TechLevity

Free PDF · 25-Point Pre-Deployment Audit

25 Things You Need Before AI Agents Touch Your Production Code

From the team that has shipped 18 AI systems. Infrastructure, observability, security, evaluation, and rollback — the controls we wish every team had before they switched the agent on.

5 of 25 items
  • Agent Runtime Isolation (Infrastructure, Critical)

    Agents execute inside isolated sandboxes — containers, microVMs, or restricted processes — never on the host that runs your production services.

  • Network Boundary Controls (Infrastructure, Critical)

    Egress allowlists, explicit deny-by-default rules, and per-agent network namespaces stop a compromised agent from reaching your internal services.

  • Secret Management (Infrastructure, Critical)

    Short-lived credentials issued just-in-time. No long-lived API keys. No secrets in prompts, environment variables, or version control.

  • Logging and Tracing (Observability, Critical)

    Every agent action — tool call, model response, file write — is logged with a trace ID. You can reconstruct any session end-to-end.

  • Rate Limiting (Infrastructure, Important)

    Per-agent, per-tool, and per-tenant rate limits. A runaway loop should hit a circuit breaker, not your cloud bill.

Plus 20 more across observability, security, evaluation, governance, and rollback.
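One way to build the rate-limiting item above, as an added example that is not part of the TechLevity checklist or its PDF: a token bucket per (agent, tool, tenant) scope, with a circuit breaker that trips a scope after repeated rejections so a runaway loop stops cold instead of retrying at the refill rate. The class and method names, the limit shape and the trip policy are assumptions for illustration.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), now

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now


class ToolCallGuard:
    """Admission control for agent tool calls (hypothetical helper), layered by scope.
    A scope rejected `trip_after` times in a row trips its circuit for `cooldown`
    seconds, so a looping agent fails fast rather than draining shared quota."""

    def __init__(self, limits, trip_after=3, cooldown=60.0):
        self.limits = limits  # {"agent": (capacity, rate), "tool": ..., "tenant": ...}
        self.trip_after, self.cooldown = trip_after, cooldown
        self.buckets, self.open_until = {}, {}
        self.strikes = defaultdict(int)

    def _bucket(self, scope, now):
        if scope not in self.buckets:
            capacity, rate = self.limits[scope[0]]
            self.buckets[scope] = TokenBucket(capacity, rate, now)
        bucket = self.buckets[scope]
        bucket.refill(now)
        return bucket

    def check(self, agent_id, tool, tenant, now=None):
        """Returns ("allowed", None), ("rate_limited", scope) or ("circuit_open", scope)."""
        now = time.monotonic() if now is None else now
        scopes = [("agent", agent_id), ("tool", tool), ("tenant", tenant)]
        for scope in scopes:  # a tripped circuit rejects before any token is spent
            if self.open_until.get(scope, 0.0) > now:
                return ("circuit_open", scope)
        buckets = [self._bucket(scope, now) for scope in scopes]
        for scope, bucket in zip(scopes, buckets):  # check every layer before spending
            if bucket.tokens < 1.0:
                self.strikes[scope] += 1
                if self.strikes[scope] >= self.trip_after:
                    self.open_until[scope] = now + self.cooldown
                return ("rate_limited", scope)
        for scope, bucket in zip(scopes, buckets):  # all layers agreed: spend one token each
            bucket.tokens -= 1.0
            self.strikes[scope] = 0
        return ("allowed", None)
```

Pass `now` explicitly in tests or replay tooling; in production leave it unset so the guard uses the monotonic clock.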


Why this matters

Shipped, not theorised

Every item came from a real production incident or a near-miss. We have made these mistakes so you do not have to.

Prioritised by risk

Critical items block production. Important items prevent the most common outages. You will know what to fix first.

UK-grounded

Written for UK scale-ups working under UK GDPR and the EU AI Act. The governance items map to controls auditors actually ask about.

Frequently asked questions

What makes AI agents different from regular software in production?

Agents are non-deterministic, take actions on your behalf, and chain tool calls in ways you have not explicitly authorised. Standard release processes do not account for behaviour drift, prompt injection, or cascading tool-call failures. This checklist adds the controls that traditional CI/CD pipelines miss.

Who is this checklist for?

Engineering leaders and senior engineers preparing to ship AI agents to production at UK scale-ups. It assumes you have already prototyped — the focus is on the controls you need before real users, real data, and real money are involved.

How long does the audit take?

Working through all 25 items takes around 2 hours with the team that owns the agent. Most teams identify 4–6 gaps on the first pass. Fixing them takes anywhere from a few days to a sprint, depending on your starting point.

Do I need this if I am only using a single AI agent for internal tools?

Yes. Internal agents reach production data, internal APIs, and internal users — the blast radius is real. Runtime isolation, secret management, and observability matter regardless of whether end customers see the agent.

Need help shipping AI agents safely?

We embed with engineering teams to ship AI systems that survive production. Book a 30-minute call to see how we work.
