Heading to Blackhat? Let's talk.
Free checklist · For security leaders

The AI Agent Security
Assessment.

30 controls. A maturity model. A 30-day sprint plan to close the gaps.

  • 30 actionable controls across 4 security domains
  • AI Security Maturity Model — Level 1 → Optimized
  • Day-by-day 30-day sprint plan with owners
  • Gap analysis table — board-ready
  • Mapped to NIST AI RMF, OWASP LLM Top 10, EU AI Act, GDPR
Get the checklist. Instant access. No spam.
69%
of enterprises already run AI agents in production
Akto, 2025
21%
have dedicated security controls for those agents
Akto, 2025
Aug ’26
EU AI Act deadline for high-risk AI systems
Regulation (EU) 2024/1689
The window is closing.

EU AI Act enforcement begins August 2026. GDPR fines for AI violations have reached €345M. Procurement now gates on demonstrable governance.

What’s inside

30 controls. Four domains.

Each control includes the action, the framework rationale, and the evidence to collect.

01 8 controls

Inventory & Visibility

Agent registries, shadow AI scans, dependency mapping, lifecycle tracking, vendor inventory, tool & API audit, risk classification, owners.

Items 1–8
02 7 controls

Identity & Access

Cryptographic agent identity, least-privilege scoping, human-in-the-loop gates, delegation boundaries, credential rotation, anomalous access.

Items 9–15
03 7 controls

Data Governance

Data classification, PII/PHI detection, memory isolation, output validation, provenance, retention, prompt injection defenses.

Items 16–22
04 8 controls

Compliance Readiness

EU AI Act classification, GDPR RoPAs, governance policy, vendor assessments, IR playbooks, audit logging, red team, developer training.

Items 23–30
Included in the checklist

The AI Security Maturity Model.

Score your org across all four domains. Locate your level. Identify the highest-priority gaps.

L1
Reactive
No formal inventory. Ad-hoc controls. Incidents handled reactively.
L2
Emerging
Partial inventory. Basic controls. Known gaps unaddressed.
L3
Defined
Full inventory. Least-privilege applied. AI policy published.
L4
Managed
Risk-tiered controls. Behavioral monitoring. Red team in flight.
L5
Optimized
Continuous monitoring. Full audit trail. Compliance covers AI.
Drawn from CSA AI Security Maturity Model, NIST AI RMF, MIT CISR, Reco.
Who it’s for

Built for the teams accountable for AI governance.

CISOs & VP Security

Maturity model + gap analysis for board briefings. The scoring table is built for executive consumption.

Security Architects & Engineers

Use the 30 controls as a design checklist for AI agent architectures, Zero Trust, and agent identity frameworks.

GRC & Compliance

Each control maps to NIST AI RMF, OWASP LLM Top 10, EU AI Act, and GDPR. Use it for vendor assessments.

The 30-day sprint

Three weeks. Sequenced by dependency.

You cannot govern what you cannot see. You cannot access-control what has no identity.

W1 Establish visibility
  • Agent registry
  • Shadow AI scan
  • Dependency mapping
  • Risk classification
  • Owner assignment
Gate: full inventory published.
W2 Enforce access controls
  • Unique identities
  • Least-privilege
  • HITL gates
  • Delegation docs
  • PII detection
  • Memory isolation
Gate: every production agent has a unique identity.
W3 Compliance & resilience
  • Provenance
  • Prompt-injection defenses
  • EU AI Act classification
  • RoPAs
  • Vendor assessments
  • IR playbooks
  • Red team schedule
Gate: AI risk register ratified.

Start your 30-day assessment.

Free. No commitment. Instant access.

  • 30 controls · 4 domains
  • Maturity model with scoring table
  • 30-day sprint plan with owners
Get the checklist. PDF in your inbox in seconds.