AI Compliance Checklist: Before You Ship Claude Agents to Production
Most teams discover their compliance gaps in production. An auditor asks for a list of every action a specific agent took last Tuesday. An incident happens and nobody can reconstruct what occurred. A security review flags that all agents share one set of credentials.
This checklist exists so you discover those gaps before you ship.
It’s organized by the layer where failures happen most often. Work through it before your first production agent goes live — or use it to audit what’s already running.
Access Control
[ ] Every agent has its own identity. No shared API keys or credentials across agents. Each agent authenticates with a unique identity that’s traceable in audit logs. If you have 10 agents sharing one token, you have one identity in your audit trail.
[ ] Policies follow least privilege. Each agent can access only what it needs for its specific task. An agent that processes invoices doesn’t need write access to your user database. An agent that reviews code doesn’t need production deployment credentials. Start restrictive and expand only when the agent demonstrably needs more.
[ ] Branch protection is enforced at the gateway level. Not just at the git host. An agent with push access should not be able to push to main or release branches without an approval gate, even if the git host would technically allow it. The control plane enforces this independent of git settings.
[ ] AWS (and other cloud) permissions are scoped to specific resources. s3:PutObject on arn:aws:s3:::invoice-data/processed/* — not s3:* on *. Every wildcard in a policy is a gap in your blast radius control.
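A check you can run over IAM policy documents before an agent's role is created, as an added example that is not part of this article or of any product it mentions. The two policies are constructed samples: the first has the s3:* on * shape the item warns about, the second the resource-scoped shape it recommends. The checker flags Allow statements whose Action is * or <service>:* or whose Resource is *, and deliberately does not flag a trailing /* inside a specific ARN, since that key-prefix scoping is the recommended form. Condition blocks are not evaluated.

```python
import json

# Constructed sample policies (not taken from any real account).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::invoice-data/processed/*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (statement index, field, value) for every wildcard grant in Allow statements.

    Flagged:   Action "*" or "<service>:*", Resource "*".
    Not flagged: a key prefix such as "arn:aws:s3:::bucket/prefix/*", which is
    the resource scoping the checklist asks for. Condition blocks are ignored,
    so a finding here is a candidate for review, not proof of exposure.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


def policy_is_scoped(policy):
    """True when no Allow statement grants a wildcard action or resource."""
    return not find_wildcard_grants(policy)


def check_policy_json(text):
    """Convenience wrapper for a policy document read from a file or API response."""
    return find_wildcard_grants(json.loads(text))


if __name__ == "__main__":
    for name, pol in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "OK" if policy_is_scoped(pol) else find_wildcard_grants(pol))
```

Run it as a pre-deployment gate: a non-empty result for an agent's role policy blocks the rollout until someone either narrows the statement or records why the wildcard is needed.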
[ ] Credential rotation doesn’t break agents. Credentials used by agents are managed through a secrets store, not hardcoded. When you rotate a key, agents pick it up automatically.
Audit Trail
[ ] Every tool call is logged. Not sampled, not summarized — every call. The log includes: agent identity, session ID, action attempted, whether it was allowed or denied, timestamp, and result.
[ ] Logs are immutable and tamper-evident. Audit logs that agents (or operators) can modify are not audit logs. They’re suggestions. Store logs in append-only storage (S3 with object lock, or equivalent).
[ ] You can reconstruct any session. Given a session ID, you can replay exactly what the agent did, in order, with timestamps. This is the test: pick a session from last week and try to answer “what did this agent do between 2:00 PM and 2:30 PM?”
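A minimal shape for the three items above (a complete record per tool call, tamper-evident storage, and session replay), as an added example that is not part of this article or of any product it mentions. Each record carries the fields listed in the first item plus the SHA-256 of the previous record, so editing or deleting an earlier entry breaks every link after it. The agent identities, session IDs, actions and timestamps are constructed sample values, and an in-memory list stands in for the append-only bucket the second item calls for.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first record


class AuditLog:
    """Append-only, hash-chained list of tool-call records.

    Every record stores the SHA-256 of the record before it, so modifying or
    removing any earlier entry is detected by verify(). Records are kept in
    memory here; in production each one would be written to append-only
    storage (the checklist mentions S3 with object lock).
    """

    def __init__(self):
        self.records = []

    def append(self, agent_id, session_id, action, decision, result, timestamp=None):
        """Record one tool call. `decision` is the gateway verdict: 'allowed' or 'denied'."""
        if decision not in ("allowed", "denied"):
            raise ValueError("decision must be 'allowed' or 'denied'")
        record = {
            "seq": len(self.records),
            "agent_id": agent_id,
            "session_id": session_id,
            "action": action,
            "decision": decision,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "result": result,
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return the seq of the first record whose chain link is broken, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or self._digest(rec) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def reconstruct_session(self, session_id, start=None, end=None):
        """Replay one session in order, optionally limited to an ISO-8601 UTC time window."""
        return [
            (r["timestamp"], r["action"], r["decision"], r["result"])
            for r in self.records
            if r["session_id"] == session_id
            and (start is None or r["timestamp"] >= start)
            and (end is None or r["timestamp"] <= end)
        ]


def build_sample_log():
    """Constructed sample events (not real data) from two agents with distinct identities."""
    log = AuditLog()
    log.append("invoice-agent-01", "sess-a1", "read invoice INV-1042",
               "allowed", "ok", "2024-06-04T14:05:00+00:00")
    log.append("invoice-agent-01", "sess-a1", "write users table",
               "denied", "policy: no write access to user db", "2024-06-04T14:10:00+00:00")
    log.append("code-review-agent-02", "sess-b7", "git push main",
               "denied", "approval required", "2024-06-04T14:12:00+00:00")
    log.append("invoice-agent-01", "sess-a1", "write invoice-data/processed/INV-1042.json",
               "allowed", "ok", "2024-06-04T14:45:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for row in log.reconstruct_session("sess-a1", "2024-06-04T14:00:00+00:00",
                                       "2024-06-04T14:30:00+00:00"):
        print(*row)
```

The "what did this agent do between 2:00 PM and 2:30 PM" question from the third item becomes a single reconstruct_session call; the same fields make the denied calls as visible as the allowed ones, which is what you want when reconstructing an incident.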
[ ] Logs are exported to infrastructure you own. If your control plane is a managed service, make sure audit data exports to your own S3 bucket or equivalent. You need to own your audit trail, not just have access to it through a vendor dashboard.
[ ] Retention policy is defined and enforced. How long do you keep agent audit logs? 90 days? 1 year? 7 years (for financial services)? Define it, configure it, verify it.
Human Oversight
[ ] Approval gates are configured for high-risk operations. Define which operations require human approval before proceeding. At minimum: pushing to protected branches, deleting data, sending external communications (email, Slack messages, API calls to external systems), and any financial transactions.
[ ] Notification channels are configured and tested. Approval requests need to reach a human reliably. Test the Slack/Telegram integration before going live. Verify that someone is actually monitoring the approval channel.
[ ] There’s a kill switch. You can terminate a specific agent session, or pause all agents in a project, from a single action. Test this. If you can’t kill a runaway agent in under 30 seconds, your oversight model has a gap.
[ ] Session timeouts are configured. An agent that’s been idle for 2 hours probably shouldn’t still be running. Configure maximum session durations appropriate for your use case.
Cost Controls
[ ] Per-project token budgets are set. Each project has a maximum daily or monthly token allowance. Not a soft guideline — a hard limit that pauses agents when reached.
[ ] Alert thresholds are configured. You get notified when a project hits 50%, 80%, and 100% of budget. The 50% alert is the useful one — it gives you time to investigate before the problem becomes expensive.
[ ] Rate limits are defined. Maximum requests per minute, per agent. This prevents runaway loops from burning budget before the daily limit kicks in.
[ ] You’ve tested what happens when budget is exhausted. Does the agent stop gracefully? Does it error in a way that creates cascading problems? Verify the budget exhaustion behavior in a test environment.
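The four cost-control items above fit together as one mechanism, shown here as an added example that is not part of this article or of any product it mentions: a hard per-project token budget that fires the 50%, 80% and 100% alerts once each and pauses the project at the limit, a per-agent sliding-window rate limiter, and a constructed runaway loop that exercises both so you can see exactly how the agent stops. Project and agent names, the budget size and the call cadence are all assumed sample values; the notify callable stands in for your Slack or pager integration.

```python
import time
from collections import deque


class BudgetExhausted(Exception):
    """Raised when a project's hard token limit is reached; the caller must stop the agent loop."""


class ProjectBudget:
    """Hard per-project token limit with 50%, 80% and 100% alerts, each fired once.

    `notify` is any callable that accepts an alert string (Slack, pager, log sink).
    """

    THRESHOLDS = (0.5, 0.8, 1.0)

    def __init__(self, project, limit_tokens, notify):
        self.project = project
        self.limit = limit_tokens
        self.used = 0
        self.paused = False
        self._notify = notify
        self._fired = set()

    def charge(self, tokens):
        """Record tokens consumed by one call. Raises BudgetExhausted once the limit is reached."""
        if self.paused:
            raise BudgetExhausted(f"{self.project} is paused: {self.used}/{self.limit} tokens used")
        self.used += tokens
        fraction = self.used / self.limit
        for level in self.THRESHOLDS:
            if fraction >= level and level not in self._fired:
                self._fired.add(level)
                self._notify(f"{self.project}: {int(level * 100)}% of budget used "
                             f"({self.used}/{self.limit})")
        if self.used >= self.limit:
            # Hard stop, not a soft guideline: every later charge() raises until an operator resets.
            self.paused = True
            raise BudgetExhausted(f"{self.project} reached its hard limit ({self.used}/{self.limit})")


class RateLimiter:
    """Per-agent sliding-window limit: at most max_requests in any window_seconds."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self._clock = clock
        self._hits = {}  # agent_id -> deque of request timestamps

    def allow(self, agent_id, now=None):
        """Return True and record the request if the agent is under its limit, else False."""
        now = self._clock() if now is None else now
        q = self._hits.setdefault(agent_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def simulate_runaway_loop(limit_tokens=1000, tokens_per_call=150, max_calls=50):
    """Drive a constructed agent loop against both controls.

    Returns (alerts, calls_made, rate_limited_calls, stopped_by_budget).
    """
    alerts = []
    budget = ProjectBudget("invoice-pipeline", limit_tokens, alerts.append)
    limiter = RateLimiter(max_requests=5, window_seconds=60)
    calls_made = 0
    rate_limited = 0
    for i in range(max_calls):
        now = i * 2  # constructed clock: one attempt every 2 seconds
        if not limiter.allow("invoice-agent-01", now=now):
            rate_limited += 1  # the limiter throttles the loop long before the budget does
            continue
        try:
            calls_made += 1
            budget.charge(tokens_per_call)
        except BudgetExhausted:
            return alerts, calls_made, rate_limited, True  # graceful stop, not a cascading error
    return alerts, calls_made, rate_limited, False


if __name__ == "__main__":
    alerts, calls, limited, stopped = simulate_runaway_loop()
    print(f"calls={calls} rate_limited={limited} stopped_by_budget={stopped}")
    for a in alerts:
        print(" ", a)
```

With these constructed numbers the limiter blocks attempts 6 through 30 while the budget is still at 75%, and the budget pauses the project on the seventh completed call after the 50%, 80% and 100% alerts have each fired exactly once. That is the behaviour the last item asks you to verify in a test environment: the loop ends with a typed exception the caller handles, not with a half-finished action.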
Data Handling
[ ] Sensitive data is masked before entering agent context. Credit card numbers, SSNs, passwords, and similar data should not appear verbatim in agent prompts. Pass tokenized or masked versions. If the agent doesn’t need the raw value, don’t give it the raw value.
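One way to apply that item at the boundary where text enters an agent prompt, as an added example that is not part of this article or of any product it mentions. It masks card numbers, US-format SSNs and key=value secrets, and it validates candidate card numbers with the Luhn checksum so that an ordinary 13-digit order number is left alone. The sample input is constructed; the card number is the standard 4111... test value. Regex masking is a first line of defence, not a complete DLP solution: formats you did not anticipate will pass through, so pair it with the data-scoping item that follows.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common 3-2-4 written form (constructed sample format).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# key=value or key: value secrets; the value stops at whitespace, ';' or ','.
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)\s*[=:]\s*([^\s;,]+)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match):
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number (e.g. an order id); leave it untouched
    return f"[CARD ****{digits[-4:]}]"  # keep last four so humans can still cross-reference


def mask_sensitive(text):
    """Return `text` with card numbers, SSNs and inline secrets replaced by tokens."""
    text = SSN_RE.sub("[SSN REDACTED]", text)
    text = CARD_RE.sub(_mask_card, text)
    text = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    return text


# Constructed sample input, not real customer data.
SAMPLE = ("Customer 4111 1111 1111 1111 paid; taxpayer id 123-45-6789; "
          "password=hunter2; order 1234567890123")

if __name__ == "__main__":
    print(mask_sensitive(SAMPLE))
```

Call mask_sensitive on every piece of user- or system-supplied text before it is interpolated into a prompt or passed as a tool argument; the order id survives because it fails the Luhn check, which is the edge case that a naive "any long digit run" rule gets wrong.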
[ ] Data access is scoped to what the agent needs. If the agent is analyzing invoices from Q1, it shouldn’t have read access to all invoices from all time. Scope data access at the query level where possible.
[ ] Your control plane provider’s data handling policy is documented. If you’re using a managed gateway, you need to know what they log, where it is stored, and what the retention policy is. This should be in a DPA (Data Processing Agreement) if you’re handling GDPR-regulated data.
[ ] Applicable regulations are identified. For the data your agents touch: does GDPR apply? HIPAA? PCI-DSS? SOC 2? List them. Each has specific requirements that map to controls above.
Incident Response
[ ] You have a documented response process for agent incidents. When an agent does something unexpected, what’s the sequence? Who gets notified? Who has authority to kill sessions? Where do you look first?
[ ] You’ve run a tabletop exercise. Pick a scenario: “Agent X pushed to main at 3 AM.” Walk through your response. How long does it take to understand what happened? How long to contain it? This exercise reliably surfaces gaps.
[ ] Recovery procedures are documented. If an agent deletes something it shouldn’t have, can you restore it? From where? In how long? These questions have answers that aren’t “hope for the best.”
The Meta-Question
After going through this checklist, ask: “If something goes wrong with an agent, can I answer these four questions in under 10 minutes?”
- What exactly did the agent do?
- When did it happen?
- What was the blast radius?
- How do I stop it from happening again?
If the answer to any of these is “I don’t know,” that’s your gap. Fix it before you ship.
Put this into practice with Sentrely
Everything covered in this article is built into Sentrely's managed control plane. Get early access and have it running against your Claude agents in minutes.