The 2026 AI Agent
Security Checklist
Before deploying any AI agent to production, teams must verify 15 critical security controls: tool call allowlists, credential isolation, budget enforcement, human-in-the-loop gates, audit logging, loop detection, PII scrubbing, prompt injection defenses, output validation, network segmentation, rate limiting, session isolation, compliance evidence, rollback procedures, and incident response runbooks. Missing even one of these controls has caused real-world incidents costing companies millions.
Why This Checklist Matters
AI agents are fundamentally different from traditional applications. They make autonomous decisions, call external APIs, and access systems with minimal human oversight. A single misconfigured agent can burn thousands in minutes, exfiltrate credentials, violate compliance regulations, or cause customer harm. This checklist distills the fifteen most critical controls that stand between you and a production incident.
Each control below includes: what could go wrong if you skip it (a real-world incident), how to implement it technically, and code examples for five key controls. The controls are prioritized: start with the first five (allowlists, vault, budget, human approval, audit logs) and then add the remaining ten based on your risk profile.
15 Critical Security Controls
Tool Call Allowlists
Why It Matters
Without explicit allowlists, a compromised agent can call any API on your network. In 2024, a misconfigured SaaS agent was given access to the entire internal API surface. It called a billing API endpoint it shouldn't have known about and refunded $240K in customer transactions before the incident was caught 8 hours later.
How to Implement
Define every tool, API endpoint, and function each agent can invoke. Use a deny-by-default policy: if a tool is not explicitly whitelisted, the agent cannot call it. Store these policies in a centralized policy engine that intercepts every tool call at runtime.
// SupraWall Policy Definition
const policy = {
agent_id: "sales-assistant-prod",
allowed_tools: [
{ tool: "send_email", max_recipients: 5 },
{ tool: "query_crm", max_records: 100 },
{ tool: "create_ticket", allowed_fields: ["title", "priority", "description"] },
],
denied_tools: ["delete_user", "access_billing", "modify_permissions"],
default_action: "DENY"
};Learn more: AI Agent Guardrails • SupraWall Vault
Credential Isolation (Vault)
Why It Matters
Agents that hold API keys are a single exploit away from exfiltration. A prompt injection in the agent's reasoning can cause it to print the key to logs. Or a malicious tool call can extract the credential. In 2023, a misconfigured LangChain agent logged its own system prompt, which included hardcoded database credentials. Those credentials were indexed by search engines.
How to Implement
Use a secrets vault (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) to store all credentials. At runtime, inject scoped, short-lived credentials directly into tool calls. The agent never holds the raw credential. Use per-agent service accounts with minimum necessary permissions.
// Agent receives short-lived, scoped token at runtime
const tool_result = await execute_tool({
tool: "query_database",
vault_token: "sv-rwR92.p8L2x2..." // 30-min expiration
vault_scope: "sales_database_read_only"
});
// Not this:
// password: "sk-prod-final-2024-xyz" // NEVER hardcodeLearn more: Protecting API Keys • Credential Vault
Budget Enforcement
Why It Matters
An agent in a loop calling expensive APIs can burn thousands per minute. In January 2025, a research lab's agent entered a loop calling GPT-4 Vision on images. It cost $47,000 in 45 minutes before the loop was discovered and halted manually.
How to Implement
Set hard spending caps per agent, per session, and per day. Track real-time spend across all tool calls. When an agent reaches its budget threshold, immediately halt all subsequent tool calls and trigger an alert. This is a circuit breaker, not a soft limit.
// Budget enforcement config
const budget_policy = {
agent_id: "research-analyzer",
daily_budget_cents: 500000, // $5000/day hard cap
per_session_budget_cents: 100000, // $1000/session hard cap
per_call_budget_cents: 10000, // $100 max per tool call
enforcement: "HARD_HALT" // Stops immediately when budget hit
};Learn more: Budget Enforcement • Cost Control Guide
Human-in-the-Loop Gates
Why It Matters
Agents that can take high-risk actions without approval are a liability. A travel booking agent approved a $85,000 luxury hotel booking without human verification. A hiring assistant sent rejection emails to candidates with insulting language because it was never reviewed before sending.
