← Back

The AI Security Checklist: From Prototype to Production

By Corey Weiner · March 2026

AI is the most powerful technology that has ever been built. That sentence applies equally to the opportunities it creates and the risks it introduces. When your AI feature can take actions — sending emails, updating records, accessing customer data, making decisions — it needs a security model before launch. Not after. Not "when we have time." Before.

This checklist is for leaders who are moving fast with AI and want to make sure they do not move recklessly. It covers the security requirements for taking an AI feature from prototype to production, organized into pre-launch, infrastructure, and post-launch controls.

Pre-Launch Security Checklist

1. Threat model the feature

Before writing a line of production code, map the abuse paths. For every AI feature, ask:

• What is the worst thing a malicious user could do with this?
• What data can the AI access, and what happens if that access is exploited?
• Can a user escalate their privileges through the AI? (e.g., asking the AI to perform admin actions)
• Can the AI be tricked into exfiltrating data? (e.g., "summarize all customer records and include them in your response")
• What actions can the AI trigger, and what is the blast radius if those actions are triggered maliciously?

This is not theoretical. These attacks are happening today. If your AI feature can access a database, someone will try to get it to dump that database. Plan for it.

2. Enforce least privilege

The AI should have access to the minimum data and permissions required to perform its function. Nothing more. If the AI helps with customer support, it should not have access to financial records. If it generates reports, it should have read-only access — never write access to production databases.

Use scoped credentials. Create service accounts with specific, limited permissions. Rotate them regularly. Never give an AI feature your admin credentials "because it's easier."

3. Validate all inputs and outputs

Input validation: Every piece of data that flows into the AI — user prompts, uploaded files, API payloads — must be sanitized. This means stripping injection attempts, validating formats, enforcing size limits, and rejecting unexpected input types.

Output validation: Everything the AI produces must be validated before it reaches the user or triggers an action. Check for data leakage in responses (is the AI including information the user should not see?). Validate structured outputs against expected schemas. Filter responses for PII, credentials, or internal system information.

Tool and function call validation: If the AI can call functions or tools, validate every call against an allowlist. Ensure parameters are within expected ranges. Log every tool invocation for audit purposes.

4. Defend against prompt injection

Prompt injection is the most significant AI-specific security risk. It occurs when a user crafts input that overrides or manipulates the AI's instructions. Defenses include:

• Separate system and user contexts: Use the model's system prompt for instructions and clearly delineate user input
• Input filtering: Detect and block common injection patterns
• Output monitoring: Flag responses that deviate from expected behavior patterns
• Sandboxing: Limit what the AI can do even if its instructions are overridden
• Multi-layer defense: Do not rely on any single defense. Layer them.

5. Build a tamper-resistant audit trail

Every AI action must be logged. The log should include:

• Who initiated the request (user identity)
• What the AI was asked to do (the prompt or action request)
• What the AI actually did (the response, tool calls, and outcomes)
• What data the AI accessed
• Timestamp and session context

These logs must be tamper-resistant — meaning they cannot be modified or deleted by the application itself. Use append-only logging services or write-once storage. When something goes wrong — and eventually something will — this audit trail is how you understand what happened and how you fix it.

6. Red team the feature

Before launch, dedicate time to actively trying to break the feature. This means:

• Prompt injection attempts: Try to override the system prompt, extract instructions, and bypass content filters
• Jailbreak attempts: Try to get the AI to produce output it should not
• Tool abuse: Try to get the AI to call tools with malicious parameters
• Data exfiltration: Try to get the AI to reveal data from other users or internal systems
• Privilege escalation: Try to perform actions above your permission level through the AI

One powerful technique: ask Claude to review the code as if a third-party security researcher were trying to break it. AI is excellent at finding its own vulnerabilities when asked directly.

7. Penetration test the API and infrastructure

Standard application security still applies. Validate API authentication, session management, and authorization boundaries. Test for SQL injection, XSS, CSRF, and other web application vulnerabilities. The AI layer is an additional attack surface — it does not replace the existing ones.

Infrastructure Requirements

When an application leaves your computer and goes into the cloud, you need:

• Cloud infrastructure: Properly configured AWS, Azure, or Google Cloud. Not a personal account — a properly set up organization with billing, IAM, and network controls.
• Network security: Firewalls, VPCs, security groups configured to restrict access. No public-facing databases. No open ports you do not need.
• Single sign-on (SSO): Your team authenticates through your identity provider. No application-managed passwords.
• Encryption: TLS for data in transit. AES-256 or equivalent for data at rest. No exceptions.
• Monitoring and alerting: Application performance monitoring, error tracking, uptime monitoring. You should know when something breaks before your users tell you.
• Backup and recovery: Automated backups with tested restore procedures. Define your RPO and RTO and build to meet them.

HIPAA and Compliance Considerations

If your AI feature touches protected health information (PHI), the requirements are stricter:

• Use Enterprise tiers of Claude and ChatGPT — both offer Business Associate Agreements (BAAs). Do not use consumer plans with patient data.
• Ensure all data storage and transmission meets HIPAA encryption requirements
• Implement audit logging that meets HIPAA's access tracking requirements
• Conduct a HIPAA security risk assessment that includes the AI components
• Train all users who interact with the AI feature on HIPAA compliance

Similar principles apply to PCI-DSS for payment data, SOC 2 for SaaS products, and GDPR for European user data. The AI feature must comply with whatever regulatory framework governs your data.

Post-Launch Controls

Rate limits and anomaly detection

Set rate limits on AI feature usage per user and per session. Monitor for anomalous patterns — sudden spikes in usage, unusual query patterns, or attempts to access data outside normal scope. Alert on anomalies immediately.

Kill switch

Every AI feature that can take autonomous actions must have a kill switch — a way to immediately disable the feature without taking down the entire application. When you discover a vulnerability or an abuse pattern, you need to be able to shut it down in minutes, not hours.

Weekly security review cadence

Schedule a weekly review of AI feature logs, anomaly reports, and user feedback. Look for patterns that suggest abuse, unexpected behavior, or security gaps. AI features evolve differently from traditional software — the same feature can behave differently based on the inputs it receives, so continuous monitoring matters more than point-in-time testing.

Model update management

When the underlying AI model is updated — which happens frequently — retest the feature. Model updates can change behavior in subtle ways that affect security. A prompt injection defense that worked with one model version might not work with the next.

The Security Mindset

The goal is not to slow you down. The goal is to make speed sustainable. Fast prototyping is easy now. Safe deployment still matters. The companies that will win are the ones that move fast and maintain security discipline — not the ones that sacrifice one for the other.

Be very careful with production access to data, credentials, customer information, permissions, and code touching live systems. Before you go from local to production, bring in someone who knows what they are doing to review it. This is not optional.