Checklists

Practitioner-ready defensive guidance distilled from primary research — each item points back to the evidence behind it.

May 2026·AI Security

Hardening Multi-Agent Systems Against Prompt Injection

An execution checklist for engineers and security reviewers responsible for multi-agent LLM systems that use tools, shared memory, or agent-to-agent delegation. It defends against prompt injection, memory poisoning, tool-manifest poisoning, and cross-agent infection by enforcing privilege separation, typed channels, authenticated tool metadata, sandboxed sinks, and partitioned memory. Run it per release on production deployments; treat any unchecked item as a known gap that needs a documented exception.

May 2026·AI Security

Hardening Tool-Using LLM Agents Against Prompt Injection

This checklist hardens single-agent tool-using LLM deployments — MCP clients, Copilot-style assistants, browsing agents, and code agents — against prompt injection and indirect prompt injection. It targets engineers and security reviewers running pre-launch or quarterly reviews. Use it to audit capability planning, untrusted-content ingestion, tool-call validation, memory and RAG provenance, and detection. Some reproduction details are withheld; defenses are framed at the architectural level.

May 2026·AI Security

Hardening Tool-Using Agents with Capability Control and Sandboxing

This checklist hardens tool-using LLM agents, including MCP-based deployments, at the architectural layer where prompt-level defenses fail. It is for platform and security engineers who own the runtime, broker, and sandbox. Use it per release on agent platforms and quarterly on production deployments. It defends against indirect prompt injection, tool hijacking, and capability abuse by separating planning from authority, removing ambient authority, brokering short-lived capabilities, enforcing information flow, and sandboxing untrusted computation and tool servers.

May 2026·Applied Intelligence

Hardening Compound AI Systems for Multi-Step Automation

This checklist hardens compound AI systems — multi-step LLM automation built from orchestrators, tool brokers, retrievers, memory, and validators — against indirect prompt injection, retrieval poisoning, excessive agency, and audit gaps. The audience is platform, ML, and security engineers preparing such a system for production. Run it as a pre-launch review and re-run it per release. Some reproduction details are withheld pending vendor coordination.

May 2026·Applied Intelligence

Hardening Function Calling and Tool-Use Reliability for Production LLM Agents

This checklist hardens LLM agents that call tools with side effects against the failure modes that produce wrong refunds, deleted production resources, duplicated mutations, and exfiltration via tool outputs. The audience is platform engineers, agent developers, and security reviewers who already understand tool use and want a control set beyond "enable function calling." Run it per release on every workflow that mutates state, and quarterly across the agent fleet. Some reproduction details are withheld pending vendor coordination.

May 2026·Human Learning

Designing Generative AI Tutors That Protect Learning, Not Just Practice Performance

This checklist hardens a generative AI tutor against the failure mode recent RCTs have documented: systems that boost practice scores while reducing unaided learning. It targets learning-systems engineers, instructional designers, and learning-experience leads building or reviewing a tutor. Use it per release and before any model-version upgrade. Each check names a control, an implementation pointer, and a verification signal, grouped by execution area from domain model through evaluation and human escalation.

May 2026·Human Learning

Designing AI Assistance That Preserves Learning: An LX Implementation Checklist

This checklist helps learning experience leads, learning engineers, and instructional designers build or procure AI tutoring systems that scaffold cognition rather than substitute for it. Run it during design review, vendor selection, or pre-launch hardening. It operationalizes seven design controls — objective classification, attempt-first gating, hint ladders, self-explanation, verification, scaffold fading, and AI-off transfer assessment — that separate learning-preserving tutors from answer engines. Pair with the cognitive offloading explainer for threat-model context.

May 2026·AI Security

Hardening Agentic Patch Validation in Automated Vulnerability Repair Pipelines

Use this checklist to harden an agentic automated vulnerability repair (AVR) pipeline so that a model-authored patch cannot pass acceptance by suppressing the proof-of-concept, editing the tests, or overfitting the validator. The audience is security engineers, AppSec leads, and AI-platform owners running AVR. Apply it once per pipeline, then re-review whenever the validation assets, the agent's tool surface, or the risk routing change.

May 2026·AI Security

Hardening Agentic Binary Reverse-Engineering Platforms

This checklist hardens agentic binary reverse-engineering platforms, meaning LLM agents that drive Ghidra, IDA, radare2, debuggers, and sandboxes against untrusted binaries. It targets platform owners and security architects running malware-triage, firmware-audit, or vulnerability-discovery agents. Use it to audit containment, capability control, evidence handling, and review gates before agent verdicts reach detection systems. Some attack-reproduction detail is withheld; defenses are described at the architectural level.