How to Implement
Define high-risk actions: financial transactions, user communication, data modification, external API calls. For these actions, require explicit human approval before execution. Integrate approval workflows with Slack, email, PagerDuty. Track approval/rejection audit trails.
// Human approval gate
const action_policy = {
high_risk_actions: [
{ action: "send_email", approval_required: true },
{ action: "process_payment", approval_required: true },
{ action: "modify_user_data", approval_required: true },
{ action: "query_crm", approval_required: false }
],
approval_channels: ["slack", "email"],
timeout_seconds: 900 // 15 min to approve, then auto-deny
};Learn more: Human-in-the-Loop AI Agents
Immutable Audit Logging
Why It Matters
When incidents happen, you need a tamper-proof record of exactly what the agent did. Log entries that can be modified or deleted offer zero evidentiary value. In regulatory audits (SOC 2, ISO 27001), mutable logs are a critical finding.
How to Implement
Log every tool call with timestamp, agent ID, tool name, input parameters, output, and result status. Use cryptographic chaining or append-only storage so logs cannot be retroactively modified. Include user context and session IDs. Export logs to immutable storage (S3 with object lock, Datadog, Splunk).
// Immutable audit log entry
{
"timestamp": "2026-03-20T14:32:15.234Z",
"session_id": "sess-8f2e9d",
"agent_id": "sales-bot-prod",
"tool": "send_email",
"input": { "recipient": "customer@example.com", "subject": "...", "body": "..." },
"output": { "message_id": "msg-xyz", "status": "sent" },
"status": "ALLOWED",
"prior_hash": "b3a2f1c9...", // Chained to previous entry
"entry_hash": "e8d1a7f2..."
}Learn more: Audit Trail Logging
Infinite Loop Detection
Why It Matters
An agent stuck in a loop calling the same tool repeatedly is one of the fastest ways to burn budget and degrade service. A retrieval-augmented generation (RAG) agent got stuck in a loop re-querying the same documents 847 times trying to find an answer that didn't exist.
How to Implement
Track tool call patterns per session. If the same tool is called with identical or near-identical parameters more than N times in M seconds, trigger a circuit breaker. Options: halt execution, alert human, rollback to last known good state. Implement configurable thresholds based on agent type.
// Loop detection config
const loop_detection = {
enabled: true,
detection_window_seconds: 60,
max_repeated_calls: 5, // Alert if same tool called 5x in 60s
action_on_loop: "HALT_AND_ALERT",
similarity_threshold: 0.95 // 95% parameter similarity = same call
};Learn more: Infinite Loop Detection
PII Scrubbing
Why It Matters
Agent outputs and logs often contain PII that was never intended to be logged. A customer support agent copied an entire customer record into logs, including passport numbers and addresses. These logs were accessible to 50+ employees and had been archived to cold storage for 3 years.
How to Implement
Before logging any agent output, scan for PII patterns: emails, phone numbers, SSNs, credit card numbers, passport numbers, medical data. Redact or hash these values. Use regex patterns and ML-based PII detection. Maintain a list of data fields that are always PII (addresses, IDs, etc.).
// PII scrubbing policy
const pii_scrubbing = {
enabled: true,
patterns: [
/d{3}-d{2}-d{4}/, // SSN
/d{4}[s-]?d{4}[s-]?d{4}[s-]?d{4}/, // Credit card
/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-z]{2,}/, // Email
/d{3}-d{3}-d{4}/, // Phone
],
sensitive_fields: ["address", "ssn", "passport", "driver_license"],
action: "REDACT" // Replace with [REDACTED]
};Learn more: PII Protection for AI Agents
Prompt Injection Defenses
Why It Matters
Prompt injection in tool parameters can cause agents to misbehave. An attacker injected instructions into a knowledge base document. When the agent retrieved that document, it obeyed the injected instructions instead of its original goal.
How to Implement
Detect injection patterns in tool call parameters before execution. Look for: system prompt markers, jailbreak phrases, instruction keywords, encoding attacks (base64, hex). Use both rule-based detection and ML models trained on injection datasets. Quarantine suspicious parameters for human review.
