
ADVISORY

Practical security for AI-augmented finance teams: the 12-point checklist

By Hiro Kakiya CPA · Founder, Quantum Accounting · May 2026 · 9 min read

If your AI agent has API access to your accounting system, it has the keys to the kingdom

This is the practical reality of running AI-augmented fund accounting: the agent needs read-write access to your books, your wallets, and your exchanges to do its job. That's privileged access. And privileged access without controls is how funds get exploited — by attackers and, occasionally, by their own carelessness.

The 12-point checklist below is the minimum posture. Every fund running AI agents should have this in writing, signed by a named owner, reviewed at least quarterly.

The checklist

  1. API keys are stored in a secrets manager. 1Password, AWS Secrets Manager, Doppler — pick one. Never in .env files committed to a repo. Never in a Google Doc. Never in a Slack DM.
  2. API keys are scoped to least privilege. Read-only where possible. Write-only where required (with a named owner authorizing each rotation). Never use a master account API key when a sub-account would work.
  3. Every API key has an expiration date. 90 days max. The rotation process is documented and owned.
  4. Multi-factor authentication on every account that touches money. Exchange accounts, custody portals, bank logins, AWS console. Hardware security keys (YubiKey) for the accounts that matter most.
  5. Agent runs are logged and auditable. Every tool call the agent makes, every API request, every wallet interaction. Logs go to your Tier 2 audit-ready storage.
  6. Production agent access is gated by named human approval. Reading data: agent can run autonomously. Writing data to your books or moving funds: a human in the loop, every time, with a signed-off action log.
  7. No agent has access to move funds. Period. The agent reads positions, reconciles, generates reports, flags exceptions. The human authorizes transfers. This is non-negotiable.
  8. The Claude API key has a budget cap and rate limit. Anthropic supports both. Set a daily token budget that aligns with your expected use; alert on 80% of budget. This protects against runaway agent loops and against compromised keys being abused.
  9. Wallet hot/cold separation. Operational wallets (small, used for daily ops) are separate from treasury wallets (large, multisig-protected, cold). The agent only has access to operational wallet positions, never to keys.
  10. Quarterly access review. Every API key, every IAM user, every named account — who has it, do they still need it, is it scoped correctly. 30 minutes per quarter saves you a security incident.
  11. Incident playbook in writing. What happens when (not if) a key is compromised, an agent misbehaves, or a transaction is flagged. Named owner. Documented escalation. Tested at least annually.
  12. Vendor security review for every tool you adopt. Including us. Including Anthropic. Including your custody partner. The questions to ask: SOC 2? Data residency? Subprocessor list? Breach notification timeline?
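
One way to enforce items 5 to 7 in the agent's tool-dispatch layer, as an added example (not code from Quantum Accounting or any vendor): reads run autonomously, writes need a named approver, fund movement is refused regardless of approval, and every decision is logged. The tool names, the approver list and the in-memory log are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed for illustration: tool names, classes and approvers are assumptions.
READ, WRITE, MOVE_FUNDS = "read", "write", "move_funds"
TOOL_CLASS = {
    "get_positions": READ,
    "reconcile_ledger": READ,
    "post_journal_entry": WRITE,
    "transfer_funds": MOVE_FUNDS,
}
APPROVERS = {"controller@example.com"}  # named humans allowed to sign off on writes


@dataclass
class Gate:
    # Stand-in for append-only, audit-ready storage (item 5).
    audit_log: list = field(default_factory=list)

    def authorize(self, tool, args, approver=None):
        """Decide whether an agent tool call may run; record every decision."""
        kind = TOOL_CLASS.get(tool)
        if kind == READ:
            allowed, reason = True, "read: agent may run autonomously"
        elif kind == WRITE and approver in APPROVERS:
            allowed, reason = True, "write: approved by named human"
        elif kind == WRITE:
            allowed, reason = False, "write: named human approval required"
        elif kind == MOVE_FUNDS:
            # Item 7: an approver does not change this; transfers happen outside the agent.
            allowed, reason = False, "fund movement: not available to the agent"
        else:
            allowed, reason = False, "unknown tool: default deny"
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "tool": tool, "args": args, "approver": approver,
            "allowed": allowed, "reason": reason,
        })
        return allowed


if __name__ == "__main__":
    gate = Gate()
    gate.authorize("get_positions", {"fund": "A"})
    gate.authorize("post_journal_entry", {"amount": "100.00"})
    gate.authorize("transfer_funds", {"amount": "100.00"}, approver="controller@example.com")
    for entry in gate.audit_log:
        print(entry["tool"], entry["allowed"], entry["reason"])
```

Denied calls are logged alongside allowed ones, so the quarterly review in item 10 can see what the agent attempted as well as what it did.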

The discipline isn't expensive. The lack of it is.

The fund admin industry has a long memory for security incidents. One compromise — especially one involving LP data or fund transactions — and the next conversation with your LP base is a different conversation forever.

If you want your current posture mapped against these 12 points — gaps surfaced, remediation steps owned and dated — that's a conversation worth having before the next audit cycle.
