# AI Agent Security Checklist 2026

**30 Controls for Production AI Agents**
*AI Vyuh Security — security.aivyuh.com*

---

## How to Use This Checklist

For each control: mark **Done**, **Partial**, or **Not Started**. A production-ready agent system should have all 30 controls at **Done** or **Partial** (with a documented remediation plan for partial items).

---

## Domain 1: Identity & Authentication

| # | Control | Status |
|---|---------|--------|
| 1 | **Agent identity management** — Every agent instance has unique credentials. No shared service accounts across agents. | ☐ Done ☐ Partial ☐ Not Started |
| 2 | **Short-lived tokens** — OAuth 2.0 with automatic rotation. No long-lived API keys. Token TTL ≤ 60 minutes. | ☐ Done ☐ Partial ☐ Not Started |
| 3 | **Human-in-the-loop for privileged actions** — Data deletion, fund transfers, permission changes, and external communications require explicit human approval. | ☐ Done ☐ Partial ☐ Not Started |
| 4 | **Agent-to-agent authentication** — Mutual authentication via mTLS or signed JWTs for all inter-agent communication. | ☐ Done ☐ Partial ☐ Not Started |
| 5 | **Identity audit trail** — All authentication events logged in a tamper-evident, append-only store. | ☐ Done ☐ Partial ☐ Not Started |

**OWASP Mapping:** #7 Identity & Access Mismanagement
**NIST AI RMF:** Govern 1.1, Map 3.1
**EU AI Act:** Art. 9 (Risk Management), Art. 15 (Accuracy & Robustness)
**SOC 2:** CC6.1, CC6.2

---

## Domain 2: Permissions & Least Privilege

| # | Control | Status |
|---|---------|--------|
| 6 | **Tool allowlisting** — Default-deny. Agents can only call explicitly approved tools. Per-agent allowlist reviewed at each deployment. | ☐ Done ☐ Partial ☐ Not Started |
| 7 | **Scope-limited tool permissions** — Minimum required actions per tool. Read-only where possible. | ☐ Done ☐ Partial ☐ Not Started |
| 8 | **No ambient authority** — Agents do not inherit the invoking user's full permissions. Separate permission sets per agent. | ☐ Done ☐ Partial ☐ Not Started |
| 9 | **Resource access boundaries** — Explicit per-agent boundaries for databases, storage, endpoints, and network segments. Enforced at infrastructure level. | ☐ Done ☐ Partial ☐ Not Started |
| 10 | **Escalation controls** — Sensitivity tier system (Tier 1: autonomous, Tier 2: logged + async review, Tier 3: synchronous human approval). Breakglass procedure documented. | ☐ Done ☐ Partial ☐ Not Started |

**OWASP Mapping:** #1 Excessive Agency, #5 Inadequate Sandboxing
**NIST AI RMF:** Map 2.1, Manage 2.1
**EU AI Act:** Art. 9.2 (Risk Mitigation), Art. 14 (Human Oversight)
**SOC 2:** CC6.3, CC6.6

---

## Domain 3: Input/Output Security

| # | Control | Status |
|---|---------|--------|
| 11 | **Prompt injection defenses** — Layered: input scanning, instruction hierarchy, guardrail models, canary tokens. | ☐ Done ☐ Partial ☐ Not Started |
| 12 | **Tool response sanitization** — All tool outputs treated as untrusted. Strip HTML, decode Base64, remove ANSI escapes, flag injection patterns. | ☐ Done ☐ Partial ☐ Not Started |
| 13 | **Output filtering** — PII redaction, code injection prevention, and content policy enforcement before user-facing display. | ☐ Done ☐ Partial ☐ Not Started |
| 14 | **Schema validation on tool inputs** — Strict JSON schema validation on every tool call. Reject malformed, unexpected, or out-of-range payloads. | ☐ Done ☐ Partial ☐ Not Started |
| 15 | **Rate limiting on tool calls** — Per-agent, per-tool, per-time-window limits. Prevents runaway execution and cost overruns. | ☐ Done ☐ Partial ☐ Not Started |

**OWASP Mapping:** #3 Prompt Injection, #4 Unsafe Tool Execution
**NIST AI RMF:** Map 1.1, Manage 3.1
**EU AI Act:** Art. 15.3 (Resilience), Art. 13 (Transparency)
**SOC 2:** CC7.1, CC7.2

---

## Domain 4: Memory & Data

| # | Control | Status |
|---|---------|--------|
| 16 | **Memory isolation** — Separate memory stores per session and per user. No cross-contamination. Explicitly test for leakage. | ☐ Done ☐ Partial ☐ Not Started |
| 17 | **PII handling** — PII detection on memory ingestion. Redaction or encryption at rest. Access controls on retrieval. | ☐ Done ☐ Partial ☐ Not Started |
| 18 | **Context window management** — Sensitive data stripped before entering long-lived contexts. No full context persistence without encryption. | ☐ Done ☐ Partial ☐ Not Started |
| 19 | **Data retention policies** — Defined TTLs for conversation history, RAG embeddings, and tool call logs. Auto-expiry enforced. | ☐ Done ☐ Partial ☐ Not Started |
| 20 | **Memory poisoning detection** — Integrity checks (hash verification, source attribution, anomaly detection) on all memory entries. | ☐ Done ☐ Partial ☐ Not Started |