// Prompt injection detection
const injection_defense = {
enabled: true,
detection_methods: ["pattern_matching", "ml_classifier"],
blocked_patterns: [
"ignore previous", "system prompt", "ignore instructions",
"do the opposite", "override your", "disregard"
],
encoded_attack_check: true, // Detect base64, hex, unicode escapes
action: "BLOCK_AND_LOG"
};Learn more: Prompt Injection Defense • Prompt Injection Use Case
Output Validation
Why It Matters
Agents can return malformed, incomplete, or malicious outputs. A scheduling agent returned invalid date formats that broke downstream systems. A content generator returned outputs exceeding size limits, crashing the API.
How to Implement
Define expected output schemas for each tool. Before returning results to the agent or to downstream systems, validate outputs against the schema. Check data types, field presence, size limits, encoding. Reject invalid outputs and trigger an alert.
// Output validation schema
const output_schema = {
tool: "book_meeting",
expected_output: {
type: "object",
properties: {
meeting_id: { type: "string", pattern: "^mtg_[a-z0-9]{8}$" },
scheduled_time: { type: "string", format: "iso8601" },
status: { enum: ["confirmed", "pending", "failed"] }
},
required: ["meeting_id", "scheduled_time", "status"],
maxProperties: 10
}
};Network Segmentation
Why It Matters
An agent running with unrestricted network access can reach internal APIs, databases, and services it shouldn't. A chatbot agent was used to scan the internal network and discover unpatched services.
How to Implement
Restrict agent network access to a whitelist of approved endpoints. Use network policies (security groups, network ACLs) or proxy rules to enforce this. Log all network calls made by agents. For external APIs, use allowlists and rate limits at the network level.
// Network segmentation policy
const network_policy = {
agent_id: "customer-support-bot",
allowed_endpoints: [
{ url: "https://api.crm.internal/", methods: ["GET", "POST"] },
{ url: "https://api.stripe.com/", methods: ["POST"] },
],
blocked_patterns: [
"127.0.0.1",
"10.0.0.0/8", // Internal RFC1918
"**/admin",
"**/.env"
],
proxy_enforcement: true
};Rate Limiting
Why It Matters
Without rate limits, a single misbehaving agent can overwhelm external APIs or internal systems. A RAG agent called the search API 10,000 times in 5 minutes, causing service degradation for all users.
How to Implement
Implement rate limits per agent, per user, and globally. Set limits at both the application level and the API gateway. Use token bucket or sliding window algorithms. Different APIs may have different limits; apply the most restrictive per endpoint.
// Rate limiting rules
const rate_limits = {
per_agent: {
calls_per_minute: 100,
calls_per_hour: 5000
},
per_endpoint: {
"stripe_api": { calls_per_minute: 10 },
"crm_api": { calls_per_minute: 50 },
"search_api": { calls_per_minute: 200 }
},
strategy: "TOKEN_BUCKET",
enforcement: "SOFT_REJECT" // Reject excess calls with 429
};Session Isolation
Why It Matters
Data from one agent session can leak into another if sessions share memory or storage. A multi-tenant SaaS accidentally returned customer B's data in an agent response meant for customer A.
How to Implement
Ensure each agent session has its own isolated context, memory, and temporary storage. Do not share state across sessions. Use separate database transactions for each session. Implement session timeouts and explicit cleanup. Verify isolation in multi-agent scenarios.
// Session isolation
const session_context = {
session_id: "sess-9x2m1k",
user_id: "user-456",
customer_id: "cust-789",
memory: {}, // Isolated to this session
storage_path: "/tmp/session-9x2m1k/",
ttl_seconds: 3600,
cleanup_on_exit: true,
allowed_access: ["session-9x2m1k"] // Can't access other sessions
};EU AI Act Compliance Evidence
Why It Matters
The EU AI Act (Articles 12–14) requires detailed documentation and logging of AI system decisions. Without automated compliance evidence, you cannot prove you meet the requirements. Non-compliance carries fines up to 6% of revenue.
How to Implement
Automatically generate compliance artifacts: action logs, approval records, human override logs, model cards, risk assessments. Track every human-in-the-loop decision and agent action. Export evidence for audits in standardized formats. Update policies as regulations evolve.
