AI deployments fail in predictable ways. The same gaps appear across companies of every size — architecture assumptions nobody wrote down, prompts that were never stress-tested at volume, data flows with no visibility, failure modes that only appear at 2 AM when no one is watching.
This checklist exists because the cost of skipping these checks is always higher than the cost of doing them. Work through it before deploying any agent into production. Work through it again every six months for agents already running.
Section 1: Architecture Integrity
1. Map every model, tool, and dependency. Write down what models your system calls, what tools it uses, what external APIs it depends on, and what happens if any of them are unavailable. If you cannot produce this map in 15 minutes, you do not understand your own architecture — and that is the first problem.
2. Identify every data store the agent reads from or writes to. Include databases, vector stores, caches, queues, and file systems. For each one: who else writes to it? Can stale data corrupt the agent's decisions? What happens if the store is unavailable?
3. Define the blast radius for each failure mode. If the LLM API goes down, what breaks? If a tool call times out, does the agent fail gracefully or crash? If context retrieval returns empty results, does the agent escalate or hallucinate? Map every dependency to its worst-case failure and verify there is a response for each one.
4. Verify idempotency for all write operations. Any operation the agent can repeat must produce the same result when run twice. If your agent sends emails, creates records, or triggers payments — those operations need idempotency keys. Running the same agent twice without them causes real damage.
Section 2: Prompt Integrity
5. Test every system prompt under adversarial inputs. Run your production prompts through inputs designed to break them: contradictory instructions, ambiguous edge cases, inputs in unexpected languages, extremely long inputs, extremely short inputs, inputs that contain instructions embedded in them. Document what breaks and fix it before shipping.
6. Check for prompt injection vulnerability. Any system that accepts user-supplied text and incorporates it into downstream prompts is potentially vulnerable. Test specifically: can a malicious user embed instructions that override your system prompt? If yes, implement a sanitization layer before going further.
7. Verify output format stability. If your agent produces structured output — JSON, XML, specific field formats — run 100 requests through it and verify that all 100 match the expected schema. Parsers that rely on model output format break when the model is updated or when inputs are unusual.
8. Document every intentional prompt modification in the last 90 days. Prompt rot is real. Each edit seemed harmless at the time. The cumulative effect is often a system that performs differently than it was deployed to perform. Review the change history. If you do not have a change history, you have an uncontrolled system.
Section 3: Data Exposure and Access Control
9. Audit what data the agent can access. List every data source the agent can query or modify. For each: does the agent need this access? Can it access data it should not (data from other customers, sensitive internal records, financial details outside its scope)? Access creep is one of the most common and dangerous AI deployment gaps.
10. Verify what the agent sends to external APIs. Every tool call, every model API call potentially transmits data. Review every external request your agent makes and verify that it does not transmit PII, proprietary data, or information that should not leave your infrastructure. This review is non-negotiable for any agent in a regulated industry.
11. Check logging completeness. Can you reconstruct what the agent did on any given request? If an incident occurs, can you identify exactly which users were affected and what outputs they received? Incomplete logging is a compliance and incident response problem. For many industries, it is also a legal one.
Section 4: Failure Handling and Escalation
12. Verify that the agent knows what it does not know. Does the agent have an escalation path for inputs outside its competence? Or does it produce confident wrong answers on everything? An agent without calibrated uncertainty is not safe for production. Identify the decision points where escalation is appropriate and verify they are implemented.
13. Test the retry and backoff behavior. What happens when a downstream API returns a 429 or 503? Does the agent crash, retry immediately (causing more 429s), or implement exponential backoff? Naive retry logic makes outages worse. Verify that your retry behavior is safe.
14. Test partial failure recovery. What happens when a multi-step process completes steps 1-4 and fails on step 5? Does it restart from scratch? Can it resume from step 5? Can it detect that steps 1-4 already completed and skip them? For any agent processing significant work, restart behavior matters.
15. Verify the circuit breaker configuration. Does the system automatically degrade or disable failing components rather than continuing to fail loudly? Circuit breakers prevent cascade failures. Every AI system that calls external services needs them.
Section 5: Monitoring and Observability
16. Confirm baseline metrics are established. Before deployment, measure: average latency, p95 latency, error rate, cost per request, token consumption per request. These baselines are what you compare against when something changes. Deploying without them means you cannot measure degradation.
17. Set up anomaly alerts for cost. AI systems can produce runaway cost from context length creep, retry storms, or tool call multiplication. Cost anomaly alerts — triggered when spend exceeds expected baseline by a threshold — catch these before a single incident becomes a budget crisis.
18. Define the quality signal you will monitor. What does good look like for your agent? If you cannot measure quality automatically, define the human review sampling process. An agent with no quality monitoring will degrade silently.
Using This Checklist
Work through each section before any production deployment. For sections with failing checks, do not deploy until the gap is resolved. For existing deployments, run this quarterly — requirements change, dependencies change, and agents that passed six months ago may have drifted.
The Gauntlet adversarial audit runs a version of this checklist externally — stress-testing your agents with the same systematic rigor, then delivering findings with severity ratings and remediation guidance. It is the fastest way to know whether your AI systems are actually production-ready.