AI Agent Security Red Lines: My Production Checklist
Why AI Agent Security Matters
Stronger AI Agent capabilities = bigger security risks.
```python
# If an AI Agent can execute commands:
task = "clean up log files for me"
# It executes:
rm -rf /var/log/*
# Or worse:
task = "look at this file for me"
# ...and the file is /etc/shadow
```

This article is a production AI Agent security checklist.
Permission Control
1. Principle of Least Privilege
```python
# Don't give an AI Agent admin permissions.
# Grant only the minimum permissions the task needs.

# Wrong:
admin_agent = Agent(
    role="admin",
    permissions=["read", "write", "execute", "delete"]
)

# Correct:
limited_agent = Agent(
    role="code_reviewer",
    permissions=["read", "comment"]
)
```
2. Dangerous Operation Double Confirmation

```python
# Require human confirmation before dangerous operations.
dangerous_operations = [
    "rm",
    "drop table",
    "delete",
    "sudo",
    "chmod",
    "curl http",  # prevent SSRF
]

def check_dangerous(command):
    # Case-insensitive match, so "DROP TABLE" is caught too
    for op in dangerous_operations:
        if op in command.lower():
            return require_human_approval(command)
    return execute(command)
```
3. Network Access Restrictions

AI Agent network access should be restricted.

Allowed domains:
- github.com
- api.slack.com
- internal company APIs

Not allowed:
- arbitrary external APIs
- internal databases
- the cloud metadata service (169.254.169.254)
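One way such an allowlist can be enforced is to parse the hostname out of every outbound URL before the request is made. This is a minimal sketch; the domain set and the `is_url_allowed` helper are illustrative, not part of any specific framework:

```python
from urllib.parse import urlparse

# Illustrative allowlist; production setups should also control DNS resolution
ALLOWED_DOMAINS = {"github.com", "api.slack.com"}
BLOCKED_HOSTS = {"169.254.169.254"}  # cloud metadata service

def is_url_allowed(url: str) -> bool:
    host = urlparse(url).hostname or ""
    if host in BLOCKED_HOSTS:
        return False
    # Allow exact matches and subdomains of allowed domains
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

print(is_url_allowed("https://api.slack.com/api/chat.postMessage"))  # True
print(is_url_allowed("http://169.254.169.254/latest/meta-data/"))    # False
```

Checking the parsed hostname rather than doing a substring match on the raw URL matters: `https://evil.example/?q=github.com` contains an allowed domain as a substring but must still be rejected.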
Data Security

1. Sensitive Data Not in Agent Context

```python
# Don't put sensitive data in the Agent's context.
# API keys, passwords, and tokens should pass through secure channels.

# Wrong:
task = """call this API for me: https://api.example.com
Headers: Authorization: Bearer sk-xxxxx"""

# Correct:
# - API key stored in a secret manager
# - Agent only gets an opaque reference, never the plaintext key
```
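The "correct" pattern can be sketched as a tool that resolves the secret at call time, so the model only ever sees an opaque reference. Everything here is illustrative: `resolve_secret` is a hypothetical helper standing in for your secret manager, and the environment variable is a stand-in for a real Vault/KMS lookup:

```python
import os

def resolve_secret(ref: str) -> str:
    # Hypothetical: look up the reference in a secret manager at call time
    return os.environ["EXAMPLE_API_KEY"]

def call_api(url: str, secret_ref: str) -> dict:
    token = resolve_secret(secret_ref)  # resolved inside the tool, never in the LLM context
    headers = {"Authorization": f"Bearer {token}"}
    # ...perform the real HTTP request with `headers` here...
    return {"url": url, "status": "ok"}  # never echo the token back to the model
```

The key property: the return value contains no secret material, so nothing sensitive can leak into the agent's transcript or logs.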
2. Data Classification

Data an AI Agent can access:

Green (no risk):
- public code
- README
- documentation

Yellow (needs approval):
- internal code
- non-sensitive user data
- config (no keys)

Red (forbidden):
- database passwords
- sensitive user information
- payment information
- keys/tokens
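A classification like this only helps if there is a gate that enforces it. A minimal sketch, with illustrative resource names and a default-deny fallback for anything unlabeled:

```python
# Illustrative labels; a real system would classify at the data-store level
CLASSIFICATION = {
    "public_code": "green",
    "internal_code": "yellow",
    "db_password": "red",
}

def access(resource: str, approved: bool = False) -> str:
    level = CLASSIFICATION.get(resource, "red")  # default-deny: unlabeled data is red
    if level == "red":
        raise PermissionError(f"{resource} is forbidden for agents")
    if level == "yellow" and not approved:
        raise PermissionError(f"{resource} requires human approval")
    return f"access granted: {resource}"
```

Defaulting unknown resources to red is the important design choice: the agent can only touch data someone has explicitly classified.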
3. Logging and Audit

```python
# All Agent operations must be logged.
class SecureAgent:
    def execute(self, command, context):
        # Log the operation first
        audit_log.info({
            "agent": self.name,
            "command": command,
            "context_hash": hash(context),  # don't log the actual content
            "timestamp": now(),
            "user": current_user(),
        })
        # Then execute
        return self.run(command)
```
MCP Server Security

MCP Server Permission Isolation

```yaml
# Each MCP Server uses a different token
mcp_servers:
  github_readonly:
    token: read_only_github_token
    permissions: [read]
  github_write:
    token: write_github_token
    permissions: [read, write]
  database:
    token: db_readonly_token
    permissions: [select]  # SELECT only, no DDL/DML
```
MCP Server Minimum Exposure

```python
# An MCP Server should expose only the necessary tools.
class SecureGitHubServer:
    # Expose only safe tools
    allowed_tools = [
        "get_file",     # ✅ read files
        "list_files",   # ✅ list
        "create_pr",    # ⚠️ needs approval
    ]
    # Hide dangerous tools
    hidden_tools = [
        "delete_file",  # ❌
        "delete_repo",  # ❌
        "admin_api",    # ❌
    ]
```
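Listing allowed and hidden tools is only half the story; the server also needs a dispatch point that enforces the list. A sketch of what that could look like, where `run_tool` is a hypothetical stand-in for the real handler dispatch:

```python
class SecureGitHubServer:
    allowed_tools = {"get_file", "list_files", "create_pr"}
    needs_approval = {"create_pr"}  # ⚠️ tools that require a human in the loop

    def call_tool(self, name: str, args: dict, approved: bool = False) -> dict:
        # Default-deny: anything not explicitly exposed is rejected,
        # so hidden tools like delete_repo never need their own check
        if name not in self.allowed_tools:
            raise PermissionError(f"tool {name!r} is not exposed")
        if name in self.needs_approval and not approved:
            raise PermissionError(f"tool {name!r} requires human approval")
        return self.run_tool(name, args)

    def run_tool(self, name: str, args: dict) -> dict:
        # Hypothetical dispatch to the real tool implementation
        return {"tool": name, "args": args}
```

Default-deny dispatch means a newly added dangerous tool is blocked until someone deliberately adds it to `allowed_tools`.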
Production Checklist

Permissions:
□ Agent has no admin rights
□ dangerous operations need approval
□ each MCP Server uses an independent token
□ database access is read-only, no writes

Network:
□ domain whitelist
□ metadata access blocked
□ SSRF protection

Data:
□ sensitive data not in context
□ data classification marked
□ operation logging

Audit:
□ all operations traceable
□ regular log audits
□ anomaly alerting
Conclusion

AI Agent security isn't optional; it's mandatory. Stronger capabilities mean bigger risks, so before deploying an Agent to production, go through this checklist. Design security in from day one instead of patching it on later.