AI Control Plane Ship Checklist (v1) Use this as a pre-launch gate for any AI feature (chat, RAG, agent, batch summarization, autocomplete). The goal is simple: every request is attributable, governed by policy, observable, and reversible. 1) Boundary + Identity - All LLM calls go through one gateway/service (even if it’s thin). - Every request includes: user ID, tenant/org ID, role, and environment (prod/stage). - No shared API keys embedded in clients; keys live server-side with rotation. - Service accounts used for background jobs are distinct from user-initiated traffic. 2) Policy Enforcement (code, not docs) - Define allow/deny rules for: data sensitivity, model/provider, geography, and tool categories. - Redaction rules exist for PII/secrets before sending prompts to any model. - Policy decisions are logged with the request (what rule fired and why). - There is a safe default when policy can’t decide (deny or degrade to safe mode). 3) Tool Use: Least Privilege - Every tool has explicit scopes (read vs write vs execute). - Write actions require an extra approval step (human-in-the-loop or explicit user confirmation) for high-impact operations. - Tool calls are rate-limited and time-bounded. - Tool outputs are treated as untrusted input on the way back to the model. 4) Retrieval (RAG) Provenance - Log which sources were queried and which documents/snippets were retrieved. - Maintain an allowlist for indexed sources per tenant. - Strip or quarantine instruction-like text from untrusted content where possible. - You can reproduce an answer by re-running with the same prompt version + retrieval config. 5) Observability + Audit - Store prompts/responses with necessary redaction; restrict access (need-to-know). - Log tool calls (name, parameters, response metadata) and model route/provider. - Emit traces/metrics for latency, error rate, fallback rate, and refusal rate. - Define an incident playbook: who can disable a tool, swap a route, or turn on safe mode. 6) Evals + Release Discipline - Version prompts, system messages, retrieval configs, and tool schemas. - Maintain a small regression set for critical tasks (support, financial ops, compliance workflows). - Gate releases on eval results for those critical tasks. - Track known bad cases as tests, not as tribal knowledge. 7) Rollback / Degrade Gracefully - Implement a kill switch for: (a) individual tools, (b) connectors/data sources, (c) entire model routes. - Have a safe mode: retrieval-only or no-tools mode with conservative behavior. - Fallback routing exists across at least two model options (even if performance differs). - Document how to revert a prompt bundle/tool schema within minutes. If you can’t check most of these boxes, don’t ship an “agent.” Ship a read-only feature first while you build the boundary.