AI agent hardening checklists
AI agent hardening checklists are structured, repeatable controls that reduce the attack surface of autonomous agents and the tools they call. They cover scoped identity, tool allow-listing, sandboxing, egress control, human review, audit logging, and prompt-injection defence. Start with the core agent hardening checklist, then layer in MCP and least-privilege checks.
TL;DR:
- This hub indexes tested, hands-on hardening checklists for AI agents, MCP servers, and AI coding tools.
- Each checklist maps a control to why it matters and how to verify it in a lab or staging run.
- Start with the core AI agent hardening checklist, then layer in MCP and least-privilege controls.
- Downloadable packs are planned; the download buttons below are placeholders only.
What are AI agent hardening checklists?
AI agent hardening checklists are repeatable lists of defensive controls that shrink an autonomous agent’s attack surface. An AI agent is a system that uses a language model to plan and then call tools, so its blast radius is the union of every credential and tool it can reach. Hardening means constraining that blast radius before an attacker, or a poisoned input, can abuse it.
We maintain these as operational documents, not theory. Every control on a child checklist is phrased so you can run it and watch it pass or fail, rather than ticking a box on trust. This mirrors the testing-first stance across the rest of the site, including our security tools directory and implementation guides.
Why use a checklist instead of ad hoc hardening?
A checklist makes hardening repeatable, auditable, and hard to skip under deadline pressure. Ad hoc hardening tends to secure whatever the last incident touched and miss the rest. A sequenced checklist forces coverage of identity, sandboxing, egress, logging, and prompt-injection defence in one pass.
Primary guidance backs this approach. The OWASP GenAI project catalogues agentic and LLM risks such as excessive agency and prompt injection, and the Model Context Protocol specification defines the trust boundaries you must enforce when an agent calls external tools. Checklists turn those documents into steps.
Which checklist should I use?
Pick by what your agent touches: its own actions, its MCP tools, or its credentials. The table below maps each checklist type to its target and its current status. Start at the top and work down.
| Checklist type | What it hardens | Primary risk addressed | Status |
|---|---|---|---|
| Core agent hardening checklist | The agent runtime and its tool calls | Excessive agency, prompt injection | Live |
| MCP security best practices | MCP servers and tool transports | Tool poisoning, confused-deputy | Live |
| Least privilege for AI agents | Identity and scoped credentials | Credential overreach, lateral movement | Live |
| OWASP LLM Top 10 mapping | Coverage against named LLM risks | Gaps versus a recognised taxonomy | Live |
| Coding-assistant hardening pack | IDE agents and CI runners | Untrusted-repo execution | Planned pack |
How are these checklists tested?
Each control is written to be verified in a disposable lab before it reaches production. In our June 2026 test passes we ran candidate controls against a deliberately over-permissioned agent, confirmed the control changed behaviour, and only then promoted it to the published list. Where we cite a figure, such as a reduction in reachable tools, we frame it as illustrative unless it comes from a named primary source.
This is the same evidence-first discipline the NSA and CISA joint guidance on AI system deployment recommends: validate controls, log decisions, and assume inputs are hostile. We do not publish a control we have not watched pass and fail.
How do the checklists fit together?
They stack: identity first, then sandboxing and egress, then logging and injection defence. The core hardening checklist sequences this so the highest-impact controls land first. Tool-rich agents then add the MCP security best practices, and any agent holding credentials adds least privilege for AI agents.
For broader context, the home page frames the site’s testing-first mission, and the OWASP LLM Top 10 mapping shows which named risks each checklist covers. Together they form a defensible, auditable hardening programme rather than a pile of tips.
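The two ideas above, that an agent's blast radius is the union of every credential, tool and host it can reach, and that each control should be something you run and watch pass or fail in the hub's order (identity and tools, then egress, then review), can be made concrete with a small inventory script. The following is an added example, not code from this hub or from any of the checklists it indexes; the manifest fields (credentials, egress, high_impact), the four control names and the sample agent are all constructed for illustration.

```python
"""Blast-radius inventory and pass/fail checks for an agent's tool manifest.

Added example, not code from this hub or the checklists it indexes. The
manifest fields (credentials, egress, high_impact) and the four control
names are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    credentials: frozenset      # secrets the tool can present
    egress: frozenset           # hosts the tool can reach
    high_impact: bool = False   # writes, sends, deletes, spends money


@dataclass(frozen=True)
class BlastRadius:
    tools: frozenset
    credentials: frozenset
    egress: frozenset

    def size(self):
        return len(self.tools) + len(self.credentials) + len(self.egress)


def blast_radius(tools):
    """Everything the agent can reach: the union over its callable tools."""
    return BlastRadius(
        tools=frozenset(t.name for t in tools),
        credentials=frozenset().union(*(t.credentials for t in tools)),
        egress=frozenset().union(*(t.egress for t in tools)),
    )


def run_checks(manifest, allow_list, issued_credentials, egress_allow, review_gated):
    """Run the controls in the hub's order; return (control, passed, evidence)."""
    before = blast_radius(manifest)
    allowed = [t for t in manifest if t.name in allow_list]
    after = blast_radius(allowed)
    results = []

    # 1. Tool allow-listing: nothing outside the list is reachable, and the
    #    radius actually shrank (a control that changes nothing proves nothing).
    stray = after.tools - frozenset(allow_list)
    results.append(("tool-allow-list",
                    not stray and after.size() < before.size(),
                    f"reachable tools={sorted(after.tools)} stray={sorted(stray)}"))

    # 2. Scoped identity: the agent holds no credential that no allowed tool needs.
    excess = frozenset(issued_credentials) - after.credentials
    results.append(("scoped-identity", not excess,
                    f"issued={sorted(issued_credentials)} excess={sorted(excess)}"))

    # 3. Egress control: every reachable host is on the egress allow-list.
    leak = after.egress - frozenset(egress_allow)
    results.append(("egress-control", not leak,
                    f"reachable hosts={sorted(after.egress)} unlisted={sorted(leak)}"))

    # 4. Human review: every reachable high-impact tool sits behind a review gate.
    ungated = frozenset(t.name for t in allowed if t.high_impact) - frozenset(review_gated)
    results.append(("human-review", not ungated,
                    f"ungated high-impact tools={sorted(ungated)}"))
    return results


# Constructed sample manifest for a deliberately over-permissioned agent.
SAMPLE_MANIFEST = [
    Tool("read_repo", frozenset({"github_ro"}), frozenset({"api.github.com"})),
    Tool("search_docs", frozenset(), frozenset({"docs.internal"})),
    Tool("send_email", frozenset({"smtp_token"}), frozenset({"smtp.example.com"}), True),
    Tool("deploy_prod", frozenset({"aws_prod"}), frozenset({"*.amazonaws.com"}), True),
]


def harden_and_check(manifest=SAMPLE_MANIFEST):
    """Hardened configuration: expected to pass all four controls."""
    return run_checks(
        manifest,
        allow_list={"read_repo", "search_docs", "send_email"},
        issued_credentials={"github_ro", "smtp_token"},
        egress_allow={"api.github.com", "docs.internal", "smtp.example.com"},
        review_gated={"send_email"},
    )


def over_permissioned_check(manifest=SAMPLE_MANIFEST):
    """Same agent with every tool allowed: expected to fail three of the four."""
    return run_checks(
        manifest,
        allow_list={t.name for t in manifest},
        issued_credentials={"github_ro", "smtp_token", "aws_prod"},
        egress_allow={"api.github.com", "docs.internal", "smtp.example.com"},
        review_gated={"send_email"},
    )


if __name__ == "__main__":
    for name, passed, evidence in harden_and_check() + over_permissioned_check():
        print(f"{'PASS' if passed else 'FAIL'} {name}: {evidence}")
```

Running both configurations side by side is the point: the over-permissioned agent fails the allow-list, egress and review checks while still passing scoped identity, which shows why the controls are layered rather than treated as one box to tick. Wiring a script like this into a CI gate gives the "watch it pass or fail" evidence the hub asks for on every change to tools, prompts or credentials.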
Downloadable checklist packs
Printable PDF and machine-readable YAML packs are planned for each checklist on this hub. These will let you drop a checklist straight into a pull-request template or a CI gate. The download buttons are placeholders only today: no pack is live yet, and there is nothing to purchase.
When packs ship, they will carry the same dated, tested controls you see in the articles, with no change to the free web versions. Until then, work from the core AI agent hardening checklist and the sibling hubs above.
Frequently asked questions
Do I need every checklist? No. Run the core checklist on every agent, then add MCP and least-privilege checklists only where the agent calls tools or holds credentials.
How often should I re-run them? Re-run on every material change to an agent’s tools, prompts, or credentials, and on a fixed cadence such as monthly, because new tools quietly expand the blast radius.
Are the numbers in the articles real? Specific figures are illustrative unless linked to a primary source. The controls themselves are tested; the headline metrics are examples to show shape, not invented facts.
In this hub
- AI agent hardening checklist (tested, step by step) A practical, numbered hardening checklist for AI agents: scoped identity, tool allow-listing, sandboxing, egress control, human review, audit logging, prompt-injection defence, and secret handling, each with a way to verify it.
- Audit your AI agent setup: a hands-on self-audit walkthrough A practical self-audit for your AI agent: inventory tools, check permissions, gate high-impact actions, test prompt-injection exposure, handle secrets, log tool calls, and vet MCP servers. Includes a numbered walkthrough and a printable checklist.
Frequently asked questions
What is an AI agent hardening checklist?
It is a numbered set of defensive controls you apply to an autonomous AI agent and its tools, covering identity, sandboxing, egress, logging, and prompt-injection defence, each with a way to verify it works.
Where should I start?
Start with the core AI agent hardening checklist, which sequences the highest-impact controls first, then add the MCP security and least-privilege checklists for tool-rich agents.
Are these checklists tested?
Yes. Each control is written to be verifiable in a lab or staging environment, with a stated way to confirm the control actually blocks the behaviour it targets. Numbers shown in articles are illustrative unless sourced.
Do these replace OWASP or NSA guidance?
No. They operationalise primary guidance such as the OWASP GenAI project and NSA/CISA advisories into hands-on steps you can run and verify.
Will there be downloadable packs?
Yes, printable and machine-readable checklist packs are planned. The download buttons on this hub are placeholders until those packs ship.