Agent Production Readiness Checklist (Enterprise)

Use this to qualify your build before you promise “autonomy” to a real buyer.

1) Workflow Boundary (write this down)
- Define the single workflow the agent owns (start/end conditions).
- List every system it touches (Jira, GitHub, Salesforce, Slack, data warehouse, etc.).
- For each system: mark actions as READ, WRITE, DELETE, or EXTERNAL-SEND.
- Decide what is never allowed (hard block), what is allowed with approval, and what is allowed automatically.

2) Identity, Auth, and Access
- Use scoped OAuth permissions per connector; avoid blanket scopes.
- Support token revocation and connector disconnect.
- Separate tenants cleanly (no shared storage paths, no mixed logs).
- Decide whether actions are taken as the user, a service account, or both—and document it.

3) Policy and Approvals
- Implement a policy layer that can block or require approval for high-risk actions.
- Start with “approval required for every write,” then selectively relax.
- Record who approved what, and when.
- Provide an admin UI (or API) to configure policies per workspace.

4) Observability and Audit
- Log every tool call with a trace/run ID.
- Store inputs and outputs in a retrievable way (with redaction rules for secrets).
- Make logs exportable to customer tooling (at minimum via API; ideally SIEM-friendly).
- Provide a human-readable run timeline (“what happened” view).

5) Determinism and Change Control
- Version prompts, tools, and policies; store versions in each run record.
- Make agent behavior reproducible enough to investigate incidents.
- Gate releases: a new model version or prompt change must pass regression checks on representative workflows.

6) Spend and Reliability Controls
- Set per-run budgets (tool-call caps, model-call caps) and fail safely.
- Add retry policies with hard limits (avoid infinite loops).
- Implement rate limiting and backoff for external APIs.
- Provide spend/usage visibility to admins and alerts for anomalies.

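How items 1, 3, 4 and 6 fit together in one gate, as an added example that is not part of the original checklist or any product's code: every tool call is classified, checked against policy and the per-run budget, and written to a redacted audit record. The names Run, request, redact, DEFAULTS and OVERRIDES, the policy values, and the secret pattern are all assumptions made for illustration.

```python
import re
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed defaults per action class; DELETE is a hard block in this sketch.
DEFAULTS = {"READ": "allow", "WRITE": "approve",
            "DELETE": "block", "EXTERNAL-SEND": "approve"}
# Assumed per-workspace relaxation: Jira writes run without approval.
OVERRIDES = {("jira", "WRITE"): "allow"}
SECRET = re.compile(r"(?i)\b(token|password|api_key|secret)\b(\s*[=:]\s*)\S+")

def redact(text):
    """Mask secret values before they reach the audit log."""
    return SECRET.sub(r"\1\2[REDACTED]", text)

@dataclass
class Run:
    max_tool_calls: int = 3            # per-run budget
    policy_version: str = "policy-v1"  # stored in every record
    run_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    calls: int = 0
    audit: list = field(default_factory=list)

    def request(self, system, action, payload, approver=None):
        """Gate one tool call; return the outcome and log it."""
        if action not in DEFAULTS:
            outcome = "blocked"            # unknown class: fail closed
        elif self.calls >= self.max_tool_calls:
            outcome = "budget_exceeded"    # fail safely, no execution
        else:
            decision = OVERRIDES.get((system, action), DEFAULTS[action])
            if decision == "block":
                outcome = "blocked"
            elif decision == "approve" and approver is None:
                outcome = "pending_approval"
            else:
                outcome = "executed"       # the real tool call would go here
                self.calls += 1
        self.audit.append({
            "run_id": self.run_id, "policy_version": self.policy_version,
            "ts": datetime.now(timezone.utc).isoformat(),
            "system": system, "action": action, "outcome": outcome,
            "approver": approver, "payload": redact(payload)})
        return outcome

if __name__ == "__main__":  # constructed sample call
    run = Run(max_tool_calls=2)
    print(run.request("salesforce", "WRITE", "update; token=abc123"), run.audit)
```

Blocked, pending and over-budget requests are logged as well as executed ones, so the run timeline shows what the agent attempted and not only what it did.
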
7) Data Handling and Privacy
- Document what data is sent to model providers and why.
- Minimize sensitive data in prompts; redact secrets.
- Decide retention windows for logs and run artifacts; make them configurable.

Sales tip: bring this checklist to customer calls. Ask the buyer which items are non-negotiable. That answer is your real product roadmap.