AI Security Audit Checklist

Every administrator account — email, cloud services, hosting, payment processors, domain registrar — must require MFA. Password alone is not sufficient for any privileged account.

Shared credentials make it impossible to audit who did what, and a single departed employee can retain access indefinitely. Every person must have their own login to every system.

Each employee and service account should have access only to the resources needed for their specific job. Marketing doesn't need database access. Customer service doesn't need billing admin.

Former employees retaining access is one of the most common (and preventable) breach vectors. Google Workspace, GitHub, Slack, CRM, cloud hosting — all must be revoked on the same day someone leaves.

Password reuse across services means a single breach of any service can cascade into every other. All passwords must be unique, randomly generated, and stored in an encrypted vault — not in a spreadsheet or browser.

Software integrations (Zapier, Make, your website) should authenticate via dedicated API keys or service accounts, not an employee's personal login. If that employee leaves, everything breaks.

Admin panels, databases, and internal tools should not be accessible from any IP address in the world. Requiring VPN or an IP allowlist means stolen credentials alone are not enough to gain access.

Permissions accumulate over time. Employees change roles, projects end, contractors finish — but access rarely gets cleaned up automatically. A quarterly audit prevents privilege creep.

Every open port is a potential entry point. Production servers should expose only the ports required for their function (80, 443, and SSH on a non-standard port). Database ports (3306, 5432, 27017) must never be publicly accessible.

Any page that receives form submissions, login credentials, or payment info must use HTTPS. Mixed content (HTTP resources on HTTPS pages) is also a violation. SSL certificates must not be expired.

A server without a firewall is a server with every door unlocked. UFW (Linux) or Windows Defender Firewall must be active with default-deny rules, allowing only explicitly required traffic.

Brute-force attacks against SSH password authentication are constant. If your server accepts password-based SSH logins, it's being attacked right now. Key-based auth eliminates this attack vector entirely.

A basic DDoS attack can take your website offline for days, costing you customers and revenue. Cloudflare's free tier provides substantial protection against volumetric attacks.

Without logging, you have no way to know when a breach happened, what was accessed, or how the attacker got in. Logs are required for incident response and often for compliance.

A customer or visitor connecting to your main WiFi has potential access to internal systems, printers, and network shares. Guest networks must be isolated from your business network.

Employees working from coffee shops, hotels, or home networks are on untrusted connections. A VPN encrypts their traffic and ensures access to internal resources is controlled.

HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) are free mitigations against XSS, clickjacking, and data injection attacks. Most businesses have them missing entirely.

A pen test finds vulnerabilities before attackers do. Annual testing is considered best practice and is required for some compliance frameworks (PCI-DSS, SOC2).

Customer PII, payment info, and credentials stored in plain text in a database is a compliance violation and a catastrophic breach risk. All sensitive data must be encrypted using AES-256 or equivalent.

Untested backups are not backups — they're false confidence. Ransomware attacks are only recoverable if you have verified, offline backups. The test is whether you can restore, not just whether the backup runs.

Data retention policy, GDPR/CCPA compliance, third-party data processor audit, employee data handling training, data breach notification procedure, secrets/API key rotation, and database access logging. Full details in paid version.

SQL injection protection, XSS prevention, dependency vulnerability scanning, secrets not in source code, rate limiting on all APIs, input validation at every boundary, CORS policy configuration, and software update policy. Full details in paid version.

Without these DNS records, attackers can send email that appears to come from your domain — tricking customers, partners, and employees. SPF+DKIM+DMARC is the baseline for email security.

Phishing simulation training, email filtering active, business email compromise (BEC) protection, wire transfer authorization policy, suspicious email reporting procedure, and executive impersonation protection. Full details in paid version.

When a breach happens, panic is your enemy. A written IR plan with clear roles, communication templates, and step-by-step procedures means your team responds effectively instead of improvising.

Security incident log, cyber insurance coverage, legal counsel identified, PR communication plan, customer notification templates, forensic evidence preservation, and post-incident review process. Full details in paid version.