at initialization. Use allowed_tools parameter or switch to LangGraph where tool access is explicit per node.

CrewAI

CrewAI’s role-based architecture maps naturally to the least privilege model: each agent (Crew member) gets its own tool set and role description. Use the max_iter parameter to prevent runaway execution loops (Control 15). For multi-agent security, CrewAI’s delegation mechanism must be constrained — a researcher agent should not be able to delegate to a writer agent that has database access.

Watch out for: CrewAI allows agents to delegate tasks to each other by default. Set allow_delegation=False on agents that should not delegate, and define explicit delegation paths for those that should.

AutoGen

AutoGen’s conversation-based multi-agent pattern requires careful attention to message-level security. All inter-agent messages flow through the conversation manager — implement message filtering at this layer (Control 12, 26). Use max_consecutive_auto_reply to limit autonomous execution depth. For identity, assign each AssistantAgent a unique system message and credentials — don’t reuse configurations.

Watch out for: AutoGen’s UserProxyAgent with code_execution_config enabled can execute arbitrary code by default. In production, either disable code execution or sandbox it in a container with no network access and minimal file system permissions.

Download the Checklist

Get the complete 30-point checklist as a printable, shareable document for your team’s security review.

AI Agent Security Checklist 2026

30 controls across 6 domains. Compliance mapping included.

Download Checklist (Markdown/PDF)

What’s Next

This checklist is a point-in-time assessment. Agent security is evolving as fast as agent capabilities. The controls here reflect the threat landscape as of mid-2026 — new attack vectors will emerge as agents gain more autonomy, access more tools, and operate in more complex multi-agent topologies.

For deeper coverage of MCP-specific threats, read our complete guide to MCP security risks and hardening.

Need help implementing these controls across your agent infrastructure? AI Vyuh Security provides agent security assessments, red teaming, and implementation support. Get in touch.

Built by AI Vyuh — securing the AI agent economy.

This checklist covers the security layer, but production AI agents face quality and cost risks too. The AI-generated code quality crisis explains the five failure patterns we see in AI-written codebases — from hardcoded secrets to dependency roulette.

Want to validate your checklist results with real data? We scanned our own codebase and found 75 security findings — and that was in a system built by a security team. See what a Code QA scan uncovers in yours.