Security Checklist

Field	Value
Document ID	ASCEND-REF-003
Version	1.0.0
Last Updated	December 19, 2025
Author	Ascend Engineering Team
Publisher	OW-KAI Technologies Inc.
Classification	Enterprise Client Documentation
Compliance	SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4

Reading Time: 8 minutes | Skill Level: Intermediate

Use this checklist to ensure your ASCEND deployment follows security best practices.

Authentication

API Keys

Use role-appropriate keys - Don't use admin keys for agent operations
Rotate keys regularly - At least every 90 days
Never commit keys to code - Use environment variables or secrets manager
Revoke unused keys - Remove keys for departed employees immediately
Use separate keys per environment - Different keys for dev/staging/prod

# Check key age
curl "https://pilot.owkai.app/api/keys" \
  -H "Authorization: Bearer <admin_jwt>" | jq '.keys[] | select(.age_days > 90)'

JWT Tokens

Configure appropriate session duration - Balance security vs convenience
Enable idle timeout - Auto-logout after inactivity
Use secure cookie settings - HttpOnly, Secure, SameSite
Implement token refresh - Don't use long-lived tokens

Multi-Factor Authentication

Require MFA for admins - Mandatory for privileged accounts
Enforce MFA organization-wide - Recommended for all users
Configure MFA recovery - Backup codes or admin reset
Audit MFA status - Regular compliance checks

# Check MFA compliance
curl "https://pilot.owkai.app/api/users?mfa_enabled=false" \
  -H "Authorization: Bearer <admin_jwt>"

Access Control

Role Configuration

Follow least privilege - Users get minimum necessary permissions
Regular access reviews - Quarterly minimum
Document role assignments - Maintain access records
Remove access promptly - Same-day for terminations

Agent Trust Levels

Start with sandbox - New agents begin restricted
Document trust upgrades - Record justification
Regular trust reviews - Validate agent behavior
Configure appropriate defaults - Don't auto-trust

# Review agent trust levels
curl "https://pilot.owkai.app/api/agents?trust_level=trusted" \
  -H "Authorization: Bearer <admin_jwt>"

Network Security

TLS Configuration

TLS 1.3 preferred - Minimum TLS 1.2
Strong cipher suites - Disable weak ciphers
Certificate monitoring - Alert before expiration
HSTS enabled - Enforce HTTPS

API Security

Rate limiting configured - Prevent abuse
IP allowlisting - If applicable to your environment
CORS properly configured - Restrict origins
Request size limits - Prevent DoS

Data Protection

Encryption

Encryption at rest - AES-256 for stored data
Encryption in transit - TLS for all connections
Key management - Secure key storage and rotation
BYOK configured - If required by policy

# Verify encryption status
curl "https://pilot.owkai.app/api/security/encryption-status" \
  -H "Authorization: Bearer <admin_jwt>"

Data Classification

PII detection enabled - Automatic sensitive data detection
Data retention configured - Appropriate retention periods
Masking in logs - Sensitive data not logged in clear
Export controls - Restrict data export capabilities

Governance Policies

Smart Rules

Deny rules for critical operations - Block dangerous actions
Approval requirements for high-risk - Human oversight
After-hours restrictions - If applicable
Regular rule review - Ensure rules match current needs

# List active deny rules
curl "https://pilot.owkai.app/api/smart-rules?action=DENY&is_active=true" \
  -H "Authorization: Bearer <admin_jwt>"

Risk Configuration

Appropriate thresholds - Not too permissive
Risk factors weighted - Match your risk profile
Auto-deny for critical - Highest risk auto-blocked
Regular threshold review - Adjust based on experience

Monitoring & Alerting

Audit Logging

All actions logged - No gaps in audit trail
Log integrity verified - Hash chain valid
Sufficient retention - Meet compliance requirements
Log export configured - SIEM integration if needed

