Agent Workflow Readiness Checklist (2026)

Use this to pressure-test whether you’re building a durable workflow product or a fragile chat demo.

1) Workflow definition (no hand-waving)
- Name the workflow in one sentence (ex: “Triage inbound incidents into ServiceNow with proposed category, priority, owner”).
- List the systems of record involved (ex: ServiceNow, Jira, Salesforce, Google Workspace).
- Enumerate side effects your agent will perform (create/update records, send emails, change permissions, trigger deployments).
- Define the “done” state as a typed outcome, not a natural-language answer.

2) Permissions and tool safety
- Use scoped credentials per connector (least privilege). Avoid a single shared admin token.
- Implement tool allowlists (which tools/actions are permitted for this workflow).
- Separate “propose” vs “execute” modes. Default to propose.
- Add idempotency for every side effect (retries must not duplicate actions).

3) Policy and injection resistance
- Treat all external text as untrusted (tickets, emails, docs can contain instructions).
- Maintain a clear boundary between system instructions and user content.
- Validate outputs against schema before execution (reject malformed or unexpected actions).
- Add rule checks for prohibited data types or destinations (ex: no secrets in outbound email).

4) Observability and audit
- Capture a trace per run: inputs, tool calls, tool outputs, model outputs, and final actions.
- Provide a human-readable run timeline for operators.
- Support replay (or at minimum, deterministic reconstruction of what happened).
- Define retention/redaction policies for logs and stored prompts.

5) Human review where it counts
- Identify “high-blast-radius” actions (payments, account changes, outbound customer comms).
- Require explicit approval for those actions.
- Make review UX fast: diff views, highlighted fields, and clear rationale.

6) Evaluation and rollout
- Build a fixed test set of real tasks (sanitized) and run it on every release.
- Track failures by category (tool error, policy violation, hallucination, schema rejection).
- Roll out behind feature flags; start with read-only/propose-only.

Pass condition: you can explain exactly what the agent did, why it did it, what it touched, and how you’d prevent the same incident tomorrow.