// EU AI Act compliance export
const compliance_export = {
regulation: "EU_AI_ACT_2024",
articles: ["12_transparency", "14_human_oversight"],
period: "2026-Q1",
export_data: {
total_agent_actions: 145230,
human_approved_actions: 8932,
human_rejected_actions: 234,
audit_log_entries: 145230,
incident_count: 3,
avg_decision_time_ms: 2340
},
certification: "compliance_evidence_q1_2026.pdf"
};Learn more: EU AI Act Compliance
Rollback Procedures
Why It Matters
When an agent misbehaves and takes harmful actions (sends emails, modifies data, processes payments), you need the ability to undo those actions quickly. A calendar agent scheduled meetings for the wrong times. Without rollback, 200+ meetings had to be manually rescheduled.
How to Implement
Design every high-risk action to be reversible. Before committing state changes, record the original state and the change. Implement rollback endpoints that undo agent actions. For irreversible actions (sending emails), implement approval gates to prevent them in the first place.
// Rollback capability
const action_record = {
action_id: "act-x8f2k1",
tool: "send_email",
state_before: { sent_count: 42, mailbox_size: "2.3GB" },
state_after: { sent_count: 43, mailbox_size: "2.31GB" },
reversible: true,
rollback_endpoint: "/api/rollback/act-x8f2k1",
rollback_deadline_seconds: 86400 // 24 hours to undo
};Incident Response Runbook
Why It Matters
When a production incident happens, your team's response time is critical. Without a pre-defined runbook, response is slow and error-prone. An agent credential leak in 2024 took 14 hours to respond to, even though the team knew the playbook conceptually.
How to Implement
Document a step-by-step incident response playbook. Define escalation paths, notification channels, rollback procedures, communication templates, and post-mortem procedures. Practice the runbook quarterly. Test it with chaos engineering exercises.
// Incident response runbook
const incident_runbook = {
incident_type: "agent_credential_leak",
severity: "P1",
steps: [
{ order: 1, action: "halt_agent", delay_ms: 0 },
{ order: 2, action: "notify_slack", channel: "#security-incidents" },
{ order: 3, action: "rotate_credentials", services: ["crm", "stripe", "db"] },
{ order: 4, action: "export_audit_logs", destination: "s3://security-audit" },
{ order: 5, action: "post_mortem", template: "credential_compromise" }
],
estimated_time_to_respond: 300 // seconds
};Learn more: AI Agent Security Best Practices
Phased Implementation Strategy
Do not try to implement all 15 controls at once. Use a phased approach:
Phase 1: Non-Negotiable (Week 1)
- ✓ Tool Call Allowlists (Control #1)
- ✓ Credential Isolation (Control #2)
- ✓ Budget Enforcement (Control #3)
- ✓ Human-in-the-Loop Gates (Control #4)
- ✓ Immutable Audit Logging (Control #5)
These five controls stop 80% of real-world incidents. Do not deploy to production without them.
Phase 2: High-Risk Coverage (Week 2–3)
- ✓ Infinite Loop Detection (Control #6)
- ✓ PII Scrubbing (Control #7)
- ✓ Prompt Injection Defenses (Control #8)
- ✓ Network Segmentation (Control #10)
Add these if your agents access external APIs, handle sensitive data, or accept user input.
Phase 3: Operational Excellence (Week 4+)
- ✓ Output Validation (Control #9)
- ✓ Rate Limiting (Control #11)
- ✓ Session Isolation (Control #12)
- ✓ EU AI Act Evidence (Control #13)
- ✓ Rollback Procedures (Control #14)
- ✓ Incident Response Runbook (Control #15)
Implement as you scale production deployments and approach regulatory audits.
Common Mistakes to Avoid
Mistake 1: Implementing Controls After an Incident
Do not wait for an incident to implement controls. By then, the damage is already done. A finance company waited until after a $500K unauthorized wire transfer to implement approval gates. Implement all controls before production deployment.
Mistake 2: Soft Limits Instead of Hard Caps
Budget enforcement must be a hard circuit breaker, not a warning. A soft limit that "suggests" the agent stop will be ignored by a misbehaving agent. Use hard caps: when the budget is hit, execution halts immediately.
