AI Agent Security Minimum Bar

A practical baseline that reduces and contains agent risk — not a guarantee of security. Treat it as the floor, not the ceiling.

1. Separate agent identities from personal accounts

   Give agents their own scoped identities so their blast radius and audit trail are distinct from a human’s full access.

2. Use short-lived, scoped credentials

   Prefer ephemeral, narrowly scoped tokens over long-lived broad ones, so a leak ages out fast and reaches little.

3. Run untrusted work in containers / devcontainers / VMs

   Isolation reduces impact but is not absolute — containers share a kernel. Match the isolation strength to the sensitivity of what the agent can reach.

4. Default-deny outbound network, then allowlist egress

   Block egress by default and allow only the destinations a workflow needs. Egress is the exfiltration leg of the lethal trifecta.

5. Least-privilege filesystem allowlist (not a secret-path denylist)

   Grant access to the specific paths an agent needs rather than trying to enumerate every secret-bearing path to block. Denylists miss things.

6. Isolate untrusted-content processing from privileged tools

   Keep the context that reads untrusted input separate from the one holding credentials and powerful tools. You can’t reliably "sanitize" prompt injection away — isolate instead.

7. Require risk-tiered, informed approval

   Gate shell, egress, deployment, and off-repo writes behind human approval that shows what will happen — without so many prompts that people rubber-stamp.

8. Log tool calls and approvals (with secrets redacted)

   You should be able to answer "what did the agent actually do?" after the fact. Redact secrets from logs.

9. Kill switch + independent budget / time / action caps

   Long-running agents need a tested stop, plus caps on spend, runtime, and actions that hold even if the agent misbehaves.

10. Keep memory narrow, disposable, and source-attributed

   Persistent memory can carry poisoned instructions across sessions. Store little, expire it, and know where each entry came from.

11. Scan MCP configs, skills, hooks, and agent descriptors

   Tool descriptions and instruction files steer agents — treat them as untrusted input and review changes.

12. Pin and review the agent supply chain

   MCP servers, skills, and extensions are dependencies. Pin versions and review what you connect before you trust it.
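Items 4, 5, 7, 8 and 9 are all enforced at the same choke point: the gateway every agent tool call has to pass through. The sketch below is an added example, not code from the page or from any product it describes; the policy values, tool names and token patterns are constructed assumptions, and the approver callback stands in for whatever human-approval UI you use.

```python
import fnmatch
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed policy for a hypothetical agent; the hosts, paths and
# tool names are assumptions, not values from the page.
POLICY = {
    "egress_allow": {"api.github.com", "pypi.org"},   # item 4: allowlist egress
    "fs_allow": ["/workspace/repo/**"],               # item 5: path allowlist
    "needs_approval": {"shell", "deploy"},            # item 7: risky tools gated
    "max_actions": 3,                                 # item 9: hard action cap
}
# Constructed token shapes for the demo; extend for your own secret formats.
SECRET_RE = re.compile(r"(ghp_|sk-)[A-Za-z0-9]{20,}")

def redact(text: str) -> str:
    """Item 8: strip secret-looking tokens before anything is logged."""
    return SECRET_RE.sub("[REDACTED]", text)

class ToolGateway:
    def __init__(self, policy, approver, log):
        self.policy, self.approver, self.log = policy, approver, log
        self.actions = 0

    def _check(self, tool, args):
        # Cap is checked first so it holds even if every other check passes.
        if self.actions >= self.policy["max_actions"]:
            return "deny: action cap reached"
        if tool == "http":
            host = urlparse(args["url"]).hostname or ""
            if host not in self.policy["egress_allow"]:
                return f"deny: egress to {host} not allowlisted"
        if tool in ("read_file", "write_file"):
            # Resolve '..' and symlinks before matching, or traversal slips past.
            real = str(Path(args["path"]).resolve())
            if not any(fnmatch.fnmatch(real, g) for g in self.policy["fs_allow"]):
                return f"deny: path {real} outside allowlist"
        if tool in self.policy["needs_approval"] and not self.approver(tool, args):
            return "deny: approval refused"
        return "allow"

    def call(self, tool, args):
        # Every call is logged with its verdict, denied ones included (item 8).
        verdict = self._check(tool, args)
        self.log.append(json.dumps({"tool": tool, "args": redact(json.dumps(args)), "verdict": verdict}))
        if verdict == "allow":
            self.actions += 1
        return verdict
```

The approver receives the tool name and its full arguments so the human sees what will actually happen before saying yes; the action cap is independent of the approver, so it still binds if approvals are rubber-stamped.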

Want to know where your stack actually stands?

An assessment maps your agents against this bar and gives you a prioritized plan to close the gaps.