**OWASP Mapping:** #9 Uncontrolled Resource Consumption
**NIST AI RMF:** Govern 1.3, Map 3.2
**EU AI Act:** Art. 10 (Data Governance), Art. 12 (Record-Keeping)
**SOC 2:** CC6.5, CC8.1

---

## Domain 5: Monitoring & Observability

| # | Control | Status |
|---|---------|--------|
| 21 | **Full tool call logging** — Every tool call logged with complete input/output payloads. Structured JSON with correlation IDs per session. | ☐ Done ☐ Partial ☐ Not Started |
| 22 | **Anomaly detection** — Behavioral baselines established. Alerts on unusual tool sequences, unexpected data access, abnormal execution duration. | ☐ Done ☐ Partial ☐ Not Started |
| 23 | **Cost monitoring per agent** — Real-time token and API cost tracking. Budget thresholds with automatic alerts. | ☐ Done ☐ Partial ☐ Not Started |
| 24 | **Break-glass kill switch** — Halt any agent within seconds. Terminates execution, revokes credentials, alerts security team. Tested regularly. | ☐ Done ☐ Partial ☐ Not Started |
| 25 | **Incident response runbook** — Agent-specific IR covering: detection, containment (kill switch + revocation), investigation (log analysis), remediation, post-incident review. | ☐ Done ☐ Partial ☐ Not Started |

**OWASP Mapping:** #8 Insufficient Logging & Monitoring, #2 Unrestricted Autonomous Operation
**NIST AI RMF:** Measure 2.1, Manage 1.1
**EU AI Act:** Art. 12 (Record-Keeping), Art. 14 (Human Oversight)
**SOC 2:** CC7.1, CC7.3, CC7.4

---

## Domain 6: Multi-Agent & Orchestration

| # | Control | Status |
|---|---------|--------|
| 26 | **Communication security** — All inter-agent communication encrypted (mTLS) and authenticated (signed payloads). No cleartext even on internal networks. | ☐ Done ☐ Partial ☐ Not Started |
| 27 | **Orchestrator privilege boundaries** — Orchestrators delegate tasks, not permissions. Workers cannot have permissions escalated mid-task. Enforced at infrastructure level. | ☐ Done ☐ Partial ☐ Not Started |
| 28 | **Cascade failure isolation** — Circuit breakers between agents. Defined blast radius boundaries. Graceful degradation on agent failure. | ☐ Done ☐ Partial ☐ Not Started |
| 29 | **Shared resource locking** — Distributed locking (optimistic or mutex) for concurrent agent access to databases, file systems, and task queues. | ☐ Done ☐ Partial ☐ Not Started |
| 30 | **Cross-agent audit trail** — Unified distributed tracing (OpenTelemetry) with root span per user request and child spans per agent action. | ☐ Done ☐ Partial ☐ Not Started |

**OWASP Mapping:** #6 Improper Multi-Agent Trust, #10 Supply Chain Vulnerabilities
**NIST AI RMF:** Map 2.3, Govern 1.5
**EU AI Act:** Art. 9 (Risk Management), Art. 15 (Accuracy)
**SOC 2:** CC6.6, CC9.1

---

## Scoring

| Score | Rating | Guidance |
|-------|--------|----------|
| 28-30 Done | **Production Ready** | Proceed with confidence. Schedule quarterly re-assessment. |
| 22-27 Done | **Conditionally Ready** | Address gaps in highest-risk domains first. Acceptable for low-risk agents. |
| 15-21 Done | **Significant Gaps** | Do not deploy to production until critical controls (kill switch, auth, logging) are implemented. |
| < 15 Done | **Not Ready** | Foundational security controls are missing. Start with Domain 1 and Domain 5. |

---

## Framework Quick Reference

### LangChain / LangGraph
- Use explicit `tools` list (never dynamic discovery in prod)
- `allowed_tools` parameter on AgentExecutor
- LangSmith for tracing + cost alerts
- `ConversationBufferMemory` with per-session keys + TTL store

### CrewAI
- Role-based tool assignment per Crew member
- `max_iter` to prevent runaway loops
- `allow_delegation=False` on restricted agents
- Define explicit delegation paths

### AutoGen
- Message filtering at conversation manager layer
- `max_consecutive_auto_reply` for execution depth limits
- Unique system messages + credentials per AssistantAgent
- Disable or sandbox `code_execution_config` in production

---

*Version: 2026-04-07 | AI Vyuh Security | security.aivyuh.com*
*License: Free to use and share with attribution.*