AI Agent Security Review Template
Free checklist from our agentic AI security playbook
A standardized review template to evaluate tools, permissions, approvals, memory, and auditability before any AI agent reaches production.
Instructions
Complete this review for every AI agent before it reaches production. Every team should answer the same core questions. If any section has unanswered items, the agent is not ready for production deployment.
1. Agent Overview
Agent name:
Team / Owner:
Purpose:
Target environment:
Review date:
2. Tool Access and Permissions
- All tools the agent can invoke are explicitly listed and documented
- Tool permissions follow least privilege (no broad "admin" access)
- File system access scoped to specific directories only
- Network access restricted to required endpoints
- Database access limited to specific tables/operations
- No ability to escalate its own permissions
- Tool allow-list enforced (agent cannot discover and use new tools)
3. Approval and Human-in-the-Loop
- High-impact actions require human approval before execution
- Approval thresholds defined (cost, data sensitivity, irreversibility)
- Approval workflow has a timeout (no indefinite pending actions)
- Agent cannot bypass approval by rephrasing or chaining actions
- Fallback behavior defined when approval is denied or times out
- Escalation path defined for edge cases the agent cannot handle
4. Memory and Context
- Memory scope defined (session-only, persistent, shared)
- Sensitive data excluded from long-term memory
- Memory contents auditable and deletable
- Cross-session memory cannot be poisoned by adversarial inputs
- Context window limits enforced to prevent prompt injection via history
- RAG sources validated and access-controlled
5. Input and Output Controls
- User inputs sanitized before reaching the agent
- Prompt injection defenses in place (input filtering, output validation)
- Agent outputs validated before taking effect (no blind execution)
- PII and sensitive data filtered from agent responses
- Output format constrained to expected schemas where possible
- Error messages do not leak system internals or prompt content
6. Auditability and Logging
- Every agent action logged with timestamp, identity, and result
- Tool invocations logged with full parameters and responses
- Approval decisions and overrides recorded
- Logs tamper-resistant and retained per compliance requirements
- Alerts configured for anomalous behavior patterns (unusual tool usage, volume spikes)
- Post-incident replay possible from logs
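The controls in sections 2, 3 and 6 (tool allow-list, argument scoping, approval with a fail-closed timeout, and a structured audit record for every call) fit naturally into one enforcement point in front of the agent's tool calls. The following is an added Python example, not code from the playbook; WORKSPACE, TOOL_POLICY and the approver callback are constructed assumptions.

```python
import json
import os
import time

WORKSPACE = "/srv/agent/workspace"  # constructed: the only directory the agent may read

# Constructed allow-list. Anything not listed here is denied outright (the agent
# cannot discover new tools); high-tier tools also need a human approval decision.
# Scope checks keep each tool at least privilege: path prefix, table name, mail domain.
TOOL_POLICY = {
    "read_file": {"tier": "low",
                  "in_scope": lambda a: os.path.normpath(a.get("path", "")).startswith(WORKSPACE + "/")},
    "send_email": {"tier": "high",
                   "in_scope": lambda a: a.get("to", "").endswith("@example.com")},
    "delete_rows": {"tier": "high", "in_scope": lambda a: a.get("table") == "reports"},
}


class ToolGate:
    """Allow-list + scope + approval gate that writes one audit record per decision and result."""

    def __init__(self, approver, timeout_s=30):
        self.approver = approver   # (identity, tool, args, timeout_s) -> True / False / None on timeout
        self.timeout_s = timeout_s
        self.audit = []            # JSON lines; ship to append-only storage in production

    def _log(self, **event):
        event["ts"] = time.time()
        self.audit.append(json.dumps(event, sort_keys=True, default=str))

    def _decide(self, identity, tool, args):
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return "denied: tool not on allow-list"
        if not policy["in_scope"](args):   # normpath folds "..", so traversal out of WORKSPACE fails
            return "denied: argument outside permitted scope"
        if policy["tier"] == "high":
            decision = self.approver(identity, tool, args, self.timeout_s)
            if decision is None:
                return "denied: approval timed out"   # fail closed: no indefinitely pending action
            if decision is False:
                return "denied: approval rejected"
        return "allow"

    def invoke(self, identity, tool, args, impl):
        verdict = self._decide(identity, tool, args)
        self._log(identity=identity, tool=tool, args=args, verdict=verdict)
        if verdict != "allow":
            return {"ok": False, "reason": verdict}
        result = impl(**args)   # only reached after allow-list, scope and approval all pass
        self._log(identity=identity, tool=tool, result=result)
        return {"ok": True, "result": result}
```

The normpath check is lexical only; on a real host, resolve symlinks with os.path.realpath before comparing.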
7. Deployment and Lifecycle
- Agent deployed through standard CI/CD with code review
- Agent version pinned and rollback plan documented
- Kill switch available to disable the agent immediately
- Regular review cadence scheduled (quarterly or after incidents)
- Model updates tested in staging before production deployment
Review Decision
Decision:
Conditions:
Reviewer:
Next review:
Full article: How to Secure Agentic AI Applications: The 2026 Playbook