Audit your AI agent setup: a hands-on self-audit walkthrough
To audit your AI agent setup, inventory every tool the agent can call, confirm each runs at least privilege, gate high-impact actions behind a human, test prompt-injection exposure on untrusted content, remove long-lived secrets, log all tool calls, and verify each connected MCP server is trusted.
Independent SEO consultant & AI practitioner who builds and tests these tools.
Audit your AI agent setup: a hands-on self-audit walkthrough
To audit your AI agent setup, you map what the agent can do, then test what can make it do something it should not. Most agent risk is not exotic; it is an over-privileged tool sitting next to an untrusted data source. This walkthrough gives you a numbered process and a printable checklist covering tools, permissions, human gates, prompt-injection exposure, secrets, logging, and MCP trust.
TL;DR:
- Audit two things: capability (what the agent can do) and exposure (what can manipulate it).
- Work the seven areas in order, score each pass or fail, fix the riskiest first.
- The highest-leverage fixes are least privilege plus a human gate on irreversible actions.
- A guided audit service is planned; for now, use the self-audit below and the security checklists, starting with the AI agent hardening checklist.
How do I audit my AI agent?
You audit an AI agent by inventorying its tools, then checking each one against least privilege, human approval, injection exposure, secret handling, logging, and MCP trust. The goal is to know, for every action the agent can take, who authorised it and what could trick the agent into taking it. Here is the walkthrough.
- Inventory the agent’s tools. List every tool, function, and API the agent can call, including anything reached through an MCP server. You cannot secure capabilities you have not written down. If the list surprises you, that is the audit already paying off.
- Check tool permissions for least privilege. For each tool, confirm it has the narrowest scope that still works: read-only where possible, scoped to specific resources, no wildcard write or delete. See least-privilege for AI agents for the scoping patterns.
- Check for a human-in-the-loop on high-impact actions. Any irreversible or sensitive action, such as sending email, moving money, deleting data, or changing access, should require explicit human approval. List these actions and confirm each has a gate.
- Check prompt-injection exposure. Identify every place the agent reads untrusted content: web pages, emails, documents, tickets, code comments. If the agent both reads untrusted content and holds powerful tools, you have the classic injection-to-action chain. Read prompt injection explained for the attack shape.
- Check secrets handling. Confirm the agent uses short-lived, scoped credentials, not long-lived keys pasted into prompts, config, or code. Rotate anything long-lived and move secrets into a manager the agent reads at call time.
- Check logging and monitoring of tool calls. Confirm every tool invocation is logged with its inputs, so you can detect and investigate abuse after the fact. An agent you cannot observe is an agent you cannot audit.
- Check MCP server trust. For each connected MCP server, confirm you trust its source and that it exposes only the tools you expect. A malicious or compromised server can inject tools and instructions; see MCP security best practices.
What should an AI agent security audit cover?
The checklist below is the printable version of the walkthrough. Treat any failing row as a live risk, not a future improvement, and fix the rows tied to irreversible actions first.
| # | Audit area | What good looks like | Pass / Fail |
|---|---|---|---|
| 1 | Tool inventory | Every callable tool and API, including via MCP, is written down and reviewed. | |
| 2 | Tool permissions (least privilege) | Each tool runs at the narrowest viable scope; no wildcard write or delete. | |
| 3 | Human-in-the-loop | All irreversible or high-impact actions require explicit human approval. | |
| 4 | Prompt-injection exposure | Untrusted content the agent reads is identified and isolated from powerful tools. | |
| 5 | Secrets handling | No long-lived keys in prompts, config, or code; credentials are short-lived and scoped. | |
| 6 | Logging and monitoring | Every tool call is logged with inputs and is reviewable. | |
| 7 | MCP server trust | Every connected MCP server is from a trusted source and exposes only expected tools. |
This structure follows the risk priorities in the OWASP LLM Top 10, maintained by the OWASP GenAI Security Project. Prompt injection and excessive agency sit near the top of that list precisely because they convert a model mistake into a real action.
What are the riskiest misconfigurations?
The riskiest setups combine capability and exposure. A read-only agent that gets injected is annoying; a delete-capable agent that gets injected is an incident. Three patterns cause most serious harm:
- Broad tools with no human gate. An agent that can send email, delete records, or change permissions without approval will eventually act on a malicious instruction. This is excessive agency in practice; see excessive agency explained.
- Long-lived secrets in reach of the model. A static API key in a prompt or config is one injection away from exfiltration. Short-lived, scoped credentials limit what a leaked secret can do.
- Untrusted content next to powerful tools. When the same agent reads arbitrary web pages or emails and holds write tools, a hidden instruction can drive a real action. Separate the reading agent from the acting agent where you can.
How often should I audit?
Audit on every change to tools, permissions, or connected MCP servers, and re-run the full checklist at least quarterly. A new tool or data source changes the blast radius, so treat it like new code reaching production. Logging from area six is what makes between-audit drift visible, so do not skip it.
Where to go next
Start by running the seven steps against your own agent, then harden the failing rows. The AI agent hardening checklist turns each fix into a concrete change, and the wider security checklists cover adjacent surfaces. For the underlying risks, read prompt injection explained and least-privilege for AI agents. A guided audit service is planned for complex multi-agent systems; for now, the self-audit above is the fastest way to reduce real risk.
Frequently asked questions
How do I audit my AI agent?
Work through the seven areas below in order: tool inventory, permissions, human-in-the-loop, prompt-injection exposure, secrets handling, logging, and MCP trust. Score each as pass or fail against the checklist, then fix the failures starting with the riskiest, which is usually an over-privileged tool.
What should an AI agent security audit cover?
It should cover what the agent can do and what can manipulate it. That means tool inventory and permissions, human approval for irreversible actions, exposure to untrusted content, secret storage, tool-call logging, and the trust level of every connected MCP server and external data source.
What are the riskiest AI agent misconfigurations?
The riskiest are an agent with broad write or delete tools and no human gate, long-lived API keys baked into the agent, and an agent that reads untrusted content while holding sensitive tools. Any one of these turns a prompt injection into a real-world action.
How often should I audit my AI agent setup?
Audit on every meaningful change to tools, permissions, or connected MCP servers, and re-run the full checklist at least quarterly. Treat a new tool or a new data source the same way you would treat new code reaching production, because it changes the blast radius.
Is a self-audit enough, or do I need a service?
For most single-agent setups the self-audit below is a strong first pass and catches the common high-impact mistakes. A guided audit service is planned for more complex multi-agent or multi-tenant systems; for now, use the self-audit and the linked checklists.