AI Agent Security Review Before Launch: A Practical Checklist
An AI agent security review checks whether hostile or messy input can make an agent read the wrong data, call the wrong tool, or take an action a user did not approve.
Quick Answer
- Test prompt injection against every tool boundary.
- Separate read, write, send, spend, and delete permissions.
- Check what private context the model can see.
- Log tool calls with exact arguments.
- Add regression tests for every failed boundary.
Start with the tools
The risky part of an agent is usually not the chat response. It is what the agent can do after reading a prompt.
List every tool, then mark its capability:
| Tool type | Risk |
|---|---|
| Read-only search | Low to medium |
| Internal write | Medium |
| External send | High |
| Payment or purchase | High |
| Delete or revoke | High |
Each tier needs a different confirmation and logging policy.
Test indirect input
Do not only test prompts typed by the user. Test email bodies, documents, web pages, calendar descriptions, support tickets, and any retrieved context the agent may read.
Indirect prompt injection is where many real systems fail because the hostile text looks like data.
What to capture
For each test, save the hostile input, retrieved context, model response, tool call arguments, expected boundary, actual behavior, and mitigation.
Screenshots are not enough. The fix needs a reproducible case.
Where BreakMyAgent fits
BreakMyAgent is built to make these tests concrete. It gives teams a way to catalog attack patterns, run checks, and turn failures into regression coverage.
FAQ
Is a refusal policy enough?
No. Refusal text helps, but scoped tools and server-side checks matter more.
Should every agent need security review?
Any agent with private data or tools should get a review before launch.
What should fail closed?
External sends, purchases, destructive writes, credential handling, and cross-user data access.