Evaluation · Risk · April 2026 · 11 min read
Enterprise AI · Risk & Governance

AI Agent Security: The CFO/CIO Risk Checklist Before You Sign

AI agents have access to your transactional systems, your customer data, and your decision flows. Here is the risk checklist every CFO and CIO should work through before the first contract is signed.

Charles Sasi Paul
Founder & CEO, VoltusWave Technologies

AI agent contracts are unlike any enterprise software contract you have signed before.

When you buy an ERP, the vendor gives you software and you configure it. Risk lives in your configuration choices. When you buy a SaaS application, the vendor operates the service and you consume it. Risk lives at the integration boundary. When you deploy AI agents, something new is true: the vendor’s software takes autonomous actions inside your transactional systems, using your data, producing outcomes that affect your customers.

The risk profile is different. The evaluation checklist has to be different. This is the checklist every CFO, CIO, CISO, and General Counsel should run before the first agent contract is signed.

💡 The core principle. An AI agent is not a tool; it is a contractor. You are hiring software to act on your behalf. Evaluate it the way you would evaluate a contractor, with attention to access, liability, supervision, audit, and what happens when something goes wrong.

Category 1: Data access and residency

Agents need data to operate. The question is what data, where it goes, who else sees it, and under what legal regime it is processed.

Questions to ask

  • Which data systems will agents access, and with what permissions?
  • Where is the data processed — in your tenant, in the vendor’s tenant, in a third-party model provider’s tenant?
  • Is customer data used to train shared models? (The answer should be no for enterprise deployments.)
  • What is the data residency story for multi-region operations?
  • If the vendor receives a subpoena, regulator request, or investigation demand covering your data, what is it obliged to disclose, and will you be notified before it does?

What a good answer looks like

Data stays in your tenant or in a dedicated tenant under your account. Model providers do not retain or train on your data. Residency can be configured per region. Contracts specify the vendor’s obligations on legal process disclosure.

Category 2: Agent access and least-privilege

Agents execute transactions. If an agent has more access than it needs, you have amplified your attack surface: any compromise or misjudgment of the agent reaches everything its credentials reach, not just what the task required. The right answer is least privilege enforced at the tool level, in front of each call, not just at the credential level.

Questions to ask

  • Can access be scoped per agent, per tool, per data object, per action type?
  • What happens if an agent attempts an action outside its scope?
  • Are credentials scoped and rotated, or is there one service account with broad rights?
  • Can a human revoke or pause an agent without taking down the whole platform?
  • What is the model for approving new tools or expanded access over time?

Category 3: Human-in-the-loop thresholds

Many AI incidents in production are not the model being wrong. They are the model doing exactly what it was asked in conditions no one anticipated, and taking an action the business did not intend. Human checkpoints are the defense against that class of failure.

Questions to ask

  • What thresholds trigger human review — transaction value, counterparty risk, deviation from norms?
  • Who gets the approval request, and what is the SLA for response?
  • What happens if the human does not respond within the SLA: does the agent proceed, wait, or escalate? (The safe default is never "proceed".)
  • Can thresholds be tuned over time as confidence grows, without a software change?
  • Is there a configurable “shadow mode” for a period of validation?
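As an added example (not VoltusWave's code and not part of the original post), here is what enforcing the Category 2 scoping answers and the Category 3 threshold answers looks like in a gateway that sits between an agent and its tools: scopes per agent, tool and action type, a per-scope value ceiling, a per-agent pause that leaves other agents running, an approval threshold that can be changed at runtime, shadow mode, and a fail-closed rule for the case where no human answers within the SLA. The agent name, tools, thresholds and amounts are hypothetical.

```python
# Added example, not VoltusWave's code: a minimal policy gateway between an
# agent and its tools. Agent names, tools, thresholds and amounts below are
# hypothetical; a real deployment would load them from configuration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"                    # execute the tool call
    DENY = "deny"                      # out of scope: refuse and record
    NEEDS_APPROVAL = "needs_approval"  # hold the call for a human
    SHADOW = "shadow"                  # validation mode: record, do not act
    PAUSED = "paused"                  # kill switch engaged for this agent
    ESCALATE = "escalate"              # no human answer within the SLA


@dataclass(frozen=True)
class Scope:
    """Actions an agent may take with one tool, plus an optional value ceiling."""
    actions: frozenset
    max_amount: Optional[float] = None


@dataclass
class AgentPolicy:
    agent_id: str
    scopes: dict                   # tool name -> Scope (least privilege per tool)
    approval_threshold: float      # amounts above this need a human
    shadow_mode: bool = False
    paused: bool = False


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    tool: str
    action: str
    amount: float = 0.0


class PolicyGateway:
    def __init__(self) -> None:
        self.policies: dict = {}
        self.events: list = []      # every non-ALLOW verdict, for the audit trail

    def register(self, policy: AgentPolicy) -> None:
        self.policies[policy.agent_id] = policy

    # Per-agent operational controls: one agent can be stopped without taking
    # down the platform, and thresholds move without a code change.
    def pause(self, agent_id: str) -> None:
        self.policies[agent_id].paused = True

    def resume(self, agent_id: str) -> None:
        self.policies[agent_id].paused = False

    def set_threshold(self, agent_id: str, value: float) -> None:
        self.policies[agent_id].approval_threshold = value

    def _record(self, call: ToolCall, verdict: Verdict, reason: str) -> Verdict:
        self.events.append((call, verdict, reason))
        return verdict

    def evaluate(self, call: ToolCall) -> Verdict:
        policy = self.policies.get(call.agent_id)
        if policy is None:
            return self._record(call, Verdict.DENY, "unknown agent")
        if policy.paused:
            return self._record(call, Verdict.PAUSED, "agent paused")
        scope = policy.scopes.get(call.tool)
        if scope is None or call.action not in scope.actions:
            # Out-of-scope attempt: deny and keep the event; a burst of these
            # is itself a signal worth alerting on.
            return self._record(call, Verdict.DENY, "tool/action outside scope")
        if scope.max_amount is not None and call.amount > scope.max_amount:
            return self._record(call, Verdict.DENY, "exceeds scope ceiling")
        if policy.shadow_mode:
            return self._record(call, Verdict.SHADOW, "shadow mode")
        if call.amount > policy.approval_threshold:
            return self._record(call, Verdict.NEEDS_APPROVAL, "above approval threshold")
        return Verdict.ALLOW


def resolve_approval(response: Optional[str]) -> Verdict:
    """Outcome of a held call once the approval SLA has elapsed.

    response is 'approve', 'reject', or None when nobody answered in time.
    A missing answer never means 'proceed'; it escalates (fail closed).
    """
    if response == "approve":
        return Verdict.ALLOW
    if response == "reject":
        return Verdict.DENY
    return Verdict.ESCALATE


def build_demo_gateway() -> PolicyGateway:
    """Hypothetical refund agent: read orders, create refunds up to 5000, humans above 500."""
    gw = PolicyGateway()
    gw.register(AgentPolicy(
        agent_id="refund-agent",
        scopes={"orders": Scope(actions=frozenset({"read"})),
                "refunds": Scope(actions=frozenset({"create"}), max_amount=5000.0)},
        approval_threshold=500.0))
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.evaluate(ToolCall("refund-agent", "refunds", "create", 120.0)))   # Verdict.ALLOW
    print(gw.evaluate(ToolCall("refund-agent", "refunds", "create", 900.0)))   # Verdict.NEEDS_APPROVAL
    print(gw.evaluate(ToolCall("refund-agent", "orders", "delete")))           # Verdict.DENY
    gw.pause("refund-agent")
    print(gw.evaluate(ToolCall("refund-agent", "refunds", "create", 10.0)))    # Verdict.PAUSED
    print(resolve_approval(None))                                              # Verdict.ESCALATE
```

The thing to check with a vendor is where this logic runs. If "scope" is a line in the agent's prompt rather than a check in front of the tool call, a denied action is a suggestion, not a control. Note also that every non-allowed attempt lands in `gw.events`; that stream is what an out-of-scope alert would be built on.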

Category 4: Audit, observability, and explainability

If an agent approves a refund, declines a shipment, or writes a purchase order, and someone asks six months later why, you need to be able to answer. The audit trail is not optional.

Questions to ask

  • Is every agent decision logged with inputs, reasoning trace, tools called, and outcome?
  • Are logs tamper-evident and retained per your compliance requirements?
  • Can you replay a decision with the exact state at the time it was made?
  • Is there an explainability layer — can the agent produce a human-readable rationale?
  • Who inside the vendor can read these logs, and under what circumstances?
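Added example, not VoltusWave's implementation and not from the original post: one way the Category 4 answers become concrete. Each decision record carries the inputs, rationale, tools called and outcome, and is chained to the previous record by a SHA-256 digest, so editing or deleting an earlier record breaks verification at that index. `replay()` re-runs a deterministic policy over the stored inputs to confirm the recorded outcome. The refund rule, agent name and records are constructed for the demo.

```python
# Added example, not VoltusWave's code: a hash-chained decision log that makes
# after-the-fact edits detectable, plus replay of a recorded decision against
# the exact inputs it saw. The refund rule and records are hypothetical.
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Callable, Optional

GENESIS = "0" * 64
BODY_FIELDS = ("seq", "agent_id", "inputs", "reasoning", "tools_called", "outcome")


@dataclass(frozen=True)
class DecisionRecord:
    seq: int
    agent_id: str
    inputs: dict        # the state the agent saw when it decided
    reasoning: str      # human-readable rationale the agent produced
    tools_called: list  # (tool, action, argument) in call order
    outcome: str
    prev_hash: str      # links this record to the one before it
    digest: str         # SHA-256 over the record body plus prev_hash


def _canonical(obj) -> bytes:
    # Stable serialisation so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(body: dict, prev_hash: str) -> str:
    return hashlib.sha256(_canonical(body) + prev_hash.encode()).hexdigest()


class DecisionLog:
    def __init__(self) -> None:
        self.records: list = []

    def head(self) -> str:
        """Digest of the latest record; the value to anchor outside the vendor."""
        return self.records[-1].digest if self.records else GENESIS

    def append(self, agent_id, inputs, reasoning, tools_called, outcome) -> DecisionRecord:
        prev_hash = self.head()
        body = {"seq": len(self.records), "agent_id": agent_id, "inputs": inputs,
                "reasoning": reasoning, "tools_called": tools_called, "outcome": outcome}
        rec = DecisionRecord(**body, prev_hash=prev_hash, digest=_digest(body, prev_hash))
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Index of the first broken record, or None if the whole chain is intact."""
        prev_hash = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: getattr(rec, k) for k in BODY_FIELDS}
            if rec.seq != i or rec.prev_hash != prev_hash or rec.digest != _digest(body, prev_hash):
                return i
            prev_hash = rec.digest
        return None

    def replay(self, seq: int, policy: Callable[[dict], str]) -> bool:
        """Re-run the decision on the stored inputs; True if it reproduces the outcome."""
        rec = self.records[seq]
        return policy(rec.inputs) == rec.outcome


def refund_policy(inputs: dict) -> str:
    """Hypothetical deterministic refund rule used by the demo and the replay."""
    if inputs["amount"] <= 200 and inputs["order_age_days"] <= 30:
        return "approved"
    return "escalated"


def build_demo_log() -> DecisionLog:
    """Two constructed refund decisions from a hypothetical agent."""
    log = DecisionLog()
    for inputs in ({"order": "A-1001", "amount": 80.0, "order_age_days": 4},
                   {"order": "A-1002", "amount": 950.0, "order_age_days": 12}):
        outcome = refund_policy(inputs)
        action = "create" if outcome == "approved" else "hold"
        log.append("refund-agent", inputs,
                   f"amount {inputs['amount']} vs 200 limit, age {inputs['order_age_days']}d",
                   [("orders", "read", inputs["order"]), ("refunds", action, inputs["order"])],
                   outcome)
    return log


def tamper_outcome(log: DecisionLog, seq: int, new_outcome: str) -> None:
    """Simulate rewriting history without re-chaining: the edit verify() must catch."""
    log.records[seq] = replace(log.records[seq], outcome=new_outcome)


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", log.verify())                    # None
    print("replay 1:", log.replay(1, refund_policy))  # True
    tamper_outcome(log, 1, "approved")
    print("after tamper:", log.verify())              # 1
```

A hash chain proves the log has not changed since it was written, but only relative to a head digest you hold. Ask where the current head is anchored (a store under your control, a signed timestamp, a write-once log); if it lives only in the vendor's database, whoever can rewrite a record can re-chain everything after it. Replaying a model-driven decision exactly also requires the same model version and sampling settings, which is why they belong in the recorded inputs.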

Category 5: Model and vendor risk

Agents depend on underlying models. Models change. Vendors change. Your agent platform needs to insulate you from both.

Questions to ask

  • Which foundation models are in the path, and what happens when they are deprecated?
  • Is the platform model-agnostic, or tightly coupled to one provider?
  • What is the vendor’s own business continuity plan — escrow, portability, data export?
  • If the vendor is acquired or goes out of business, what happens to your agents and data?
  • What are the SLAs for uptime, response time, and incident communication?

Category 6: Liability and indemnity

This is the General Counsel’s section. The legal framework for AI agent deployment is still evolving, but the contract needs to survive the worst reasonable scenario.

Questions to ask

  • If an agent takes a harmful action, what is the vendor’s liability cap, and what is carved out?
  • Does the vendor indemnify against claims arising from training data or model provider issues?
  • What is the warranty on agent behavior — accuracy, availability, compliance?
  • How are third-party claims handled?
  • Does the contract address AI-specific regulations in your operating jurisdictions?

Category 7: Exit and portability

You are not buying a marriage. You are buying a workforce. What does leaving look like?

Questions to ask

  • Can you export all your agent definitions, workflows, and learned patterns?
  • In what format, and is that format usable elsewhere?
  • What is the transition support if you choose to migrate?
  • Are there contractual limits on what the vendor can do with your data after termination?
  • What does the 90-day exit look like in practice — concretely, step by step?

The summary checklist

Print this and take it to your next vendor evaluation:

  • Data: residency, training use, model provider chain, legal process obligations
  • Access: per-tool permissions, credential hygiene, kill switch, change control
  • Human-in-the-loop: thresholds, approval SLAs, shadow mode, tuning without code changes
  • Audit: decision traces, replay, explainability, vendor-side access controls
  • Model/vendor risk: model abstraction, continuity, SLAs, business risk
  • Liability: caps, indemnity, warranties, regulatory fit
  • Exit: exportability, format, transition, post-term data handling

Closing

A well-deployed AI agent workforce is safer and more auditable than the manual processes it replaces. But “well-deployed” is doing the work in that sentence. The difference between safe and catastrophic is not the technology; it is the contract, the configuration, and the discipline of the customer.

Ask every question. Expect concrete answers. If you get vague ones, you have your answer.

About VoltusWave

VoltusWave agents run in governed environments — per-tool permissions, full decision traces, configurable human-in-the-loop thresholds, and fully exportable definitions. Production today.