1. Ownership and governance
- Name the business owner, technical owner, and evidence owner for each agent.
- Record the model, orchestration layer, tools, plugins, data sources, and deployment environment.
- Keep the agent risk decision separate from model hype: rate the agent by what it can read, write, trigger, or expose, not by which model sits behind it.
2. Identity and access
- Use named users, managed identities, workload identities, or approved app registrations rather than shared or personal credentials, so every action traces back to one principal.
- Review tool permissions before adding connectors or production actions.
- Document privileged paths and require human approval for sensitive changes.
3. Logging and evidence
- Log prompts, tool calls, approvals, errors, and outputs at a retention level that fits the risk.
- Map evidence to the DORA (EU Digital Operational Resilience Act) language on ICT risk management, incident handling, resilience testing, and third-party oversight.
- Export a concise evidence pack before security, compliance, or customer review.
4. Resilience and incident response
- Define what happens when the model provider is unavailable, the agent gives bad output, or a tool call fails.
- Test prompt injection, data leakage, unsafe tools, broken retrieval, and rollback paths.
- Assign escalation contacts for leaked data, tool misuse, and customer-impacting failures.
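The identity-and-access, logging, and resilience items above come together at one choke point: the gateway that sits between the agent and its tools. The following is an added example (not the scanner's code and not from the original page) of such a gateway in Python. It enforces a per-tool allowlist, holds sensitive actions until a human approval id has been granted, consumes each approval once, records every decision (allowed, denied, pending, errored) as a structured audit entry keyed to a prompt fingerprint rather than the raw prompt, and summarises the entries into a per-tool evidence pack. The tool names, policy table, ticket data and sample prompt are constructed for illustration.

```python
"""Tool-call gateway for an LLM agent: allowlist, approval gate, audit log.

Added example; not the page's scanner code. Tool names, the POLICY table,
the ticket store and the demo prompt are all constructed for illustration.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional

# Hypothetical policy table: which tools the agent may call and which need a
# human approval id before they execute. Unlisted tools are denied.
POLICY = {
    "search_docs":   {"allowed": True,  "approval": False},
    "read_ticket":   {"allowed": True,  "approval": False},
    "update_ticket": {"allowed": True,  "approval": True},
    "run_payment":   {"allowed": False, "approval": True},  # privileged path, not exposed
}


def fingerprint(text: str) -> str:
    """Hash the prompt so the log links calls to a prompt without storing raw content."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **fields: Any) -> dict:
        """Append one structured entry and return it to the caller."""
        entry = {"ts": time.time(), **fields}
        self.entries.append(entry)
        return entry

    def evidence_pack(self) -> dict:
        """Count decisions per tool: the summary a reviewer asks for first."""
        summary: Dict[str, Dict[str, int]] = {}
        for e in self.entries:
            bucket = summary.setdefault(e["tool"], {})
            bucket[e["decision"]] = bucket.get(e["decision"], 0) + 1
        return summary


class ToolGateway:
    def __init__(self, tools: Dict[str, Callable[..., Any]], log: AuditLog):
        self.tools = tools
        self.log = log
        self.approvals: set = set()  # approval ids granted by a human, single use

    def approve(self, approval_id: str) -> None:
        self.approvals.add(approval_id)

    def call(self, agent_id: str, prompt: str, tool: str, args: dict,
             approval_id: Optional[str] = None) -> dict:
        base = {"agent": agent_id, "prompt_id": fingerprint(prompt), "tool": tool, "args": args}
        policy = POLICY.get(tool)
        if policy is None or not policy["allowed"]:
            return self.log.record(decision="denied", reason="tool not on allowlist", **base)
        if policy["approval"]:
            if approval_id not in self.approvals:
                return self.log.record(decision="pending_approval",
                                       reason="human approval required", **base)
            self.approvals.discard(approval_id)  # one approval covers one action
        try:
            result = self.tools[tool](**args)
        except Exception as exc:  # a failing tool is evidence too, never silent
            return self.log.record(decision="error",
                                   reason=f"{type(exc).__name__}: {exc}", **base)
        return self.log.record(decision="executed", approval_id=approval_id,
                               output=result, **base)


def build_demo_gateway():
    """Constructed tool implementations for the example; not real connectors."""
    tickets = {"T-100": {"status": "open"}}

    def search_docs(query):
        return [f"doc matching {query!r}"]

    def read_ticket(ticket_id):
        return tickets[ticket_id]  # KeyError for an unknown ticket id

    def update_ticket(ticket_id, status):
        tickets[ticket_id]["status"] = status
        return tickets[ticket_id]

    log = AuditLog()
    gw = ToolGateway({"search_docs": search_docs, "read_ticket": read_ticket,
                      "update_ticket": update_ticket}, log)
    return gw, log


if __name__ == "__main__":
    gw, log = build_demo_gateway()
    prompt = "Close ticket T-100 and refund the customer"  # constructed
    gw.call("agent-1", prompt, "run_payment", {"amount": 10})
    gw.call("agent-1", prompt, "update_ticket", {"ticket_id": "T-100", "status": "closed"})
    gw.approve("apr-1")  # a human signs off out of band
    gw.call("agent-1", prompt, "update_ticket", {"ticket_id": "T-100", "status": "closed"},
            approval_id="apr-1")
    gw.call("agent-1", prompt, "read_ticket", {"ticket_id": "T-999"})
    print(json.dumps(log.evidence_pack(), indent=2))
```

Two design choices matter here. The log stores a prompt fingerprint plus the tool arguments, which is usually enough for forensics while keeping raw prompts (often full of customer data) out of long-retention storage; if the risk level calls for raw prompts, store them separately with their own retention. The approval id is consumed on use, so a single human sign-off cannot be replayed by an agent that decides to retry the same privileged action.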
Run the scanner for a first readiness score and top gap list.