← All glossary terms
AI Identity4 min read

AI Agent Security Best Practices

A consolidated set of AI agent security best practices covering identity, authorization, prompt safety, monitoring, governance, and incident response.

AI Agent Security Best Practices

A consolidated set of AI agent security best practices, drawn from emerging standards (NIST AI RMF, OWASP LLM Top 10, ISO 42001), platform guidance, and real incident response experience.


1. Identity Foundation

  • Per-agent identity — never share credentials across agents.
  • Federation > managed identity > OAuth client > API key.
  • No hardcoded secrets; secret manager + rotation.
  • Short-lived tokens with audience binding.
  • Dedicated owner per agent (named individuals).
  • Naming convention and tags (env, BU, model, version).

2. Authorization

Tools

  • Explicit allow-list; deny-by-default.
  • Per environment (dev / staging / prod).
  • Tool composition risk analysis.

Data

  • Narrow scopes (tenant, folder, dataset, row, column).
  • No tenant-wide unless intentional.
  • No production data in non-production agents.

Delegation

  • OBO bounded with explicit scopes.
  • Avoid domain-wide delegation.
  • Refresh tokens in secret manager + rotated.

Multi-Agent

  • A2A authentication (mTLS, signed JWT).
  • Audience binding.
  • Output validation between agents.
  • Chain depth and recursion limits.

HITL

  • Sensitive actions require human approval.
  • Enforce at action gateway, not prompt.
  • Strong approver auth (SSO + MFA).
  • Per-action approval IDs (no replay).
  • Quorum for highest-risk actions.

3. Prompt and Input Safety

  • Trusted vs untrusted text separation in prompts.
  • Treat all external content as untrusted (RAG, tool outputs, emails, files, web).
  • Allow-list system instructions.
  • Output validation — schema, sensitive data redaction.
  • Tool output not auto-trusted as instructions.
  • Provenance tagging for retrieved content.
  • Source vetting for RAG corpora.

4. Operational Controls

Sandboxing

  • Containerized / WASM execution.
  • No network access by default; allow-list egress.
  • Read-only / scratch volumes.
  • Time and resource limits.

Containment

  • Per-agent rate limits.
  • Per-agent / per-conversation budgets.
  • Kill switch.
  • Graceful pause.
  • Quick revocation playbook.

Memory / State

  • Per-session, per-tenant isolation.
  • Signed system instructions.
  • No cross-context bleed.

5. Monitoring and Detection

Audit

  • Comprehensive logging: prompts, plans, tool calls, parameters, results, outputs.
  • Centralized log sinks (SIEM).
  • Long retention.
  • Immutable storage.

Anomaly Detection

  • Volume, scope, time patterns.
  • Cost spikes.
  • Unusual tool combinations.
  • Chain depth anomalies.
  • Memory growth.
  • Authentication anomalies.

Cost Controls

  • Per-agent budgets.
  • Per-conversation caps.
  • Alerts on usage spikes.

Posture Tooling

  • Forestall (or similar) for continuous risk-rank.

6. Compliance

Frameworks

  • NIST AI RMF — Govern / Map / Measure / Manage.
  • EU AI Act — risk-tier classification; human oversight on high-risk.
  • ISO 42001 — AI management systems.
  • GDPR / HIPAA / sector regs — data handling.

Mapping

  • Risk classification per agent.
  • Controls mapped to applicable frameworks.
  • Evidence collection automated.
  • Audit-ready.

7. Governance

Inventory

  • Every agent known.
  • Owners assigned.
  • Risk classified.
  • Lifecycle status.

Approval Workflow

  • New agents reviewed before deployment.
  • Significant changes (new tool / data scope) re-reviewed.

Lifecycle

  • Creation → identity → scoping → audit setup → deployment.
  • Change → re-review.
  • Retirement → identity deletion + key revocation + audit archive.

Periodic Review

  • Quarterly minimum; monthly for high-risk; weekly for highest-risk.

AI Policy

  • Formal, socialized.
  • Risk classification.
  • Approval / monitoring / decommissioning.

8. Incident Response

Playbooks

  • Compromised agent.
  • Prompt injection abuse.
  • Runaway loop.
  • Data leak via agent.
  • Credential theft.
  • Cost / DoS attack.

Tabletop Exercises

  • Annually minimum.
  • Cross-functional (Security + Eng + Product + Legal).

Containment Runbooks

  • Disable identity.
  • Revoke tokens.
  • Rotate secrets.
  • Pause workflows.
  • Communicate to stakeholders.

Post-Incident Review

  • Root cause + systemic improvements.
  • Update playbooks; share learnings.

9. Vendor / Supply-Chain

Model Providers

  • Risk assessment per provider.
  • Data handling contracts.
  • Supply-chain integrity (model provenance).

SaaS Agents

  • Vendor risk assessments.
  • Contractual data scoping.
  • SSO + audit integration.
  • Periodic review.

Third-Party MCP / Tool Servers

  • Code review where available.
  • Authentication enforced.
  • Sandboxed execution.

10. Continuous Improvement

Metrics

  • Number of agents.
  • Number with owners.
  • Number with permission models declared.
  • HITL coverage on sensitive actions.
  • Mean time to detect agent anomaly.
  • Mean time to remediate over-permissioning.
  • Compliance evidence completeness.

Reporting

  • Quarterly to leadership.
  • Trend over time as KPI.

Trend-Driven Improvement

  • Identify patterns; address root causes.

Quick Best-Practice Summary

  • Per-agent identity; no hardcoded secrets.
  • Federation / managed identity preferred.
  • Tools / data / delegation least privilege; bounded OBO.
  • HITL on sensitive actions, enforced at gateway.
  • Trusted vs untrusted text separation; outputs untrusted.
  • Sandboxing; rate limits; budgets; chain depth limits.
  • Per-tenant memory isolation.
  • Comprehensive audit + anomaly detection.
  • Risk classification; compliance mapping.
  • Inventory + ownership + lifecycle.
  • Incident playbooks + tabletop exercises.
  • Posture tooling.
  • Quarterly review; trend tracking.

How Forestall Helps

Forestall translates these best practices into continuous, prioritized work across your agentic AI:

  • Posture scoring per agent.
  • Risk-rank findings.
  • Compliance evidence.
  • Trend tracking.

Conclusion

AI agent security best practices span identity, authorization, prompt safety, operational controls, monitoring, compliance, governance, incident response, supply-chain, and continuous improvement. Implement in tiers — start with per-agent identity + least privilege + HITL on sensitive actions + audit + governance — and expand outward. Measure quarterly. With these in place, agentic AI delivers transformative productivity safely.

AI SecurityBest PracticesAI Agent IdentityAI Governance

Implement these best practices and measure progress.

Forestall continuously evaluates your agentic AI against best practices and tracks remediation.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

AI Agent Security Best Practices for 2026 | Forestall