AI Agent Security Checklist for Enterprise IT Managers

Enable Azure AD authentication for all Azure OpenAI endpoints required

Disable API key authentication entirely and require Entra ID (Azure AD) for every Azure OpenAI Service call. Eliminates shared credential risks and enables per-user audit trails.

Implement role-based access control (RBAC) with least privilege required

Use Azure built-in roles like Cognitive Services OpenAI User for read access and Contributor only for admins. Assign at resource group level, not subscription. Prevents lateral movement after credential compromise.

Enforce managed identities for application access required

Configure Azure AI services to authenticate via managed identities instead of connection strings. Rotates credentials automatically and eliminates secrets in code. Reduces breach window from months to minutes.

Enable Conditional Access policies for AI service access recommended

Require MFA, compliant devices, and approved locations for Azure OpenAI access through Entra ID Conditional Access. Blocks 90% of credential stuffing attacks at the identity layer.

Set up Privileged Identity Management (PIM) for admin roles recommended

Require just-in-time activation with approval workflow for Cognitive Services Contributor role. Limits standing admin access and creates audit trail for every elevation.

Deploy Azure OpenAI behind private endpoints required

Configure private link to keep all Azure OpenAI traffic on your virtual network. Blocks internet exposure entirely and prevents data exfiltration through public APIs. Required for HIPAA and PCI-DSS.

Enable customer-managed keys (CMK) for data at rest required

Use Azure Key Vault with your own encryption keys for Azure AI Search indexes and Document Intelligence storage. Gives you cryptographic control and supports data residency requirements.

Configure Azure AI Content Safety filters at deployment level required

Set content filters to block hate speech, violence, sexual content, and self-harm in both prompts and completions. Enforced at the Azure OpenAI deployment, not application layer—can't be bypassed by developers.

Implement network security groups (NSGs) with deny-by-default recommended

Whitelist only required IP ranges and Azure service tags for AI workloads. Block outbound internet from AI agent VMs. Stops exfiltration through compromised agents.

Enable Azure Private Link for Azure AI Search recommended

Move your RAG vector databases off public endpoints. Keeps enterprise documents and embeddings isolated from internet. Reduces attack surface by 80% for retrieval-augmented generation apps.

Turn on diagnostic logging for all Azure AI services required

Send Azure OpenAI request logs, Azure AI Search query logs, and Document Intelligence activity to Log Analytics workspace. Retain 90+ days. Required for SOC 2 and incident response.

Configure Azure Monitor alerts for anomalous usage patterns required

Set alerts for token usage spikes >200% baseline, after-hours access, and new geo-locations. Detects compromised credentials and shadow AI deployments within 15 minutes.

Enable Microsoft Defender for Cloud for AI workloads recommended

Activates threat detection for Azure OpenAI and AI Search. Flags prompt injection attempts, credential scanning, and data exfiltration patterns. Generates MITRE ATT&CK-aligned alerts.

Implement Azure Policy guardrails for AI resource creation recommended

Block deployment of Azure OpenAI and AI Search outside approved regions and resource groups. Prevents developers from spinning up non-compliant instances. Saves 5+ hours per month chasing shadow deployments.

Configure Azure Purview data governance for AI data sources optional

Scan and classify data sources used in RAG applications. Tracks sensitive data lineage from SharePoint to Azure AI Search to OpenAI. Required for GDPR Article 30 records of processing.

Deploy Azure AI Foundry prompt shields for injection defense required

Use built-in jailbreak detection and user prompt validation in Azure AI Foundry. Blocks 95% of known prompt injection attacks before they reach your model. Enabled per-deployment in Azure portal.

Implement Semantic Kernel guardrails for agent function calling required

Use Semantic Kernel's function filters to validate every tool call before execution. Prevents agents from invoking unapproved APIs or accessing unauthorized data stores. Critical for autonomous agents.

Establish Azure OpenAI deployment quotas and rate limits recommended

Set tokens-per-minute (TPM) limits at deployment level, not subscription. Prevents runaway costs from infinite loops and limits blast radius from compromised agents. Configure 20% below usage baseline.

Use Azure OpenAI Provisioned Throughput for production workloads optional

Locks capacity and pricing for critical agents. Eliminates throttling risk and noisy neighbor issues in multi-tenant deployments. Guarantees SLA for customer-facing AI features.

Deploy Prompt Flow for centralized prompt version control recommended

Store all production prompts in Prompt Flow with Git integration. Tracks every prompt change, enables rollback, and enforces peer review. Prevents developers from pushing untested system messages to production.

Mandate Azure AI Foundry evaluation runs before deployment recommended

Require groundedness, relevance, and coherence scores above 0.7 threshold using Azure AI evaluators. Blocks low-quality or hallucinating agents from reaching production. Automated in CI/CD pipeline.

Publish approved AI patterns in Azure DevOps repository optional

Provide secure reference architectures for RAG, agent orchestration, and document processing. Include Bicep templates with security controls baked in. Cuts developer onboarding time from 3 weeks to 3 days.