Workshops Hands-on AI workshops on making AI useful, understandable, and trustworthy — see what’s on.

Free resource

Is your AI-built app ready for a security review?

A plain-English checklist for builders shipping with Lovable, Replit, Cursor, and Claude Code — so the first hard question from a customer’s security team doesn’t catch you flat-footed. No jargon, no 80-page framework. Just what to check before someone else checks it for you.

Get the checklist

The full checklist below, plus Field Notes — low-volume, high-signal.

What’s inside

Seven areas, one honest pass.

01 Map your system

You can’t secure what you can’t see.

  • Write a one-page description of what your app does and who uses it.
  • List every place data is stored — database, file storage, third-party tools.
  • Diagram how data flows in, through, and out of the app.
  • Identify which parts are AI/LLM-powered and what they can access.
  • Note what runs in the browser vs. on the server.

02 Data & privacy

Know exactly what you touch.

  • Inventory the data you collect (personal, payment, health, etc.).
  • Confirm you only collect what you actually need.
  • Document where data lives and how long you keep it.
  • Make sure you can delete a user’s data on request.
  • Check whether any data leaves your region or country.

03 Access & authentication

Decide who can get in — and to what.

  • Require strong auth (passwordless or MFA) for all users.
  • Enforce row-level security so users only see their own data.
  • Use least-privilege roles for admins and service accounts.
  • Remove default, test, and demo credentials.
  • Log who accessed what, and when.

04 Secrets & configuration

Close the leaks that sink most vibe-coded apps.

  • No API keys, tokens, or passwords in client-side code or the repo.
  • Store secrets in environment variables or a secrets manager.
  • Rotate any key that has ever been exposed.
  • Lock down public storage buckets and database tables.
  • Turn off verbose error messages in production.

05 Third-party & model risk

You inherit your vendors’ risk.

  • List every external service and AI model your app calls.
  • Check each vendor’s data-use and retention terms.
  • Confirm customer data isn’t used to train third-party models — or disclose it.
  • Have a fallback if a vendor goes down or changes terms.
  • Add basic input and output guardrails on AI features.

06 Evidence & documentation

What turns “trust me” into a passed questionnaire.

  • Keep a current architecture and data-flow diagram.
  • Write a short security overview you can hand to a buyer.
  • Document your incident-response steps: who, what, how.
  • Track your subprocessors and where data is hosted.
  • Keep a changelog of security-relevant changes.

07 Governance & oversight

Keep it true after launch day.

  • Assign an owner for security and compliance decisions.
  • Map your obligations (SOC 2, HIPAA, GDPR, state laws) to your reality.
  • Review access and vendors on a set cadence.
  • Have a plan for AI model updates and drift.
  • Decide what you’ll do when something goes wrong.

Want this as a printable checklist?

Get the PDF plus Field Notes — or, if you’d rather not DIY it, bring me the tangled version.