AI Agent Security Checklist
for Startups

Before you can secure your agents, you need to know what you have. List every agent in your system — customer support bots, code assistants, data pipelines, internal tools. For each one, document what tools it can access, what data sources it reads from, and what external services it can call.

Most teams we talk to discover agents they forgot about: a prototype someone deployed to staging three months ago, a Slack bot with database access, a cron-triggered agent with broad API permissions. You can't protect what you don't know exists. Rune's agent dashboard gives you a single pane of glass across all registered agents.

Every agent should have access to only the tools and data it needs to do its job — nothing more. A customer service bot doesn't need execute_sql. A summarization agent doesn't need send_email. If an agent gets compromised via prompt injection, the blast radius is limited to what it can reach.

Review every tool binding. Remove anything unused. Privilege escalation attacks exploit overly broad permissions — and our research found that 73% of agents have access to tools they never actually call.

Every user-facing input should be scanned before it reaches your agent's context window. This means checking for prompt injection attempts, embedded PII, and leaked secrets (API keys, tokens, credentials that users may accidentally paste).

Don't forget indirect inputs: tool outputs from web scraping, database queries, and third-party APIs can all contain injected payloads. Rune's Python SDK scans both direct user inputs and tool outputs with a single integration point.

Scanning inputs is half the equation. You also need to scan what your agent sends back. Check every response for data exfiltration patterns, PII leakage, exposed secrets, and system prompt extraction before showing results to users.

This is especially important for agents that query databases or internal systems. An agent might include a customer's SSN in a response simply because it was in the query results and no output filter caught it. Output scanning prevents this class of accidental data leak entirely.

Write explicit, enforceable security policies for your agents. This means defining what tools each agent can use, what data fields are sensitive, what rate limits apply, and what actions should be blocked outright. Policies should be version-controlled and reviewable, not buried in application code.

Rune uses YAML-based policies that define scanner rules, severity levels, and enforcement actions (block, flag, or log). This keeps security configuration declarative and auditable — not scattered across your codebase.

You need real-time visibility into what your agents are doing in production. That means logging every tool call, every LLM interaction, and every external request — then surfacing it in a dashboard where your team can actually see it.

"We don't really know what our agents are doing in production" is the most common answer we hear from engineering teams. Rune's monitoring dashboard shows agent activity, scan results, and threat trends in real time — no custom observability setup required.

Monitoring is useless if nobody is watching the dashboard. Configure alerts for critical events: blocked prompt injections, data exfiltration attempts, policy violations, and anomalous agent behavior patterns. Route them to Slack, PagerDuty, email — wherever your team will actually see them.

Good alert hygiene matters. Start with high-severity events only to avoid alert fatigue, then expand coverage as you learn your agents' normal patterns. Rune generates alerts automatically when scans detect threats above your configured severity threshold.

What happens when you detect a compromised agent? You need a plan before it happens, not after. At minimum, define: a kill switch to disable a specific agent immediately, an audit trail to understand what happened, and a communication plan for affected users.

Document who on your team is responsible for agent security incidents. If the answer is "nobody," assign someone now. The getting started guide covers how to set up Rune's block mode so compromised agents can be stopped in real time, with a full event log for post-incident review.

If your agents handle user data, you have compliance obligations. GDPR requires you to know what personal data your systems process and where it goes. CCPA gives users the right to know what data is collected about them. SOC 2 auditors will ask about your controls for automated systems that access sensitive data.

AI agents make compliance harder because they make dynamic decisions about data access at runtime. Scanning for PII exposure and maintaining audit logs of every agent action are table stakes. Start here, and build toward a formal data processing inventory that includes your agents.

Agent capabilities change constantly. New tools get added, new data sources get connected, new models get swapped in. A permission set that was appropriate three months ago might be dangerously broad today.

Put a recurring calendar event on the books: review agent permissions, audit policy configurations, check that alerting is still working, and look at scan trends for new threat patterns. Treat it like a security review for any other production system — because that's exactly what it is.