AI Agent Data Protection Checklist
AI agents that read, process, or generate data must be constrained to prevent unauthorized data access, exfiltration, and leakage. This checklist covers every data protection control an AI agent deployment needs. SafeClaw by Authensor enforces these controls through deny-by-default action gating — blocking all file reads, file writes, and network requests unless a YAML policy explicitly permits them. Install with npx @authensor/safeclaw.
Data Access Controls
- ✅ 1. Default deny all file reads. Start with `defaultAction: deny`. The agent cannot read any file until you add a specific allow rule.
- ✅ 2. Scope file read permissions to required directories only. Allow reads only in the directories the agent legitimately needs.

```yaml
defaultAction: deny
rules:
  - action: file.read
    path: "/app/data/public/**"
    decision: allow
    reason: "Public dataset for analysis"
  - action: file.read
    path: "/app/data/customer/**"
    decision: escalate
    reason: "Customer data requires human approval"
```
- ✅ 3. Deny access to credential files. Explicitly block all common credential locations (the `**` glob matches at any directory depth, so these rules apply wherever the files live).

```yaml
- action: file.read
  path: "**/.env"
  decision: deny
- action: file.read
  path: "**/.env.*"
  decision: deny
- action: file.read
  path: "**/.ssh/**"
  decision: deny
- action: file.read
  path: "**/.aws/**"
  decision: deny
- action: file.read
  path: "**/.gcloud/**"
  decision: deny
- action: file.read
  path: "**/credentials*"
  decision: deny
- action: file.read
  path: "**/secrets*"
  decision: deny
```
- ✅ 4. Deny access to system files. Block reads on `/etc/passwd`, `/etc/shadow`, system configs, and kernel parameters.
- ✅ 5. Deny access to other applications' data. The agent should not read databases, logs, or files belonging to other services.
Data Exfiltration Prevention
- ✅ 6. Default deny all network requests. The agent cannot send data anywhere unless the policy permits the specific domain.
- ✅ 7. Whitelist only required network targets. Allow requests only to the specific APIs the agent needs.

```yaml
- action: network.request
  domain: "api.internal.com"
  decision: allow
- action: network.request
  domain: "api.openai.com"
  decision: allow
# All other domains: denied by default
```
- ✅ 8. Block requests to known data-exfiltration vectors. Deny requests to file-sharing services, paste sites, and webhook endpoints the agent does not need.
- ✅ 9. Monitor denied network requests. A denied network request to an unexpected domain is a potential exfiltration attempt. Alert on these.
- ✅ 10. Restrict DNS lookups (if applicable). Agents can exfiltrate data through DNS queries. If your environment supports it, restrict DNS to approved resolvers.
Data Write Controls
- ✅ 11. Scope file write permissions narrowly. Allow writes only to specific output directories.

```yaml
- action: file.write
  path: "/app/output/**"
  decision: allow
- action: file.write
  path: "/tmp/agent-workspace/**"
  decision: allow
# All other writes: denied
```
- ✅ 12. Deny writes to system directories. Block writes to `/etc/`, `/usr/`, `/bin/`, and other system paths.
- ✅ 13. Deny writes to other applications' directories. The agent should not modify files belonging to other services.
- ✅ 14. Escalate writes to configuration files. Any write to a `.config`, `.yaml`, `.json`, or `.toml` file in a configuration directory should require human approval.
Data in Transit
- ✅ 15. Enforce HTTPS for all allowed network requests. Deny plain HTTP requests to prevent data interception.
- ✅ 16. Verify that LLM API calls do not leak sensitive data. If the agent sends data to an LLM provider, ensure the data is classified as safe for external processing.
- ✅ 17. Log all data sent to external APIs. The audit trail should record the target domain for every network request the agent makes.
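Items 6, 7, 9 and 15 together describe how an outbound request should be gated: parse the URL, reject anything that is not HTTPS, allow only exact domains from the policy, deny everything else, and treat a denied request to a domain no rule mentions as an alert. The Python below is an added example for this page, not SafeClaw's own code. It matches on the parsed hostname rather than on the raw URL string, which is why a URL carrying an allowed domain in its userinfo part (`https://api.internal.com@paste.example.net/`) is still denied and flagged. The `require_https` switch and the `alert` field are assumptions of this example.

```python
from urllib.parse import urlsplit

# Added example, not SafeClaw code: deny-by-default gating of network.request
# actions with an exact-domain allowlist and HTTPS enforcement.

# Constructed sample policy mirroring item 7 above.
NETWORK_POLICY = {
    "defaultAction": "deny",
    "rules": [
        {"action": "network.request", "domain": "api.internal.com", "decision": "allow"},
        {"action": "network.request", "domain": "api.openai.com", "decision": "allow"},
    ],
}


def gate_request(policy: dict, url: str, require_https: bool = True) -> dict:
    """Decide one outbound request. 'alert' marks denials worth paging on (item 9)."""
    parts = urlsplit(url)
    # Match on the parsed hostname: userinfo, port and path are not part of the domain.
    host = (parts.hostname or "").lower()
    if not host:
        return {"decision": "deny", "host": None, "reason": "no host in URL", "alert": True}
    if require_https and parts.scheme != "https":
        # Item 15: a plain-HTTP request is denied even for an allowed domain.
        return {"decision": "deny", "host": host,
                "reason": f"scheme {parts.scheme!r} is not https", "alert": False}
    for rule in policy["rules"]:
        if rule["action"] == "network.request" and rule["domain"].lower() == host:
            return {"decision": rule["decision"], "host": host,
                    "reason": f"rule for {rule['domain']}", "alert": False}
    # Item 9: denied because no rule names this domain; a possible exfiltration attempt.
    return {"decision": policy["defaultAction"], "host": host,
            "reason": "no rule for domain", "alert": True}


def alert_hosts(policy: dict, urls: list) -> list:
    """Hosts behind denied requests that no rule anticipated, in first-seen order."""
    seen = []
    for u in urls:
        r = gate_request(policy, u)
        if r["alert"] and r["host"] and r["host"] not in seen:
            seen.append(r["host"])
    return seen


if __name__ == "__main__":
    # Constructed sample of requests an agent might attempt.
    sample = [
        "https://api.internal.com/v1/ingest",
        "http://api.internal.com/v1/ingest",
        "https://api.internal.com@paste.example.net/upload",
        "https://files.example.org/put",
    ]
    for u in sample:
        print(u, "->", gate_request(NETWORK_POLICY, u))
    print("alert on:", alert_hosts(NETWORK_POLICY, sample))
```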
Data at Rest
- ✅ 18. Agent output files should not contain credentials. Review agent outputs for accidentally included API keys, tokens, or passwords.
- ✅ 19. Audit trail does not contain sensitive data. Sanitize action parameters in audit entries to prevent logging full file contents or credentials.
- ✅ 20. Agent workspace is cleaned after execution. Temporary files created by the agent should be deleted when the agent completes its task.
Audit and Evidence
- ✅ 21. All data access is recorded in the audit trail. Every file read, file write, and network request is logged with the full path or domain.
- ✅ 22. Data access patterns can be exported for review. Generate reports of all data the agent accessed during a specific period.
- ✅ 23. Hash chain integrity is verified regularly. Ensure the audit trail has not been tampered with, maintaining the integrity of data access records.
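Items 19, 21 and 23 describe an audit trail whose entries carry the path or domain but not payloads or credentials, and whose integrity is protected by a hash chain. The Python below is an added example for this page, not SafeClaw's own audit format: each entry's hash covers its own fields plus the previous entry's hash, so editing, dropping or reordering an entry breaks verification from that point on. The sanitization rules (replace `content` with its byte count and SHA-256 digest, redact `key=value` secrets in string parameters), the entry layout and the canonical JSON encoding are assumptions of this example.

```python
import hashlib
import json
import re

# Added example, not SafeClaw code: a sanitized, hash-chained audit trail.

GENESIS = "0" * 64
_SECRET_RE = re.compile(r"\b(api[_-]?key|token|password|secret)(\s*[=:]\s*)\S+", re.IGNORECASE)


def _sha256(data) -> str:
    if isinstance(data, str):
        data = data.encode()
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> str:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sanitize_params(params: dict) -> dict:
    """Item 19: keep paths and domains, never file contents or credential values."""
    out = {}
    for key, value in params.items():
        if key in ("content", "body"):
            raw = value if isinstance(value, bytes) else str(value).encode()
            out[key + "Bytes"] = len(raw)       # size is enough for review
            out[key + "Sha256"] = _sha256(raw)  # digest lets a reviewer match a known file
        elif isinstance(value, str):
            out[key] = _SECRET_RE.sub(r"\1\2[REDACTED]", value)
        else:
            out[key] = value
    return out


def append_entry(trail: list, ts: str, action: str, params: dict, decision: str) -> dict:
    """Item 21: record every action; the hash links this entry to the previous one (item 23)."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"seq": len(trail), "ts": ts, "action": action,
            "params": sanitize_params(params), "decision": decision, "prev": prev}
    entry = dict(body, hash=_sha256(_canonical(body)))
    trail.append(entry)
    return entry


def verify_chain(trail: list) -> dict:
    """Item 23: recompute every hash and link; report the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev") != prev
                or _sha256(_canonical(body)) != entry.get("hash")):
            return {"ok": False, "at": i}
        prev = entry["hash"]
    return {"ok": True, "at": len(trail)}


if __name__ == "__main__":
    # Constructed sample session.
    trail = []
    append_entry(trail, "2024-01-01T00:00:00Z", "file.read",
                 {"path": "/app/data/public/report.csv"}, "allow")
    append_entry(trail, "2024-01-01T00:00:01Z", "file.write",
                 {"path": "/app/output/summary.txt", "content": "api_key=sk-constructed"}, "allow")
    append_entry(trail, "2024-01-01T00:00:02Z", "network.request",
                 {"domain": "paste.example.net"}, "deny")
    print(json.dumps(trail, indent=2))
    print("intact:", verify_chain(trail))
    tampered = [dict(trail[0], decision="deny")] + trail[1:]
    print("tampered:", verify_chain(tampered))
```

Verification should run from a copy of the trail held outside the agent's write scope; a chain only proves tampering if the attacker cannot also rewrite every later hash, so the latest hash is worth anchoring somewhere the agent cannot reach.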
Cross-References
- Prevent Agent Data Exfiltration
- Prevent Agent Env File Access
- Data Exfiltration Threat
- GDPR and AI Agents
- Credential File Read Threat
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw