Secure AI Coding Agents: The 2026 Security Checklist

March 2026 • 11 min read

AI coding agents are now part of production engineering workflows at companies of every size. But the security practices around deploying these agents have not kept pace with adoption. Most teams are running agents with their personal credentials, full filesystem access, and unrestricted network egress -- essentially giving an AI system the keys to their entire development environment.

This checklist distills guidance from the OWASP Agentic Top 10, NVIDIA's AI Red Team publications, and real-world incidents into 20 actionable security controls. Score your team against each item and prioritize the gaps.

Access Control (Items 1-3)

1. Enforce least-privilege permissions. Your AI agent should not run with your full user permissions. Create a dedicated service account or use permission scoping so the agent can only access what it needs for the current task. Claude Code's permission model, which requires explicit approval for file writes and command execution, is a good baseline -- but it still runs as your user.

2. Scope file system access to the project directory. The agent should not be able to read ~/.ssh, ~/.aws, ~/.config, or any directory outside the current project. Use bind mounts or chroot to enforce this at the OS level, not just at the application level. Application-level restrictions can be bypassed through shell commands.

3. Maintain a tool allowlist. If your agent framework supports MCP (Model Context Protocol) servers or tool plugins, explicitly allowlist only the tools required for the task. Every additional tool expands the attack surface. Review tool permissions quarterly and remove unused ones.

Sandboxing (Items 4-6)

4. Run agents in container or VM isolation. At minimum, use a hardened Docker container with dropped capabilities, seccomp profiles, and no-new-privileges. For higher-risk workloads, use gVisor or microVMs (Firecracker, Kata Containers). Never run agents directly on your development machine for production workloads.

5. Use a read-only root filesystem. The agent's container should have a read-only root filesystem with a size-limited tmpfs for temporary files. This prevents the agent from modifying system binaries, installing persistent backdoors, or exhausting disk space.

6. Set resource limits. Configure CPU, memory, and disk quotas for every agent session. An agent caught in an infinite loop or performing a denial-of-service attack (whether intentional or accidental) should hit a hard ceiling rather than consuming all available resources.

Network Security (Items 7-9)

7. Deploy an egress allowlist proxy. This is the single most impactful network control. Route all outbound traffic through a proxy that only permits connections to known-good destinations: your AI provider's API, package registries, and your internal services. Block everything else. This prevents data exfiltration even if the agent is fully compromised.

8. Log all DNS queries. DNS logging catches exfiltration attempts that use DNS tunneling and reveals which domains the agent is attempting to contact. Any query to an unexpected domain should trigger an alert.

9. Enable TLS inspection for outbound connections. Without TLS inspection, you cannot verify what data is being sent to allowed endpoints. A compromised agent could embed stolen credentials in an API request body. TLS inspection at the proxy level lets you audit outbound payloads.

Credential Management (Items 10-12)

10. Use only short-lived tokens. Every credential available to the agent should expire when the session ends. Use STS (AWS), workload identity (GCP), or managed identity (Azure) for cloud access. For API keys, generate session-scoped tokens from your secrets manager.

11. Never expose personal credentials to the agent. Your personal SSH keys, cloud credentials, and API tokens should not exist in the agent's environment. If the agent needs git access, provide a deploy key. If it needs cloud access, provide a scoped service account. The agent's compromise should not compromise your personal identity.

12. Integrate with a secrets vault. Use HashiCorp Vault, AWS Secrets Manager, or 1Password Service Accounts to inject secrets at runtime. Secrets should never appear in environment variables, config files, or command-line arguments visible in process listings.

Code Review (Items 13-15)

13. Review every diff before applying. Never auto-accept agent-generated code changes. Review diffs with the same scrutiny you would apply to a junior developer's pull request. Look specifically for: added dependencies, modified config files, new network calls, permission changes, and any code that handles credentials.

14. Run SAST on agent output. Feed all agent-generated code through your static analysis pipeline before merging. Tools like Semgrep, CodeQL, and Snyk can catch insecure patterns that human review might miss -- hardcoded secrets, SQL injection, path traversal, and insecure deserialization.

15. Audit all dependency additions. When an agent adds a new dependency, verify it against known-good packages. Check the package name for typosquatting, verify the publisher, review the download count, and scan for known vulnerabilities. Supply chain attacks via agent-suggested packages are a documented attack vector.

Monitoring and Incident Response (Items 16-20)

16. Ship immutable audit logs. Every agent action should be logged to a tamper-proof destination. The agent should not be able to modify or delete its own logs. Include timestamps, action type, affected files/commands, and the prompt context that triggered the action.

17. Implement anomaly detection. Set baselines for normal agent behavior (typical number of file writes, command executions, API calls per session) and alert on deviations. An agent that suddenly starts writing to system directories or making unusual network connections should trigger immediate investigation.

18. Enforce session time limits. No agent session should run indefinitely. Set hard time limits based on the expected task duration. A code review agent might get 30 minutes; a feature implementation agent might get 2 hours. Sessions that hit the limit should terminate automatically.

19. Maintain a kill switch. Every agent session must have an immediate termination mechanism. This should kill the agent process, revoke its credentials, and preserve logs for investigation. Test this mechanism regularly -- a kill switch that does not work when you need it is worse than none at all.

20. Document rollback procedures. Before running an agent on any codebase, ensure you can roll back all changes it makes. This means working on feature branches (never main), committing before agent sessions, and having tested procedures for reverting infrastructure changes. If an agent corrupts your state, recovery should take minutes, not hours.

Scoring Your Team

Rate your implementation of each item: 1 point for fully implemented, 0.5 for partially implemented, 0 for not implemented.

• 18-20: Production-ready. Your agent security posture is strong. Focus on continuous improvement and red-teaming.
• 14-17: Good foundation. Address the gaps in your weakest category first.
• 10-13: Significant risk. Prioritize the critical items (Access Control and Sandboxing) immediately.
• Below 10: Pause agent deployments until you have addressed the top 5 items listed in the Pro Tip above.

Security for AI coding agents is not a one-time setup -- it is an ongoing practice. Review this checklist quarterly, update it as new threats emerge, and treat agent security with the same rigor you apply to your production infrastructure. The tools are powerful. The responsibility to use them safely is yours.