AI Agent Security Review Checklist

List every tool the agent can call: shell commands, browsers, file systems, databases, ticket systems, email, calendars, cloud APIs, and deployment tools. A capability map makes hidden risk visible.

For each tool, identify read permissions, write permissions, destructive actions, credential exposure, and whether humans approve actions before execution.

Agents that read webpages, documents, tickets, or emails can encounter malicious instructions embedded in content. Treat external text as untrusted input, even when it appears inside a normal document.

Use explicit tool policies, retrieval boundaries, and review steps for sensitive actions. The model should not be able to override system rules because a webpage asked it to.

A useful audit trail includes prompts, retrieved context, tool calls, files touched, commands run, API calls, approvals, and final outputs. Logs should be searchable when an incident happens.

For engineering agents, keep generated changes in normal version-control workflows. For business automation agents, store enough context to explain why an action was taken.

Begin with read-only access, then limited write access, then scoped automation. Each stage should have rollback instructions and a clear owner.

The goal is not to remove humans from every step. The goal is to reserve human attention for decisions that carry security, financial, legal, or customer trust risk.