Mistake 3: Mutable Audit Logs
Logs that can be modified or deleted are useless for compliance and incident forensics. Use cryptographic chaining or append-only storage. In an SOC 2 audit, mutable logs are a finding. Make logs immutable from the start.
Mistake 4: Hardcoding Credentials into Agent Code
Never give agents hardcoded API keys. Use a vault that injects scoped, short-lived credentials at runtime. If an agent is ever compromised, logged, or inspected, the hardcoded credential is exposed to everyone with access to logs.
Mistake 5: Skipping Human Approval for "Low-Risk" Actions
What seems low-risk in engineering can be high-risk in production. Sending a single email seemed low-risk until an agent sent insulting rejection emails to 5,000 job candidates. Require approval for: user communication, data modification, financial transactions, and external API calls.
Regulatory Compliance & This Checklist
This checklist aligns with emerging AI regulations, particularly the EU AI Act (effective 2024–2026):
EU AI Act Article 12 (Transparency)
Covered by: Immutable Audit Logging (#5), EU AI Act Evidence (#13). Your logs and compliance exports provide the transparency Article 12 requires.
EU AI Act Article 14 (Human Oversight)
Covered by: Human-in-the-Loop Gates (#4), Audit Logging (#5). Your approval workflows and decision logs satisfy Article 14's oversight requirements.
SOC 2 Type II (Operational Controls)
Covered by: All 15 controls. Audit logging, role-based access, incident response procedures, and compliance reporting align with SOC 2 requirements.
Why You Need a Purpose-Built Platform
Implementing 15 security controls is theoretically possible in-house, but practically very difficult. Each control has its own implementation surface, testing requirements, and maintenance burden. Framework changes (LangChain updates, OpenAI API versions) can break shims. Regulatory updates require prompt action.
A purpose-built AI agent security platform handles all 15 controls out of the box, updates them as frameworks and regulations evolve, and gives you incident response support when things go wrong. SupraWall is built to implement this exact checklist.
from suprawall.langchain import protect # One line of code. # All 15 controls enabled. secured_agent = protect( my_agent, policy="agentic_ai_security_checklist_2026" )
Key Takeaways
- The 15 controls in this checklist have prevented or mitigated real-world AI agent incidents costing millions. Implement them before deploying to production.
- Start with Phase 1 (allowlists, vault, budget, approval, logs) — these five controls stop 80% of incidents. Add Phase 2 and 3 controls based on your risk profile.
- Budget enforcement must be a hard circuit breaker, not a soft warning. When the budget is hit, the agent halts immediately.
- Credentials must never be hardcoded or held by agents. Use a vault that injects scoped, short-lived credentials at runtime only.
- Human approval gates are not optional for high-risk actions. Even seemingly 'low-risk' actions (sending emails, modifying data) can cause customer harm.
- Audit logs must be immutable and tamper-proof. Mutable logs are a critical finding in SOC 2 audits and offer zero evidentiary value in incidents.
- This checklist aligns with the EU AI Act (Articles 12–14) and SOC 2 Type II. Use it as your compliance baseline.
- Implementing all 15 controls in-house is possible but burdensome. A purpose-built platform handles them automatically, updates as regulations evolve, and provides incident response support.
Related Articles
Pillar Content
What Are AI Agent Guardrails?
Understanding the foundational concept of runtime controls and security guardrails.
Pillar Content
AI Agent Security Best Practices
A complete playbook for securing autonomous agents in production environments.
Feature Guide
SupraWall Vault: Credential Protection
How to isolate credentials and inject scoped secrets at runtime.
Feature Guide
Budget Enforcement & Cost Control
Set hard spending caps and prevent runaway agent costs.
Compliance Guide
EU AI Act Compliance for AI Agents
How this checklist aligns with Articles 12–14 of the EU AI Act.
Decision Guide
Build vs Buy: AI Agent Security
The hidden costs of building these 15 controls in-house.
Implement All 15 Controls
in One Integration
Deploy the 2026 AI Agent Security Checklist with SupraWall. One line of code. All critical controls. Production-ready in minutes.
Try SupraWall Free