AI Agent Identity Security Checklist
A practical, prioritized AI agent identity security checklist covering identity, authorization, prompt safety, monitoring, governance, and recovery.
AI Agent Identity Security Checklist
A practical, prioritized checklist for hardening AI agent identity security. Score each item, focus on highest-impact first, re-score quarterly.
1. Discovery and Inventory
- All AI agents inventoried (SaaS, custom, MCP, vendor integrations).
- Continuous discovery in place (OAuth grants, network egress, cost monitoring).
- Each agent has a named owner.
- Each agent has documented purpose.
- Each agent has risk classification (Tier 0–4).
2. Identity
- Per-agent identity (no sharing).
- Federation / managed identity preferred over OAuth client / API key.
- No hardcoded secrets in code or configs.
- Secrets in secret manager (Key Vault / Secrets Manager / GCP Secret Manager).
- Secret rotation automated.
- Short-lived tokens (≤ 1 hour where possible).
- Audience binding on tokens.
- Service account keys minimized; Workload Identity Federation used.
3. Authorization — Tools
- Tool allow-list explicit per agent.
- Tool composition risk analyzed.
- Per-environment tools (dev / staging / prod scoped).
- Sandboxed tool execution.
4. Authorization — Data
- Data scopes narrow (tenant / folder / table / row / column).
- No tenant-wide access unless intentional.
- No production data in non-production agents.
- Sensitive columns masked.
5. Delegation
- OBO scopes bounded per use case.
- No
*.Allscopes. - Domain-wide delegation avoided / tightly governed.
- Refresh tokens in secret manager + rotated.
- Audit attribution preserved (user + agent).
6. Multi-Agent
- A2A authentication (mTLS / signed JWT / OAuth).
- Audience binding.
- Explicit allow-list of A2A relationships.
- Output validation between agents.
- Chain depth limit.
- Recursion detection.
7. Human-in-the-Loop
- Sensitive action categories defined per agent.
- HITL enforced at action gateway (not prompt).
- Threshold / risk-score model for HITL.
- Approver SSO + MFA.
- Per-action approval IDs (no replay).
- Quorum for highest-risk actions.
- Approval audit logged.
- Approver fatigue monitored.
8. Prompt and Input Safety
- Trusted vs untrusted text separation in system prompts.
- All external content treated as untrusted.
- Tool outputs not executed as instructions.
- RAG sources vetted; provenance tagged.
- Output validation (schema, sensitive data redaction).
- Output content filters for secret leakage.
9. Memory and State
- Per-session memory isolation.
- Per-tenant memory isolation.
- Signed system instructions.
- No cross-context bleed (tested in CI).
10. Operational Controls
- Per-agent rate limits.
- Per-agent / per-conversation budget caps.
- Token budget per session.
- Kill switch ready.
- Graceful pause supported.
- Network egress controlled (allow-list).
11. Monitoring
- Comprehensive logging (prompts, plans, tool calls, parameters, results).
- Logs centralized to SIEM.
- Long retention (≥ 1 year).
- Immutable log storage.
- Anomaly detection live (volume, scope, time, cost, chain).
- Cost alerts.
12. Compliance
- Risk classification mapped to framework (NIST AI RMF / EU AI Act / ISO 42001).
- Controls per tier documented.
- Evidence collection automated.
- Audit-ready.
13. Governance
- AI policy formal + socialized.
- Approval workflow for new agents.
- Re-review on significant change (new tool, new data).
- Quarterly review on Tier 1+ agents (more for higher tiers).
- Decommissioning playbook.
- Joiner / mover / leaver process for agent owners.
14. Incident Response
- Playbooks for: compromised agent, prompt injection, runaway loop, data leak, credential theft, cost / DoS.
- Tabletop exercises annually.
- Containment runbook tested.
- Communication plan for agent incidents.
- Post-incident review process.
15. Vendor / Supply-Chain
- Model provider risk assessment.
- SaaS agent vendor reviews.
- Contractual data scoping.
- SSO + audit integration with vendors.
- Periodic review.
16. Continuous Improvement
- Posture tool deployed (Forestall).
- KPI tracking:
- Number of agents inventoried.
- Number with owners.
- Number with permission models.
- HITL coverage on sensitive actions.
- MTTD for agent anomalies.
- MTTR for over-permissioning findings.
- Quarterly leadership reporting.
- Trend over time as KPI.
How to Use This Checklist
- Score each item as Implemented / Partial / Not Started.
- Identify the worst 5–10 in high-impact sections (Identity, Authorization, HITL, Monitoring, Governance).
- Make those this quarter's goals.
- Re-score quarterly.
- Use trend (items implemented over time) as your KPI.
How Forestall Helps
Forestall continuously evaluates these items per agent, ranks findings by impact, and tracks remediation — turning this checklist into measurable agentic AI risk reduction over time.
Conclusion
AI agent identity security has many surfaces, but a small set of high-impact controls (per-agent identity, federation, least-privilege tools / data / delegation, HITL on sensitive actions, comprehensive audit, ownership and lifecycle, anomaly detection) closes most risk for most organizations. Use this checklist as your map; fix the highest-impact items first; and watch your agentic AI risk shrink quarter over quarter while productivity scales.
Turn this checklist into measurable agentic AI risk reduction.
Forestall continuously evaluates AI agent identity security and prioritizes remediation.