# Verify audit log integrity
curl -X POST "https://pilot.owkai.app/api/audit/integrity-check" \
  -H "Authorization: Bearer <admin_jwt>" \
  -d '{"period_start": "2025-01-01", "period_end": "2025-12-31"}'

Alert Configuration

Critical alerts configured - Security incidents
Alert channels tested - Verify delivery
Escalation configured - If primary not available
Alert fatigue managed - Don't over-alert

Security Monitoring

Failed auth monitoring - Detect brute force
Anomaly detection enabled - Unusual patterns
Kill switch alerts - Immediate notification
Regular security reviews - Weekly minimum

Incident Response

Preparation

IR plan documented - Steps for security incidents
Contact list current - Security team contacts
Kill switch tested - Know how to use it
Backup procedures verified - Can restore if needed

Kill Switch

Kill switch accessible - Admins know how to use
Kill switch tested - Verified it works
Post-kill procedures - What to do after
Reactivation process - How to restore

# Test kill switch (use test agent!)
curl -X POST "https://pilot.owkai.app/api/agents/test-agent/kill" \
  -H "Authorization: Bearer <admin_jwt>" \
  -d '{"reason": "Security drill test"}'

Compliance

Audit Readiness

Evidence collection automated - Regular exports
Access reviews documented - Quarterly records
Change management logged - All config changes
Incident documentation - Security events recorded

Framework-Specific

SOC 2 controls mapped - If applicable
HIPAA safeguards - If handling PHI
PCI-DSS compliance - If handling payment data
GDPR/CCPA readiness - Data rights support

SSO Security

SAML/OIDC

Signed assertions required - No unsigned accepted
Certificate current - Not expired
Attribute mapping verified - Correct user info
Single logout configured - If required

User Provisioning

JIT provisioning configured - If using SSO
Deprovisioning automated - Remove on IdP removal
Group mapping correct - Roles assigned properly
Default role appropriate - Not over-privileged

Webhook Security

HMAC verification implemented - Validate signatures
HTTPS only - No HTTP webhooks
Secret rotation - Periodic secret changes
DLQ monitored - Check failed deliveries

# Example webhook verification
import hmac
import hashlib

def verify_webhook(payload, signature, secret):
    expected = hmac.new(
        secret.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature)

Regular Reviews

Weekly

Review security alerts
Check failed authentication attempts
Verify backup status

Monthly

Review user access
Check API key ages
Review smart rule effectiveness

Quarterly

Full access review
Trust level review
Security configuration audit
Compliance evidence collection

Annually

Penetration testing
Security training refresh
DR test
Policy review and update

Document Version: 1.0.0 | Last Updated: December 2025

Authentication​

API Keys​

JWT Tokens​

Multi-Factor Authentication​

Access Control​

Role Configuration​

Agent Trust Levels​

Network Security​

TLS Configuration​

API Security​

Data Protection​

Encryption​

Data Classification​

Governance Policies​

Smart Rules​

Risk Configuration​

Monitoring & Alerting​

Audit Logging​

Alert Configuration​

Security Monitoring​

Incident Response​

Preparation​

Kill Switch​

Compliance​

Audit Readiness​

Framework-Specific​

SSO Security​

SAML/OIDC​

User Provisioning​

Webhook Security​

Regular Reviews​

Weekly​

Monthly​

Quarterly​

Annually​

Authentication

API Keys

JWT Tokens

Multi-Factor Authentication

Access Control

Role Configuration

Agent Trust Levels

Network Security

TLS Configuration

API Security

Data Protection

Encryption

Data Classification

Governance Policies

Smart Rules

Risk Configuration

Monitoring & Alerting

Audit Logging

Alert Configuration

Security Monitoring

Incident Response

Preparation

Kill Switch

Compliance

Audit Readiness

Framework-Specific

SSO Security

SAML/OIDC

User Provisioning

Webhook Security

Regular Reviews

Weekly

Monthly

Quarterly

Annually