Agentic Product Control Plane Checklist (V1)

Use this to review any “agent” feature before you let it touch real systems.
Goal: verifiable actions, bounded blast radius, and predictable operations.

1) Define the execution boundary
- List every system the agent can access (GitHub, Jira, Salesforce, ServiceNow, Gmail, Slack, AWS, Stripe, etc.).
- For each system, list allowed verbs: read, draft, write, delete, send, approve, pay.
- Explicitly list forbidden actions (ex: delete data, change billing, invite external users, disable MFA).

2) Identity and authorization
- Decide whose identity the agent uses (service account vs delegated user identity).
- Require short-lived credentials for tool execution.
- Implement role-based access for the agent: read-only, draft-only, execute-with-approval, execute.
- Tenant/workspace isolation: prove requests cannot cross customers.

3) Policy enforcement (in code, not prompts)
- Add a policy gate in front of every tool call.
- Policies should be testable with unit tests and runnable in CI.
- Support admin-configurable rules (allowlists/denylists) without redeploying.

4) Human approvals and change management
- Decide which actions require approval by default (writes to systems of record, external sends, refunds, infra changes).
- Provide a clear diff before execution (old vs new fields; message preview; PR diff; config delta).
- Provide “break glass” procedures for emergencies with extra logging.

5) Observability and proof artifacts
- Emit a trace ID for every agent run.
- Store a structured ledger: user intent, agent plan, policy decisions, tool calls, results, diffs, approvals.
- Redact sensitive fields in logs; document what is stored.
- Make the ledger visible to users/admins via a “Show work” UI.

6) Rollback and failure modes
- For each side effect, define rollback: undo changes, revert fields, cancel sends (if possible), reopen tickets.
- Circuit breakers: rate limits, spend limits, volume caps, and automatic shutdown on anomaly.
- Timeouts and retries: define which tools are safe to retry and which are not.

7) Data boundaries
- Define what data can be retrieved for context and what cannot.
- Require source links/citations for retrieved knowledge.
- Control connector scope (folders, projects, accounts) and make scope visible.

8) Release strategy
- Start with read-only, then draft-only, then constrained writes, then narrow auto-execution.
- Ship per-tenant toggles and per-feature kill switches.
- Add an internal incident runbook before GA.

If you can’t complete this checklist without hand-waving, you’re not ready to ship an agent that acts.
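
One way to implement the policy gate from section 3 in code, combining the per-system verb lists from section 1 with the role tiers and tenant isolation from section 2. This is an added example, not part of the original checklist; the names `ToolCall`, `Policy` and `evaluate`, the role-to-verb mapping, and the sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# Role tiers from section 2 mapped to verbs from section 1.
# The mapping itself is an assumption made for this example.
ROLE_VERBS = {
    "read-only": {"read"},
    "draft-only": {"read", "draft"},
    "execute-with-approval": {"read", "draft", "write", "send"},
    "execute": {"read", "draft", "write", "send"},
}
# Verbs that change external state; approval is required unless role is "execute".
SIDE_EFFECT_VERBS = {"write", "delete", "send", "approve", "pay"}

@dataclass(frozen=True)
class ToolCall:
    tenant: str            # tenant the agent run belongs to
    resource_tenant: str   # tenant that owns the target resource
    system: str
    verb: str
    action: str

@dataclass(frozen=True)
class Policy:
    allowed: dict          # system -> set of allowed verbs (admin allowlist)
    forbidden: frozenset   # explicit denylist of (system, action) pairs

def evaluate(policy, role, call, approved=False):
    """Return (decision, reason); decision is allow, deny or needs_approval."""
    if call.tenant != call.resource_tenant:
        return "deny", "cross-tenant request"
    if (call.system, call.action) in policy.forbidden:
        return "deny", "action is explicitly forbidden"
    # Unknown systems and unknown roles fall through to deny (default-deny).
    if call.verb not in policy.allowed.get(call.system, set()):
        return "deny", "verb not allowlisted for system"
    if call.verb not in ROLE_VERBS.get(role, set()):
        return "deny", "verb not permitted for role"
    if call.verb in SIDE_EFFECT_VERBS and role != "execute" and not approved:
        return "needs_approval", "side effect requires human approval"
    return "allow", "within policy"

# Constructed sample policy; in practice this is loaded from admin config.
SAMPLE_POLICY = Policy(
    allowed={"jira": {"read", "draft", "write"}, "stripe": {"read"}},
    forbidden=frozenset({("jira", "delete_project")}),
)
```

Because `evaluate` is a pure function, each rule can be pinned by a unit test in CI, and the returned decision and reason can be written to the ledger described in section 5.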