Description
AI Security Readiness Checklist
86 actionable checkboxes covering the full OWASP LLM Top 10 (2025) and OWASP Agentic Top 10 (2026, ASI01-ASI10).
This role-based checklist contains 86 ready-to-use checkboxes extracted from the LLM Production Readiness — Complete Checklist (v8 consolidated). It provides comprehensive security coverage for production AI systems against current and emerging threat vectors.
What’s Inside
- 86 checkboxes across 1 domain: Security (86)
- Prompt & input security (OWASP LLM01): input guardrails for prompt injection detection, external source sanitisation before RAG injection, structured prompt template wrapping, explicit refusal conditions in system prompts, jailbreak payload testing before launch and after every update, and indirect prompt injection defences for agentic systems (OWASP ASI01 — Agent Goal Hijacking)
- Output security (OWASP LLM05:2025): PII leakage scanning on all responses, toxicity and harmful content filters, sandboxed validation of LLM-generated code (never direct execution), and embedding inversion / training data extraction monitoring
- PII detection pipeline (inputs & outputs): automated detection on all inputs and outputs (Presidio/Comprehend/DLP), three-tier PII handling (Tier 1 redact names/emails/phone, Tier 2 block financial/health, Tier 3 alert on government IDs/passwords), PII detection audit logging, domain-specific identifier coverage testing, and PII incident response procedure for already-delivered responses
- Multimodal input security: image file type/size/format validation with metadata stripping, OCR scanning for embedded adversarial text in images, malicious macro and executable scanning in document uploads (PDF/DOCX/PPTX), same PII detection and filtering applied to all modalities, and separate hallucination rate evaluation for multimodal inputs
- Access control & RBAC: role-based access (developers → APIs only, analysts → NL-query only, security → read-only logs), least-privilege at every layer, MFA for privileged accounts, just-in-time access for high-risk functions, and quarterly access reviews
- Supply chain & model integrity: model artifact checksum verification at every deploy, fine-tuning dataset provenance tracking, LLM dependency vulnerability scanning, and security scanning in CI/CD pipeline
- SIEM integration: centralised SIEM ingestion of all LLM audit logs, LLM-specific detection rules (prompt injection signatures, rapid sequential queries, output volume spikes, repeated guardrail triggers), guardrail block events routed to security queue, structured JSON log schema, and SIEM rule testing with simulated attack patterns
- Red teaming: pre-launch exercises (prompt injection, data leakage, jailbreaks, indirect injection via RAG), monthly exercises with DeepTeam or equivalent, and all OWASP LLM Top 10 (2025) and Agentic Top 10 (2026) categories tested before each major release
- OWASP LLM03:2025 — Supply chain & training data poisoning: training/fine-tuning dataset validation and scanning, RAG corpus integrity monitoring for unauthorised modifications
- OWASP LLM04:2025 — Data & model poisoning: adversarial content scanning plus domain expert review, RAG corpus integrity monitoring, and backdoor detection evaluation on every fine-tuned model using adversarial probe sets
- OWASP LLM10:2025 — Unbounded consumption: per-request token limits, maximum context window length per user tier, global concurrency caps, and abnormal context-length pattern monitoring
- OWASP LLM07:2025 — System prompt leakage: system prompt contents treated as secrets, extraction testing (direct and indirect prompting), and prohibition on embedding credentials/keys/URLs/business logic in system prompts
- OWASP LLM09:2025 — Misinformation & overreliance: output confidence signalling to users and human-in-the-loop review gates for high-stakes decisions (legal/financial/medical/HR)
- OWASP LLM10:2025 addendum — Model theft & IP protection: access controls on fine-tuned model weights and inference endpoints, model extraction pattern monitoring, and systematic API probing detection
- OWASP LLM08:2025 — Vector & embedding weaknesses (RAG-specific): RAG retrieval pipeline as security boundary, access-control filtering at vector index level, embedding inversion risk testing (Vec2Text), and retrieval log monitoring for corpus mapping patterns
- MCP server security (OWASP MCP Security Cheat Sheet): least privilege per MCP server, tool description and schema integrity validation, container/process isolation per MCP server, human-in-the-loop for write/send/execute/financial tool calls, message-level integrity and replay protection (HMAC + timestamps), external MCP servers treated as untrusted supply chain, full MCP tool invocation logging, and prompt injection defence on tool return values
- AI Security Posture Management (AI-SPM): continuous AI stack security assessment (models/datasets/APIs/integrations/access controls) and living AI asset inventory aligned with NIST AI RMF Map function
- Advanced agent security (OWASP AI Agent Security Cheat Sheet): least agency principle with justified tool grants, action classification and approval flow (read-only auto-approve / write log-and-alert / irreversible require human approval), agent memory security (input validation, per-user isolation), and multi-agent communication authentication
- OWASP ASI08 — Cascading failures & ASI09 — Human-agent trust exploitation: payload splitting detection across multiple turns, circuit breakers and dead-letter queues at agent-to-agent boundaries, cascading failure detection for anomalous upstream output propagation, confidence signal and limitation surfacing in agent UIs, and over-reliance testing in human-in-the-loop workflows with deliberately wrong AI outputs
- Advanced red teaming additions: WildGuard and AEGIS 2.0 evaluation, multi-turn conversation history as attack surface, and ML framework supply chain red teaming (Ray/PyTorch/HuggingFace Hub/triton CVE assessment)
- Software SBOM & VEX: software bill of materials generation (SPDX or CycloneDX) for every deployment, VEX (Vulnerability Exploitability eXchange) statements alongside SBOM, and SBOM/VEX updates on every release
- MCP security — additional controls: independent input/output validation at MCP tool boundary (separate from LLM guardrails), cross-origin protection in multi-MCP-server deployments, and explicit administrator/user consent before MCP server activation with capability and permission scope display
- Interactive HTML with progress tracking — check off items as you complete them
Use Cases
- OWASP LLM Top 10 (2025) compliance and remediation
- OWASP Agentic Top 10 (2026) security controls for AI agent deployments
- AI red teaming programme design with structured methodology
- MCP server security hardening and supply chain verification
- Prompt injection, data poisoning, and model theft prevention
- SIEM integration and LLM-specific detection rule creation
- Software supply chain transparency (SBOM/VEX)
Perfect For
CISOs, security engineers, penetration testers, red team leads, AppSec engineers, and security architects responsible for securing AI systems against current and emerging threats.