AI systems introduce security requirements that traditional application security checklists do not cover. The attack surface is different: you are not just securing code and infrastructure; you are also securing the data the model trains on and retrieves, the prompts users submit, the model outputs that reach downstream systems, and the vendors whose models and services sit inside your stack.
This checklist covers the areas that US enterprise security and compliance teams ask about most frequently before approving AI deployments. It is organized by category. Not every item applies to every deployment, but each one should be explicitly evaluated.
Data handling
- Data classification completed. Every dataset used to train, fine-tune, or provide retrieval context to the AI system has been classified (public, internal, confidential, regulated). The classification determines which data can be sent to external model APIs.
- PII identified and handled. Any personal data that enters the AI pipeline has explicit handling: anonymization, pseudonymization, or documented basis for processing under CCPA or GDPR.
- Data residency requirements documented. If the organization has data residency obligations, the model provider and processing infrastructure have been verified to meet those requirements. Not all model APIs offer regional data processing guarantees.
- Training data provenance recorded. The source and licensing status of all training data is documented. This is relevant for intellectual property risk and for responding to data subject access requests.
Access control
- Least-privilege access enforced. The AI system has access only to the data sources, APIs, and systems required for its specific function. This applies to both the model inference calls and any agents that take actions on behalf of users.
- API key management in place. Model provider API keys and internal service credentials are stored in a secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) and fetched at runtime, not committed to source code or left in environment variables, configuration files, or container images. Each key is scoped to a single environment and rotated on a schedule, so a leaked key can be revoked without an outage.
- User-level authorization implemented. If the AI system surfaces information from internal data sources, the retrieval layer enforces the same access controls as the underlying systems, evaluated against the requesting user's identity before any document reaches the prompt. A user who cannot access a document directly should not receive its contents through an AI interface, and the model itself must never be the component deciding what a user is entitled to see.
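The retrieval-layer check described above, as an added example that is not code from the original page or from MetaSys. The corpus, group names, ACL model and keyword scorer are constructed for illustration; a real deployment would apply the same filter through the vector store's metadata filtering or the source system's permission API. It shows the unfiltered pattern next to the hardened one and why the entitlement filter has to run before top-k ranking, not after.

```python
"""Document-level authorization in a retrieval layer (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    allowed_groups: frozenset  # groups entitled to read this document (assumed ACL model)


@dataclass(frozen=True)
class User:
    user_id: str
    groups: frozenset  # resolved from the identity provider before the request reaches us


# Constructed corpus standing in for indexed documents and the ACLs of their source systems.
CORPUS = [
    Document("hr-001", "Salary bands for 2024 engineering roles", frozenset({"hr", "exec"})),
    Document("eng-042", "Deployment runbook for the payments service", frozenset({"eng"})),
    Document("pub-007", "Company holiday schedule for all staff", frozenset({"everyone"})),
]


def _score(query: str, doc: Document) -> int:
    """Toy relevance score: number of query terms present in the document."""
    return len(set(query.lower().split()) & set(doc.text.lower().split()))


def retrieve_unfiltered(query: str, k: int = 3) -> list[str]:
    """The failure mode: retrieval runs with the service account's view of the
    whole corpus, so whatever ranks highest reaches the prompt and the model's
    answer becomes the only thing between a user and a document they may not read."""
    hits = [d for d in CORPUS if _score(query, d) > 0]
    hits.sort(key=lambda d: _score(query, d), reverse=True)
    return [d.doc_id for d in hits[:k]]


def can_read(user: User, doc: Document) -> bool:
    return bool(user.groups & doc.allowed_groups)


def retrieve_for_user(user: User, query: str, k: int = 3) -> list[str]:
    """Hardened: restrict the candidate set to what the caller may read BEFORE
    ranking and top-k. Filtering after top-k would let an unauthorised document
    occupy a slot and leak its existence through a shorter-than-expected result."""
    visible = [d for d in CORPUS if can_read(user, d)]
    hits = [d for d in visible if _score(query, d) > 0]
    hits.sort(key=lambda d: _score(query, d), reverse=True)
    return [d.doc_id for d in hits[:k]]


def build_context(user: User, query: str) -> str:
    """Assemble retrieval context for the prompt. Each chunk is wrapped as data,
    not instructions, and nothing the user cannot read is ever included."""
    by_id = {d.doc_id: d for d in CORPUS}
    chunks = [f'<document id="{doc_id}">{by_id[doc_id].text}</document>'
              for doc_id in retrieve_for_user(user, query)]
    return "\n".join(chunks)


if __name__ == "__main__":
    engineer = User("alice", frozenset({"eng", "everyone"}))
    print("unfiltered:", retrieve_unfiltered("salary bands engineering"))
    print("for engineer:", retrieve_for_user(engineer, "salary bands engineering"))
```

The same check applies to agents that call tools: the tool's data access is bound to the requesting user's entitlements, not to a shared service credential.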
Audit logging
- Input and output logging configured. All inputs to the model and all outputs are logged with timestamps and user or session identifiers. Logging is essential for incident investigation, compliance reporting, and identifying performance degradation.
- Retention policy defined. Log retention period is defined, consistent with legal hold requirements and regulatory obligations. Logs containing personal data have a documented retention and deletion schedule.
- Access to logs restricted. Log access is limited to authorized personnel. Logs that contain user inputs may themselves be sensitive.
Model and prompt security
- Prompt injection mitigations in place. If user-supplied text, or content retrieved from documents, web pages, or email, becomes part of a prompt, the system has mitigations against prompt injection: input validation, output filtering, and sandboxing of any tool calls the model can make. Filtering alone is not a reliable defense, so the design also assumes an injection will eventually succeed and limits the blast radius: tools are allowlisted, run with the requesting user's privileges rather than the service's, and irreversible actions require human confirmation.
- System prompt confidentiality considered. If the system prompt contains instructions that should not be disclosed, the design assumes users will attempt to extract it and mitigates accordingly. No security control depends on the system prompt staying secret: a restriction enforced only by prompt wording should be treated as bypassable.
- Output validation in place. Model outputs that feed into downstream systems (databases, APIs, user interfaces) are validated before use. Raw LLM output is not trusted as structured data without strict parsing and schema validation, and free-text output that reaches a SQL, shell, or HTML sink is handled as untrusted input with the same parameterization or encoding you would apply to user input.
Vendor due diligence
- Model provider terms reviewed. The data processing addendum and terms of service for the model provider have been reviewed by legal. Specifically: whether submitted data is used for training, how long inputs and outputs are retained (including any separate retention for abuse monitoring that applies even with a training opt-out), and what the provider's incident notification obligations are.
- Subprocessor inventory updated. The model provider and any third-party AI services are added to the organization's subprocessor inventory for GDPR and CCPA compliance purposes.
- Vendor security posture assessed. The model provider's independent assurance (SOC 2 Type II report, ISO 27001 certification) has been reviewed, with attention to whether the scope covers the specific service and region you will use. MetaSys operates as SOC 2-aligned and HIPAA-ready for engagements where these frameworks apply.
Compliance alignment
- HIPAA requirements addressed if applicable. Healthcare organizations deploying AI that processes protected health information need a business associate agreement with the model provider and must verify that the AI system does not disclose PHI inappropriately.
- Financial regulations reviewed if applicable. AI systems making or informing credit, underwriting, or investment decisions may fall under the Fair Credit Reporting Act, the Equal Credit Opportunity Act, or SEC regulations, depending on their function.
- Human oversight defined. For high-stakes decisions (lending, medical, employment), the human review process is documented and operational before the AI system goes live.
This checklist is a starting point, not a comprehensive security program. The specific requirements depend on your industry, the sensitivity of data the system processes, and the actions the AI system is authorized to take. Our Cloud and DevOps Engineering practice covers the infrastructure security controls, and our AI systems team covers the model-layer security patterns for every production deployment.
If you are preparing for a security review before an AI deployment and want a technical walkthrough of your architecture, book a scoping call. We will work through the checklist with your specific system in mind.