Agent Privilege Review Checklist (APR)

Goal: reduce the blast radius of tool-calling agents by tightening permissions, adding policy gates, and improving auditability. Use this for each agent (support agent, SRE agent, finance agent) and each environment (dev/staging/prod).

1) Inventory (no skipping)
- Agent name + owner:
- Environment(s): dev / staging / prod
- Where does it run? (server, container, CI, vendor-hosted)
- Model provider(s): (OpenAI, Anthropic, Google, self-hosted)
- Tool list (every callable action):
  - Tool name:
  - Read-only or write?
  - External system (Stripe, GitHub, Jira, Slack, DB, cloud IAM):

2) Credential map
For each external system, record:
- Credential type: API key / OAuth / OIDC exchange / service account
- Lifetime: short-lived or long-lived
- Storage: secrets manager, env var, vendor vault, config file
- Rotation: manual or automated
- Scope: which resources can it touch?

3) High-risk actions (mark YES/NO)
- Money movement (refunds, credits, payouts)
- Account access changes (roles, invitations, password resets)
- Data export (CSV export, bulk download, sending files)
- Destructive actions (delete customer, delete repo, drop table)
- Production changes (feature flags, deploy triggers, incident paging)

4) Controls to enforce via a tool broker (recommended)
- Schema validation for every tool call (typed parameters)
- Central allow/deny policy per tool and per agent
- Rate limits per agent + per tenant
- Idempotency keys for write actions
- Mandatory context fields: request_id, ticket_id/incident_id, actor, tenant

5) Approval gates (decide explicitly)
For each high-risk action above, choose one:
- Auto-execute allowed (only with strict constraints)
- Requires human approval (in internal UI or ticketing system)
- Disallowed (agent can draft but never execute)

6) Audit trail requirements
- Can you answer who/what/why for every side effect?
- Do logs include tool args (sanitized), timestamps, and correlation IDs?
- Where do logs go? (SIEM, log pipeline, vendor audit logs)
- Retention policy (match your security/compliance needs)

7) Red-team prompts (15 minutes)
Try to get the agent to:
- Reveal secrets from logs/docs
- Call a write tool based on untrusted text
- Perform an action without a ticket/approval object
Record failures and add constraints at the tool/policy layer (not just prompt tweaks).

Done criteria: the agent can’t perform irreversible actions without explicit, reviewable intent; credentials are scoped and rotated; and every tool call is auditable end-to-end.
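A minimal tool broker that applies the controls from sections 4 through 6 (schema validation, per-agent allow list, mandatory context fields, idempotency keys for writes, the section 5 approval gate per high-risk tool, and one audit record per executed call). This is an added example, not part of the checklist; the tool registry, policy table, agent and tool names are constructed, and rate limiting is left out.

```python
import time
from dataclasses import dataclass, field

# Constructed tool registry: write vs read-only, high-risk flag (section 3), typed parameters (section 4).
TOOLS = {
    "lookup_order":    {"write": False, "high_risk": False, "params": {"order_id": str}},
    "issue_refund":    {"write": True,  "high_risk": True,  "params": {"order_id": str, "amount_cents": int}},
    "delete_customer": {"write": True,  "high_risk": True,  "params": {"customer_id": str}},
}
# Constructed policy: per-agent allow list (section 4) and the section 5 decision for each high-risk tool.
POLICY = {"support-agent": {
    "allow": {"lookup_order", "issue_refund", "delete_customer"},
    "gates": {"issue_refund": "human_approval", "delete_customer": "disallowed"},
}}
REQUIRED_CONTEXT = ("request_id", "ticket_id", "actor", "tenant")  # mandatory context fields (section 4)

class Denied(Exception):
    """Raised when the broker refuses a tool call; the message is the reason."""

@dataclass
class Broker:
    executed: dict = field(default_factory=dict)  # idempotency_key -> result of the first execution
    audit: list = field(default_factory=list)     # one who/what/why record per executed call (section 6)

    def call(self, agent, tool, args, context, approved_by=None, idempotency_key=None):
        missing = [f for f in REQUIRED_CONTEXT if not context.get(f)]
        if missing:
            raise Denied(f"missing context fields {missing}")
        spec = TOOLS.get(tool)
        policy = POLICY.get(agent, {"allow": set(), "gates": {}})  # unknown agent: nothing allowed
        if spec is None or tool not in policy["allow"]:
            raise Denied(f"{agent} is not allowed to call {tool}")
        # Schema validation: exactly the declared parameters, each of exactly the declared type.
        if set(args) != set(spec["params"]) or any(type(args[k]) is not t for k, t in spec["params"].items()):
            raise Denied(f"arguments for {tool} do not match its schema")
        if spec["high_risk"]:
            gate = policy["gates"].get(tool, "disallowed")  # default-deny if the review never decided
            if gate == "disallowed" or (gate == "human_approval" and not approved_by):
                raise Denied(f"{tool} is gated as '{gate}'")
        if spec["write"]:
            if not idempotency_key:
                raise Denied("write actions require an idempotency key")
            if idempotency_key in self.executed:
                return self.executed[idempotency_key]  # replay: first result again, no second side effect
        result = {"tool": tool, "status": "executed", **args}  # stand-in for the real external call
        self.audit.append({"ts": time.time(), "agent": agent, "tool": tool, "args": args, **context,
                           "approved_by": approved_by, "idempotency_key": idempotency_key})
        if spec["write"]:
            self.executed[idempotency_key] = result
        return result
```

Logged args are safe to keep verbatim here only because the schema check already rejected anything but the declared typed fields; free-form or secret-bearing parameters would still need redaction before logging.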