Agent Permissioning & Audit Checklist (v1) Use this before you connect an LLM to any system that can change state (code, infra, data, billing, identity, comms). 1) Define the agent’s job (one sentence) - What workflow does it compress? - What is explicitly out of scope? - What is the maximum acceptable blast radius if it behaves incorrectly? 2) Inventory tool surfaces (write them down) For each tool/API the agent can call: - System name (e.g., GitHub, Slack, Jira, AWS) - Read vs write operations (separate them) - Data sensitivity (PII, secrets, financial, regulated) - Irreversibility (can you undo the action?) 3) Identity and auth (ban the “shared key” default) - Prefer per-user OAuth with least-privilege scopes. - If you must use service credentials, put them behind a tool proxy. The model never receives raw secrets. - Decide how to handle offboarding: what happens to the agent’s access when an employee leaves? 4) Action gating (make “plan” a first-class step) - Require a preview payload or diff for any write. - Define which actions require explicit human approval (examples: IAM changes, production config edits, billing actions, data exports). - Add rate limits and budgets per tool (requests per minute, max objects affected, max query result size). 5) Validation (assume the model will produce malformed or risky requests) - Enforce schemas on tool inputs. - Validate targets against allowlists (repos, projects, channels, accounts). - Strip or mask sensitive fields before sending context to the model. 6) Logging and evidence (conversation logs aren’t enough) Log as immutable events: - Tool request + response (or hashes if needed) - Policy decision (allowed/blocked + reason) - Identity context (requester, scopes, approver) - References to external inputs (URLs, ticket IDs, document IDs) - Versions (model, prompt template, tool schema) 7) Replay and incident readiness - Can you reconstruct exactly what happened without “trusting the model”? - Can you disable a tool instantly without taking the whole product down? - Do you have a break-glass path for emergency human access that is auditable? 8) Ship criteria (hard stop rules) Do not ship if any of these are true: - The agent can perform write actions with no approvals and no preview. - The agent uses shared credentials with broad scopes. - You cannot answer: who requested this action, and what evidence shows why it was allowed? - External/untrusted content can directly influence tool calls without a validation layer. Print this checklist and use it in design review. If it feels like CI/CD governance, that’s the point.