# Production AI architecture review checklist

Use this before increasing an agent's autonomy or allowing it to act on a production system.

## 1. Outcome and boundary

- [ ] The task has a measurable outcome and stopping condition.
- [ ] The agent's allowed files, tools, data, and environments are explicit.
- [ ] Irreversible decisions and prohibited actions are explicit.
- [ ] The maximum attempts, runtime, token spend, and financial cost are capped.

## 2. Identity and access

- [ ] Every agent and tool call has an attributable identity and trace ID.
- [ ] Permissions are least-privilege and scoped to the current task.
- [ ] Production capabilities use short-lived credentials.
- [ ] The agent cannot provision, widen, or approve its own credentials.
- [ ] Sensitive actions pass through an independently owned policy boundary.

## 3. Verification

- [ ] Success is verified against the real artifact, not the agent's report.
- [ ] Every autonomous iteration verifies the previous step before continuing.
- [ ] Critical checks fail closed when unavailable or uncertain.
- [ ] Negative tests prove that unsafe and incorrect actions are rejected.
- [ ] Evidence is tied to a specific source revision and deployed build.

## 4. Reliability and recovery

- [ ] Timeouts, retries, idempotency, and duplicate actions are handled explicitly.
- [ ] Partial completion can be detected and reconciled.
- [ ] Rollback is rehearsed and faster than manual investigation.
- [ ] The system has a circuit breaker for repeated or correlated failures.
- [ ] Dependency and policy-service outages have defined behaviour.

## 5. Human escalation

- [ ] The system knows which decisions require a person.
- [ ] Escalations include context, actions attempted, evidence, and a recommended next step.
- [ ] Denied actions enter an owned queue with a response expectation.
- [ ] A person can pause, revoke, or reduce autonomy immediately.
- [ ] Approval fatigue is monitored; repetitive low-risk approvals become narrow policies, not blanket access.

## 6. Data, security, and privacy

- [ ] Inputs and retrieved context are treated as untrusted.
- [ ] Secrets and personal data are excluded from prompts, logs, and model context unless essential.
- [ ] Output is validated before it reaches a database, customer, or external system.
- [ ] Tool responses cannot silently inject new instructions into the control plane.
- [ ] Audit evidence is tamper-resistant and retained for incident review.

## 7. Observability and economics

- [ ] Logs connect request, plan, tool calls, policy decisions, evidence, and outcome.
- [ ] Alerts detect loops, unusual spend, denial spikes, and repeated rollback.
- [ ] Latency and cost budgets exist per task and per successful outcome.
- [ ] The system reports human interventions and production escapes by task class.
- [ ] Increasing autonomy requires evidence that the current level is reliable.

## Release decision

Record the decision in one sentence:

> This system may operate at **[autonomy level]** for **[task class]** because **[evidence]** proves it can be detected, stopped, and reversed within **[time/budget]**.

If that sentence cannot be completed without hand-waving, keep the system at its current autonomy level.
