Agentic AI Security Checklist — Tech Jacks Solutions

Based on CSA MAESTRO, OWASP Agentic Security Initiative, and MITRE ATLAS frameworks

Version 1.0 | 39 Threat Controls | 7 MAESTRO Layers

L1 Foundation Model

Controls for the underlying LLM reasoning engine, training integrity, and inference security.

  • Verify data provenance with cryptographic attestation for all training and fine-tuning datasets.
    Defends: Training Data Poisoning | MITRE AML.T0020, OWASP LLM04
  • Implement rate limiting and query pattern monitoring on model endpoints to prevent model extraction.
    Defends: Model Theft and Extraction | MITRE AML.T0024, OWASP LLM10
  • Deploy hallucination detection models on agent outputs with multi-source fact validation before committing to memory.
    Defends: Cascading Hallucination Attacks | MITRE AML.T0048, OWASP LLM09
  • Enforce input/output boundary separation between instructions and data, with content sanitization on all ingested sources.
    Defends: Prompt Injection via Indirect Channels | MITRE AML.T0051, OWASP LLM01
  • Conduct red-team evaluations focused on deception detection, behavioral consistency, and mandatory human confirmation gates for high-risk actions.
    Defends: Misaligned and Deceptive Behaviors | MITRE AML.T0043, OWASP LLM09

L2 Data & Knowledge

Controls for RAG pipelines, vector databases, knowledge bases, and persistent memory stores.

  • Implement session isolation preventing cross-user memory contamination, with cryptographic validation and rollback mechanisms for long-term stored data.
    Defends: Memory Poisoning | MITRE AML.T0018, OWASP LLM04/LLM08
  • Deploy permission-aware vector databases with access control on document ingestion and continuous monitoring for embedding drift.
    Defends: RAG Knowledge Base Poisoning | MITRE AML.T0018, OWASP LLM08
  • Enable cross-session activity correlation with persistent security state tracking independent of conversation context.
    Defends: Context Window Exploitation | MITRE AML.T0043, OWASP LLM01
  • Enforce write-access controls with approval workflows for shared memory modifications, plus multi-agent consensus validation.
    Defends: Shared Memory Cross-Contamination | MITRE AML.T0018, OWASP LLM04
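The first L2 control (session isolation, cryptographic validation, rollback for stored memory) can be shown in a small memory service. This is an added example, not code from the checklist or from Tech Jacks Solutions. It assumes the memory service holds its own HMAC tag key, that the session id comes from the authenticated caller rather than from the agent, and that an agent only ever receives a handle pre-bound to one session; the session names and stored values are constructed:

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple


class MemoryIntegrityError(Exception):
    """A stored value no longer matches its authentication tag."""


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class MemoryStore:
    """Versioned key/value memory. Every value carries an HMAC tag bound to
    (session, key, version), so a record edited in place or copied into
    another session's slot fails verification. The tag key belongs to the
    memory service, never to the agent."""

    def __init__(self, tag_key: bytes):
        self._key = tag_key
        self._data: Dict[Tuple[str, str], List[dict]] = {}

    def _tag(self, session: str, key: str, version: int, value: Any) -> str:
        msg = _canonical({"s": session, "k": key, "v": version, "value": value})
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def handle(self, session: str) -> "SessionHandle":
        """The only entry point for agents: a handle fixed to one session id
        that the authenticated caller established (assumption of this example)."""
        return SessionHandle(self, session)

    def _write(self, session: str, key: str, value: Any) -> int:
        versions = self._data.setdefault((session, key), [])
        version = len(versions)
        versions.append({"value": value, "tag": self._tag(session, key, version, value)})
        return version

    def _read(self, session: str, key: str) -> Any:
        versions = self._data.get((session, key))
        if not versions:
            raise KeyError(key)
        version = len(versions) - 1
        rec = versions[version]
        expected = self._tag(session, key, version, rec["value"])
        if not hmac.compare_digest(rec["tag"], expected):
            raise MemoryIntegrityError(f"{key!r} in session {session!r} failed tag check")
        return rec["value"]

    def _rollback(self, session: str, key: str, to_version: int) -> Any:
        """Discard every version newer than to_version and return the survivor."""
        versions = self._data.get((session, key))
        if not versions or not 0 <= to_version < len(versions):
            raise KeyError(key)
        del versions[to_version + 1:]
        return self._read(session, key)


class SessionHandle:
    def __init__(self, store: MemoryStore, session: str):
        self._store = store
        self.session = session

    def write(self, key: str, value: Any) -> int:
        return self._store._write(self.session, key, value)

    def read(self, key: str) -> Any:
        return self._store._read(self.session, key)

    def rollback(self, key: str, to_version: int) -> Any:
        return self._store._rollback(self.session, key, to_version)


def read_or_error(handle: SessionHandle, key: str) -> Tuple[str, Any]:
    """Classify a read as ("ok", value), ("missing", key) or ("corrupt", reason)."""
    try:
        return ("ok", handle.read(key))
    except KeyError as exc:
        return ("missing", exc.args[0])
    except MemoryIntegrityError as exc:
        return ("corrupt", str(exc))


# The two helpers below simulate faults in the backing datastore (a bug or a
# compromised component writing around the service), so the checks can be seen firing.
def simulate_direct_edit(store: MemoryStore, session: str, key: str, value: Any) -> None:
    store._data[(session, key)][-1]["value"] = value


def simulate_cross_session_copy(store: MemoryStore, src: str, key: str, dst: str) -> None:
    store._data[(dst, key)] = [dict(r) for r in store._data[(src, key)]]
```

Because the tag covers the session id, a record that leaks from one session into another is rejected on read even though its bytes are internally consistent, and rollback restores an earlier tagged version rather than trusting whatever is newest.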

L3 Agent Architecture

Controls for orchestration, planning engines, reasoning chains, and multi-agent coordination.

  • Enforce cryptographic message authentication for all inter-agent communications with role-based communication restrictions.
    Defends: Agent Communication Poisoning | MITRE AML.T0043, OWASP LLM04
  • Deploy continuous behavioral monitoring with baseline deviation alerting and regular AI red teaming exercises on multi-agent trust boundaries.
    Defends: Rogue Agents in Multi-Agent Systems | MITRE AML.T0043, OWASP LLM08
  • Implement immutable workflow definitions with cryptographic signing and task routing validation against predefined delegation policies.
    Defends: Orchestration Hijacking | MITRE AML.T0043, OWASP LLM08
  • Set maximum depth limits on reflection and self-critique cycles with timeout enforcement and resource consumption circuit breakers.
    Defends: Reflection Loop Exploitation | MITRE AML.T0043, OWASP LLM10
  • Enforce task segmentation preventing cross-agent privilege escalation with delegation depth limits and inter-agent bidirectional authentication.
    Defends: Human Attacks on Multi-Agent Systems | MITRE AML.T0043, OWASP LLM08
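The message-authentication and role-restriction controls in L3 (authenticated inter-agent messages, routing validated against a delegation policy, bidirectional authentication) come together in one receive-side check. The following is an added example, not code from the checklist or from Tech Jacks Solutions. The role names, the ALLOWED_ROUTES policy and the shared-key registry are assumptions for illustration; a deployment would issue per-pair keys from its secrets manager (or use signatures over a PKI) rather than embed them:

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed delegation policy (assumption): (sender role, receiver role)
# pairs that may communicate. Anything not listed is refused.
ALLOWED_ROUTES = {
    ("planner", "executor"),
    ("executor", "planner"),
    ("planner", "reviewer"),
}


class AgentIdentity:
    """An agent's name, role, and the secret it authenticates messages with."""

    def __init__(self, name: str, role: str, key: bytes):
        self.name = name
        self.role = role
        self.key = key


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so both sides MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(sender: AgentIdentity, receiver: str, payload: dict,
                 now: Optional[float] = None) -> dict:
    """Build an envelope whose MAC covers sender, claimed role, receiver,
    nonce, timestamp and payload, so none of them can be altered in transit."""
    body = {
        "from": sender.name,
        "role": sender.role,
        "to": receiver,
        "nonce": secrets.token_hex(16),
        "ts": time.time() if now is None else now,
        "payload": payload,
    }
    mac = hmac.new(sender.key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Receiver:
    """Verifies inbound envelopes before any payload reaches the agent's reasoning."""

    def __init__(self, identity: AgentIdentity,
                 peers: Dict[str, Tuple[bytes, str]], max_skew: float = 30.0):
        self.identity = identity
        self.peers = peers          # peer name -> (shared key, registered role)
        self.max_skew = max_skew    # seconds of clock drift tolerated
        self.seen_nonces = set()    # replay cache; bound it by TTL in production

    def verify(self, envelope: dict, now: Optional[float] = None) -> dict:
        body = envelope["body"]
        peer = self.peers.get(body["from"])
        if peer is None:
            raise PermissionError("unknown sender")
        key, registered_role = peer
        # 1. Authenticity and integrity, compared in constant time.
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            raise PermissionError("MAC mismatch")
        # 2. Addressing: a message meant for another agent is not accepted here.
        if body["to"] != self.identity.name:
            raise PermissionError("not addressed to this agent")
        # 3. Role binding: claimed role must match the registry, and the
        #    (sender role, receiver role) pair must be an allowed route.
        if body["role"] != registered_role:
            raise PermissionError("role claim does not match registry")
        if (registered_role, self.identity.role) not in ALLOWED_ROUTES:
            raise PermissionError("route not permitted by policy")
        # 4. Freshness and replay protection.
        now = time.time() if now is None else now
        if abs(now - body["ts"]) > self.max_skew:
            raise PermissionError("message outside freshness window")
        if body["nonce"] in self.seen_nonces:
            raise PermissionError("replayed nonce")
        self.seen_nonces.add(body["nonce"])
        return body["payload"]


def rejection_reason(receiver: Receiver, envelope: dict,
                     now: Optional[float] = None) -> Optional[str]:
    """For logging and tests: why a message was refused, or None if accepted."""
    try:
        receiver.verify(envelope, now=now)
        return None
    except PermissionError as exc:
        return str(exc)
```

The order of checks matters for what ends up in the logs: an unauthenticated message never gets as far as the policy check, so a flood of forged envelopes shows up as MAC failures from a specific sender name rather than as policy noise. Each agent runs both sides (signs what it sends, verifies what it receives), which is the bidirectional authentication the last control asks for.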

L4 Tool & API Integration

Controls for function calling, external APIs, MCP connections, code generation, and identity boundaries.

  • Implement strict tool access control with function-level authentication, execution sandboxes, and just-in-time access granting.
    Defends: Tool Misuse and Excessive Agency | OWASP LLM08/LLM03
  • Enforce granular RBAC/ABAC with dynamic access validation, down-scoped agent privileges, and time-based restrictions on privilege elevation.
    Defends: Privilege Compromise via Dynamic Permissions | OWASP LLM08
  • Mandate sandboxing of all AI-generated code execution with human review gates for elevated-privilege code and restrictive allowlisted operations.
    Defends: Unexpected Remote Code Execution | OWASP LLM01/LLM05
  • Enforce MCP server allowlisting with cryptographic identity verification and tool description integrity validation against known-good manifests.
    Defends: MCP Compositional Risk | OWASP LLM08/LLM03
  • Apply a zero-trust model for all agent access with strict NHI token scoping to minimum required permissions and session-based oversight.
    Defends: Confused Deputy via Non-Human Identity | OWASP LLM08
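The MCP control above (server allowlisting plus tool-description integrity checked against a known-good manifest) can be implemented by pinning a hash of each reviewed tool definition and refusing anything that differs at connection time. The following is an added example, not code from the checklist or from Tech Jacks Solutions. It assumes tool listings use the MCP fields name, description and inputSchema, that the manifest store is writable only through the review process, and that transport-level identity of the server (for example mTLS) is handled separately; the server name and the two tool definitions are constructed:

```python
import copy
import hashlib
import json
from typing import Dict, List, Tuple


class ToolIntegrityError(Exception):
    """Raised when a server or tool fails the allowlist or integrity check."""


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON, so key order cannot change the digest."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_manifest(server_name: str, reviewed_tools: List[dict]) -> dict:
    """Pin every reviewed tool definition (name, description, input schema)
    at review time. The result is stored outside the agent's reach."""
    return {
        "server": server_name,
        "tools": {t["name"]: canonical_hash(t) for t in reviewed_tools},
    }


def validate_advertised_tools(server_name: str, advertised: List[dict],
                              manifests: Dict[str, dict]) -> List[str]:
    """Compare what a server advertises now with its known-good manifest.
    Returns the tool names accepted for use; raises on any deviation, so a
    description that changed after review (a silent re-definition) is never
    handed to the model."""
    manifest = manifests.get(server_name)
    if manifest is None:
        raise ToolIntegrityError(f"server {server_name!r} is not allowlisted")
    pinned = manifest["tools"]
    accepted = []
    for tool in advertised:
        name = tool.get("name")
        if name not in pinned:
            raise ToolIntegrityError(f"tool {name!r} was not reviewed for this server")
        if canonical_hash(tool) != pinned[name]:
            raise ToolIntegrityError(f"tool {name!r} definition changed since review")
        accepted.append(name)
    return sorted(accepted)


# Constructed sample: the tool list captured during a security review.
REVIEWED_TOOLS = [
    {
        "name": "read_file",
        "description": "Read a UTF-8 text file from the project workspace.",
        "inputSchema": {"type": "object",
                        "properties": {"path": {"type": "string"}},
                        "required": ["path"]},
    },
    {
        "name": "search_docs",
        "description": "Full-text search over the internal documentation index.",
        "inputSchema": {"type": "object",
                        "properties": {"query": {"type": "string"}},
                        "required": ["query"]},
    },
]
KNOWN_GOOD = {"docs-server": build_manifest("docs-server", REVIEWED_TOOLS)}


def check_or_reason(server_name: str, advertised: List[dict],
                    manifests: Dict[str, dict] = KNOWN_GOOD) -> Tuple[str, object]:
    """Return ("ok", accepted names) or ("rejected", reason) for logging and tests."""
    try:
        return ("ok", validate_advertised_tools(server_name, advertised, manifests))
    except ToolIntegrityError as exc:
        return ("rejected", str(exc))


def reissued(tools: List[dict], name: str, **changes) -> List[dict]:
    """Deep-copy a tool list with one tool's fields altered (simulates a server
    advertising a different definition than the one that was reviewed)."""
    out = copy.deepcopy(tools)
    for tool in out:
        if tool["name"] == name:
            tool.update(changes)
    return out
```

A server advertising a subset of its reviewed tools is accepted (the manifest is an upper bound, not a required set); a superset, a changed description, or a changed input schema is rejected before the model ever sees the tool text.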

L5 Deployment & Infrastructure

Controls for runtime environments, containers, compute resources, and operational boundaries.

  • Set resource consumption quotas per agent session with auto-suspension, rate limiting on API calls, and cumulative tracking across multi-agent fleets.
    Defends: Resource Overload and Unbounded Consumption | OWASP LLM10
  • Deploy hardened container runtimes (distroless images) with kernel-level isolation (gVisor/Kata) and seccomp profiles restricting system calls.
    Defends: Container and Sandbox Escape | MITRE AML.T0043
  • Enforce cryptographic identity verification with behavioral profiling and mutual authentication for all agent-to-agent interactions.
    Defends: Identity Spoofing and Impersonation | OWASP LLM08
  • Implement agent registration and inventory management with runtime discovery scanning for unauthorized (shadow) agent instances.
    Defends: Shadow Agent Deployment | OWASP LLM08
  • Use secrets management systems (Vault, AWS Secrets Manager) with short-lived auto-rotating credentials and credential isolation per agent.
    Defends: Credential and Secret Exposure | OWASP LLM08
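Two controls on this list share one mechanism: the L3 control on reflection-loop depth limits, timeouts and circuit breakers, and the first L5 control on per-session quotas with auto-suspension, rate limiting and fleet-wide cumulative tracking. The following is an added example that covers both; it is not code from the checklist or from Tech Jacks Solutions. The limit values, the ManualClock used for deterministic tests, and the FleetQuota aggregation across sessions are assumptions for illustration:

```python
import time
from collections import deque
from typing import Callable, Dict, Optional


class BudgetExceeded(Exception):
    """Raised when a session trips any limit; the session stays suspended afterwards."""


class ManualClock:
    """Deterministic clock for tests and replay; production passes time.monotonic."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionBudget:
    """Per-session limits: reflection rounds, wall clock, call rate, cumulative calls."""

    def __init__(self, max_reflection_rounds: int, max_seconds: float,
                 max_calls_per_window: int, window_seconds: float,
                 max_total_calls: int, clock: Callable[[], float] = time.monotonic):
        self.max_reflection_rounds = max_reflection_rounds
        self.max_seconds = max_seconds
        self.max_calls_per_window = max_calls_per_window
        self.window_seconds = window_seconds
        self.max_total_calls = max_total_calls
        self.clock = clock
        self.started = clock()
        self.reflection_rounds = 0
        self.recent_calls = deque()          # timestamps inside the sliding window
        self.total_calls = 0
        self.suspended_reason: Optional[str] = None

    def suspend(self, reason: str) -> None:
        """Circuit breaker: once tripped, every further request is refused."""
        self.suspended_reason = reason
        raise BudgetExceeded(reason)

    def _check_live(self) -> None:
        if self.suspended_reason is not None:
            raise BudgetExceeded(f"session suspended: {self.suspended_reason}")
        if self.clock() - self.started > self.max_seconds:
            self.suspend("wall-clock timeout")

    def begin_reflection_round(self) -> int:
        """Call at the top of each self-critique or re-plan iteration."""
        self._check_live()
        self.reflection_rounds += 1
        if self.reflection_rounds > self.max_reflection_rounds:
            self.suspend("reflection depth limit")
        return self.reflection_rounds

    def record_tool_call(self) -> int:
        """Call before each tool/API invocation; enforces rate and cumulative quota."""
        self._check_live()
        now = self.clock()
        while self.recent_calls and now - self.recent_calls[0] >= self.window_seconds:
            self.recent_calls.popleft()
        if len(self.recent_calls) >= self.max_calls_per_window:
            self.suspend("rate limit")
        self.recent_calls.append(now)
        self.total_calls += 1
        if self.total_calls > self.max_total_calls:
            self.suspend("cumulative call quota")
        return self.total_calls


class FleetQuota:
    """Cumulative tracking across sessions, so many small sessions cannot add up
    to unbounded consumption for one multi-agent fleet."""

    def __init__(self, max_fleet_calls: int):
        self.max_fleet_calls = max_fleet_calls
        self.sessions: Dict[str, SessionBudget] = {}

    def register(self, session_id: str, budget: SessionBudget) -> None:
        self.sessions[session_id] = budget

    def fleet_calls(self) -> int:
        return sum(b.total_calls for b in self.sessions.values())

    def record_tool_call(self, session_id: str) -> int:
        budget = self.sessions[session_id]
        if self.fleet_calls() >= self.max_fleet_calls:
            budget.suspend("fleet-wide call quota")
        return budget.record_tool_call()


def attempt(action: Callable[[], object]) -> Optional[str]:
    """Run one budgeted action; return the refusal reason, or None on success."""
    try:
        action()
        return None
    except BudgetExceeded as exc:
        return str(exc)
```

The agent loop calls begin_reflection_round() and record_tool_call() as gates rather than as metrics: the first refusal suspends the session, and the suspension reason is what the monitoring layer should alert on, since a legitimate task rarely hits a depth or rate limit without something upstream having gone wrong.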

L6 Monitoring & Observability

Controls for logging, traceability, alert integrity, and human oversight capacity.

  • Deploy comprehensive logging with cryptographic signing and enriched metadata capturing full reasoning chains and tool invocation sequences.
    Defends: Repudiation and Untraceability | OWASP LLM08
  • Implement write-once, append-only log storage with separation of logging infrastructure from agent execution environments.
    Defends: Log Tampering and Evidence Destruction | MITRE AML.T0043
  • Deploy multi-layer detection combining rule-based and ML-based anomaly detection with canary operations to verify monitoring pipeline integrity.
    Defends: Alert Suppression and Monitoring Evasion | MITRE AML.T0043
  • Implement AI trust scoring to prioritize HITL review queues by risk level with adaptive workload distribution across human reviewers.
    Defends: Overwhelming Human-in-the-Loop | OWASP LLM08
  • Enable chain-of-thought logging capturing intermediate reasoning states with reasoning path comparison against expected decision patterns.
    Defends: Observability Gap in Reasoning Chains | MITRE AML.T0043
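The first, second and last L6 controls (signed logs with reasoning and tool-call metadata, append-only storage separated from the agent, chain-of-thought capture) can be combined in a hash-chained, HMAC-signed audit log whose verifier detects edits, deletions, re-signing with a different key, and truncation. The following is an added example, not code from the checklist or from Tech Jacks Solutions. It assumes the signing key is held by a logging service the agent cannot reach, that the latest chain head is published out of band, and the logged agent names and events are constructed:

```python
import hashlib
import hmac
import json
import time
from typing import Callable, List, Optional, Tuple

GENESIS = "0" * 64
RECORD_FIELDS = ("seq", "ts", "prev", "agent", "step", "detail")


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class SignedAuditLog:
    """Append-only, hash-chained log. The signing key lives with the logging
    service (assumption), never with the agent, so an agent cannot forge or
    re-sign entries even if it can read them."""

    def __init__(self, signing_key: bytes, clock: Callable[[], float] = time.time):
        self._key = signing_key
        self._clock = clock
        self._entries: List[dict] = []
        self._head = GENESIS

    def append(self, agent: str, step: str, detail: dict) -> dict:
        record = {
            "seq": len(self._entries),
            "ts": self._clock(),
            "prev": self._head,      # links this entry to its predecessor
            "agent": agent,
            "step": step,            # e.g. "reasoning", "tool_call", "tool_result"
            "detail": detail,        # intermediate reasoning, tool name and arguments
        }
        digest = hashlib.sha256(_canonical(record)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {**record, "hash": digest, "sig": sig}
        self._entries.append(entry)
        self._head = digest
        return entry

    def head(self) -> str:
        """Latest hash; publishing it out of band makes truncation detectable."""
        return self._head

    def export(self) -> List[dict]:
        """Read-only view for analysts; copies keep the store itself untouched."""
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[dict], signing_key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, otherwise (False, index of the
    first bad entry). An index equal to len(entries) means every entry checks
    out but the chain is shorter than the published head: truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: e[k] for k in RECORD_FIELDS}
        digest = hashlib.sha256(_canonical(record)).hexdigest()
        if e["seq"] != i or e["prev"] != prev or e["hash"] != digest:
            return False, i
        sig = hmac.new(signing_key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, e["sig"]):
            return False, i
        prev = digest
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None
```

Because each entry's hash covers the previous hash, changing a reasoning step or a tool argument breaks every later link as well, and removing an entry from the middle shows up as a sequence gap at the point of removal; the verifier reports the first index where the chain stops agreeing, which is also where an investigation should start.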

L7 Governance & Compliance

Controls for audit trails, policy enforcement, behavioral documentation, and regulatory alignment.

  • Deploy automated compliance reporting aligned to NIST AI RMF and ISO 42001 with continuous audit trail completeness monitoring.
    Defends: Audit Trail Gaps and Compliance Violations | NIST AI RMF, ISO 42001, EU AI Act
  • Implement semantic policy enforcement using intent classification (not keyword matching) with action-chain analysis detecting prohibited outcomes.
    Defends: Policy Bypass and Governance Evasion | OWASP LLM08
  • Mandate BBOM creation and maintenance for all deployed agents with automated capability discovery and regular accuracy audits.
    Defends: Behavioral Documentation Deficit (BBOM Gaps)
  • Implement agent behavior monitoring with guardrails and moderation APIs, restricting agent capabilities for high-risk user-facing actions.
    Defends: Human Manipulation via Agent Trust | OWASP LLM09
  • Maintain a governance crosswalk mapping that identifies gaps between NIST, ISO, and EU AI Act coverage, with supplementary agent-specific controls.
    Defends: Cross-Framework Governance Gaps