AS-101 · Module 3
The Security Checklist
Good news, everyone! We have a checklist. Every pilot runs a pre-flight checklist. Every surgeon runs a pre-procedure checklist. And every person deploying an AI workflow should run a security checklist before anything goes live. This is the part most people skip. This is the part that matters.
- 1. API Keys Secured: All API keys are stored in environment variables or a secret manager. No keys are hardcoded in source files. The .env file is in .gitignore. You have verified this by searching the codebase for your key string — if it appears anywhere other than the .env file, fix it now.
- 2. Inputs Sanitized: User-supplied input is validated and sanitized before reaching the model. Input length is limited. Known injection patterns are filtered. If your AI system processes external data (emails, web content, uploaded files), that data is treated as untrusted input.
- 3. Outputs Validated: The model's output is checked before being returned to users or fed into downstream systems. Automated checks verify that the response stays within expected boundaries — format, content type, length, and the absence of information the model should not reveal.
- 4. Access Controlled: The AI system requires authentication before accepting requests. The principle of least privilege is applied — the model only has access to the data and systems it needs for its specific function. No broad database access. No unnecessary API permissions.
- 5. Logging Enabled: All access attempts, inputs, and outputs are logged with timestamps. You can audit who used the system, when, and what they asked. If something goes wrong, the logs tell you what happened. Without logs, a breach is invisible until the damage surfaces elsewhere.
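The five items above, wired around a single model call, as an added example (not the course's own code). It assumes a key in the `MODEL_API_KEY` environment variable, a constructed caller table `CALLERS` mapping tokens to allowed tools, constructed injection patterns, a model that is expected to answer with a JSON object containing a string `answer`, and a `fake_model` stand-in for the real client; all of these are assumptions for this example.

```python
import hmac
import json
import os
import re
from datetime import datetime, timezone

# Item 1: the key comes from the environment, never from a source file.
def load_api_key(env_var="MODEL_API_KEY"):
    """Read the model API key from the environment; fail closed if it is missing."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a secret")
    return key

# Item 2: bound and filter untrusted input (user prompts and external data alike).
MAX_INPUT_CHARS = 2000
INJECTION_PATTERNS = [  # constructed examples of instruction-override phrasing
    re.compile(r"ignore (all |any )?(previous|prior|above) instructions", re.I),
    re.compile(r"reveal (the |your )?(system prompt|api key)", re.I),
]

def sanitize_input(text):
    """Return cleaned text, or raise ValueError for over-long or suspicious input."""
    if len(text) > MAX_INPUT_CHARS:
        raise ValueError("input exceeds length limit")
    # Drop control characters that could corrupt logs or downstream parsers.
    cleaned = "".join(ch for ch in text if ch.isprintable() or ch in "\n\t")
    for pattern in INJECTION_PATTERNS:
        if pattern.search(cleaned):
            raise ValueError("input matches a known injection pattern")
    return cleaned

# Item 3: validate output format, length, and the absence of secrets.
MAX_OUTPUT_CHARS = 4000

def validate_output(raw, forbidden):
    """Expect a JSON object with a string 'answer'; return (object, reason)."""
    if len(raw) > MAX_OUTPUT_CHARS:
        return None, "output exceeds length limit"
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None, "output is not valid JSON"
    if not isinstance(obj, dict) or not isinstance(obj.get("answer"), str):
        return None, "output does not match expected schema"
    for value in forbidden:
        if value and value in obj["answer"]:
            return None, "output contains a value that must not be revealed"
    return obj, "ok"

# Item 4: authenticate callers and grant each one only the tools it needs.
# Constructed caller table (token -> allowed tools); a real system keeps this in an IdP.
CALLERS = {
    "tok-support-1": {"search_faq"},
    "tok-analyst-1": {"search_faq", "query_sales_db"},
}

def authorize(token, tool):
    """Return the caller id if the token is known and the tool is in its scope, else None."""
    for known, scopes in CALLERS.items():
        if hmac.compare_digest(token, known):  # constant-time comparison
            return known if tool in scopes else None
    return None

# Item 5: log every attempt with a timestamp, caller, input and outcome.
AUDIT_LOG = []

def audit(caller, event, detail):
    record = {"ts": datetime.now(timezone.utc).isoformat(),
              "caller": caller, "event": event, "detail": detail}
    AUDIT_LOG.append(record)
    return record

def handle_request(token, tool, user_input, call_model, api_key):
    """Wrap one model call in items 2-5; returns (status, payload)."""
    caller = authorize(token, tool)
    if caller is None:
        audit(token[:4] + "...", "denied", tool)  # never log the full credential
        return "denied", None
    try:
        clean = sanitize_input(user_input)
    except ValueError as err:
        audit(caller, "input_rejected", str(err))
        return "rejected", str(err)
    audit(caller, "input", clean)
    raw = call_model(api_key, tool, clean)
    obj, reason = validate_output(raw, forbidden=[api_key])
    if obj is None:
        audit(caller, "output_rejected", reason)
        return "blocked", reason
    audit(caller, "output", obj["answer"])
    return "ok", obj["answer"]

def fake_model(api_key, tool, prompt):
    """Constructed stand-in for the real model client; echoes a JSON answer."""
    return json.dumps({"answer": f"[{tool}] {prompt[:40]}"})
```

Every branch that refuses a request still writes an audit record, so a failed authentication or a blocked output is visible in the log rather than silently dropped; the denied-path record deliberately stores only a token prefix, because the audit log itself must not become a second place where credentials live.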
Run this checklist before every deployment. Not most deployments. Every deployment. The day you skip the checklist because "this is just a quick prototype" is the day the prototype gets shared with a client, gets connected to production data, and quietly becomes the production system that nobody secured. Prototypes have a way of becoming permanent. Secure them from the start.
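A pre-deployment gate for item 1, added here as an example and not part of the course material: it searches the codebase for the live key values taken from the environment (the check the checklist asks you to do by hand), flags lines that look like a key, and confirms that .gitignore has a rule covering .env. The regexes are approximate shapes (a generic `sk-` prefix, the `AKIA` prefix AWS uses for access key IDs, and a quoted assignment to a name like `api_key`); `SAMPLE_REPO` is a constructed in-memory snapshot used so the block runs offline, and the simplified .gitignore matching is an assumption of this example.

```python
import fnmatch
import os
import re
import sys
from pathlib import Path

# Approximate shapes of common key formats (constructed regexes; extend for your providers).
KEY_PATTERNS = {
    "sk_prefixed_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "quoted_secret_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[=:]\s*['\"][^'\"]{12,}['\"]"),
}

def scan_for_secrets(files, known_secrets=(), skip=(".env",)):
    """files: {relative_path: text}. Returns (path, line_no, reason) for every hit outside .env."""
    findings = []
    for path, text in files.items():
        if Path(path).name in skip:
            continue
        for n, line in enumerate(text.splitlines(), 1):
            for secret in known_secrets:
                if secret and secret in line:
                    findings.append((path, n, "contains a live key value from the environment"))
            for name, pattern in KEY_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, n, f"matches {name} pattern"))
    return findings

def env_is_ignored(gitignore_text):
    """Simplified .gitignore check: does any non-comment rule match the file name '.env'?"""
    for line in gitignore_text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith(("#", "!")):
            continue
        if fnmatch.fnmatch(".env", rule.lstrip("/")):
            return True
    return False

def predeploy_gate(files, known_secrets=()):
    """Return a list of problems; an empty list means item 1 passes."""
    problems = [f"{p}:{n}: {why}" for p, n, why in scan_for_secrets(files, known_secrets)]
    if not env_is_ignored(files.get(".gitignore", "")):
        problems.append(".gitignore: no rule ignores .env")
    return problems

def load_repo(root):
    """Read every file under root (skipping .git) into the {path: text} shape the gate expects."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            files[str(p.relative_to(root))] = p.read_text(errors="ignore")
    return files

# Constructed repo snapshot: config.py hardcodes the same key that .env holds.
SAMPLE_REPO = {
    ".gitignore": "__pycache__/\n",
    ".env": "MODEL_API_KEY=sk-constructedexamplekey0123456789\n",
    "app/config.py": 'API_KEY = "sk-constructedexamplekey0123456789"\n',
    "app/main.py": "import os\nKEY = os.environ['MODEL_API_KEY']\n",
}

if __name__ == "__main__":
    # Real use: scan a working tree and treat every *_KEY / *_TOKEN env value as a known secret.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    secrets = [v for k, v in os.environ.items() if k.endswith(("_KEY", "_TOKEN"))]
    problems = predeploy_gate(load_repo(root), secrets)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it as the last step of your deploy script with the same environment the service will use; a non-zero exit stops the deployment, which is what makes "every deployment" a property of the pipeline rather than of the engineer's memory.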