A quick no-login checklist for one AI workflow before a demo, pilot, client handoff, or public launch.
Can the workflow email, browse, edit files, post publicly, update records, call APIs, or run code?
Does it see customer records, support tickets, CRM notes, billing context, uploaded files, or private documents?
Can retrieved documents, saved context, previous conversations, or vector search results affect later actions?
Are OAuth scopes, service accounts, MCP servers, or delegated user permissions broader than the workflow needs?
Can external pages, comments, files, tickets, or emails tell the model to ignore instructions or misuse tools?
Could tool-call history, endpoint names, schemas, debug traces, or error messages reveal internal systems?
Is there a clear list of actions the AI must never take, plus a human escalation path for uncertainty?
Can the team show what was tested, what remains risky, and the highest-priority fixes before users depend on it?
If two or more answers are vague or unknown, pause the launch and tighten the workflow before it can affect real customers.
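One way to make the permission, injection, and escalation questions above concrete is a policy gate that sits between the model's proposed tool call and the tool itself: it enforces a never-allowed list, a tool allowlist with argument constraints no broader than the workflow needs, a per-session call budget, and a human escalation path for side effects driven by untrusted content. The code below is an added example, not code from this page or from the review service; the tool names, argument shapes, and policy values are assumptions for a hypothetical ticket-triage workflow.

```python
"""Tool-call policy gate (added illustration; tool names and policy values are assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolRule:
    """Narrowest constraints the workflow needs for one tool (assumed values)."""
    effect: str                                 # "read" or "write"
    max_calls: int = 100                        # per-session budget; catches runaway loops
    allowed_domains: frozenset = frozenset()    # recipient domains for email-like tools
    allowed_values: frozenset = frozenset()     # permitted values for enum-like fields
    needs_human: bool = False                   # always route through a person


# Actions the workflow must never perform on its own (assumed list).
NEVER_ALLOWED = frozenset({"delete_record", "post_public", "run_code", "transfer_funds"})

# Tool allowlist with per-tool constraints (assumed for the example workflow).
ALLOWED_TOOLS = {
    "read_ticket": ToolRule(effect="read", max_calls=50),
    "update_ticket_status": ToolRule(
        effect="write", allowed_values=frozenset({"open", "pending", "resolved"})),
    "send_email": ToolRule(
        effect="write", allowed_domains=frozenset({"example.com"}), needs_human=True),
}


@dataclass
class ToolCall:
    name: str
    args: dict
    # True when any argument was derived from untrusted content the model read
    # (retrieved pages, ticket bodies, emails), i.e. a possible injection vector.
    tainted: bool = False


@dataclass
class Decision:
    action: str   # "allow", "deny", or "escalate"
    reason: str


class PolicyGate:
    """Evaluates a proposed tool call before the tool is actually invoked."""

    def __init__(self) -> None:
        self.call_counts: dict = {}

    def evaluate(self, call: ToolCall) -> Decision:
        if call.name in NEVER_ALLOWED:
            return Decision("deny", f"{call.name} is on the never-allowed list")
        rule = ALLOWED_TOOLS.get(call.name)
        if rule is None:
            return Decision("deny", f"{call.name} is outside the workflow's tool allowlist")

        # Argument constraints: deny anything outside the narrow scope the workflow needs.
        if rule.allowed_domains:
            to = call.args.get("to", "")
            # rsplit on the last "@" so "a@example.com@evil.example" is judged by its real domain.
            domain = to.rsplit("@", 1)[-1].lower() if "@" in to else ""
            if domain not in rule.allowed_domains:
                return Decision("deny", f"recipient domain {domain!r} not in allowlist")
        if rule.allowed_values:
            status = call.args.get("status")
            if status not in rule.allowed_values:
                return Decision("deny", f"status {status!r} not in allowed values")

        # Session budget: a runaway loop is treated as uncertainty, not as normal operation.
        self.call_counts[call.name] = self.call_counts.get(call.name, 0) + 1
        if self.call_counts[call.name] > rule.max_calls:
            return Decision("escalate", f"{call.name} exceeded its budget of {rule.max_calls} calls")

        # Human escalation path: side effects driven by untrusted content, or tools
        # that always need a person.
        if rule.effect == "write" and call.tainted:
            return Decision("escalate", "write action whose arguments came from untrusted content")
        if rule.needs_human:
            return Decision("escalate", f"{call.name} always requires human approval")
        return Decision("allow", "within allowlist, argument constraints, and budget")


def run_demo() -> list:
    """Evaluate constructed tool calls a model might propose after reading a ticket
    whose body contains an injected instruction (sample input built for this example)."""
    gate = PolicyGate()
    calls = [
        ToolCall("read_ticket", {"id": 4812}),
        # Injected ticket text told the model to mail an export outside the company.
        ToolCall("send_email", {"to": "someone@evil.example", "body": "..."}, tainted=True),
        # Same tool, allowed domain, but still driven by untrusted text.
        ToolCall("send_email", {"to": "support@example.com", "body": "..."}, tainted=True),
        ToolCall("update_ticket_status", {"id": 4812, "status": "resolved"}),
        ToolCall("update_ticket_status", {"id": 4812, "status": "deleted"}),
        ToolCall("delete_record", {"id": 4812}),
        ToolCall("run_code", {"src": "print(1)"}),
    ]
    return [gate.evaluate(c).action for c in calls]


if __name__ == "__main__":
    for call_action in run_demo():
        print(call_action)
```

The gate answers the checklist's questions mechanically: the never-allowed list and the tool allowlist are written down rather than implied by whatever scopes the service account happens to hold, and a write whose arguments trace back to retrieved or user-supplied content goes to a person instead of executing. Tainting here is a flag the orchestration layer must set honestly; if the workflow cannot tell which arguments came from untrusted input, treat every write as tainted.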
For the review intake, do not send secrets, API keys, credentials, OAuth tokens, cookies, card or bank details, private payment pages, customer records, private handles, full names, full transaction IDs, or private dashboard screenshots.
The fixed-scope review covers one workflow and returns the top risks with severity and rationale, plus three prioritized fixes, within 24 hours of scope and safe intake being complete.