The Automation Security Audit Checklist
12 points to check every quarter — across Zapier, Make.com, n8n, and ChatGPT workflows. Keep attackers out before they find a way in.
Published April 14, 2026 · 6 min read · By Scannly
An automation security audit checks 12 things across four areas: inventory (what automations exist and what they touch), access (credentials, permissions, webhook security), defences (AI input/output handling), and monitoring (logs, alerts, ownership). Run this every 90 days. Most small businesses will fail at least three points the first time.
Why You Need to Audit Every 90 Days
Automations drift. Someone adds a new integration, rotates a credential, tweaks a workflow. Each change is small, but over a quarter they accumulate into security gaps nobody deliberately created. An audit is how you catch drift before it becomes an incident.
The checklist below is platform-agnostic — it works for Zapier, Make.com, n8n, and ChatGPT agents. Print it, run it every 90 days, and keep a log of which points passed and failed.
Inventory (Points 1–2)
- 1. List every active automation across every platform. Include paused automations too: they can be re-enabled and often carry stale credentials. Cover Zapier, Make.com, n8n, Relay, and any custom agents.
- 2. Identify every integration each automation connects to. For each automation, note every app it reads from and writes to. This is your blast radius map: if that automation is hijacked, these are the systems an attacker can read from or act on.
Access (Points 3–5)
- 3. Check for exposed webhooks without authentication. Any webhook that accepts data without a secret token, basic auth, or an IP allow-list is a public door into your workflows: anyone who learns the URL can trigger them with data of their choosing. Where the platform allows it, prefer a request signature (HMAC over the body) to a token in the URL, since URLs end up in access logs and browser history.
- 4. Audit credential storage and encryption. Self-hosted platforms must have an encryption key configured so stored credentials are not sitting in the database in plaintext (n8n, for example, reads it from N8N_ENCRYPTION_KEY). Cloud platforms should be using OAuth where available rather than static API keys, and any static key still in use should have a known owner and rotation date.
- 5. Verify least-privilege access on every connection. Each integration should only have the permissions it actually needs. An automation that only reads Gmail should not have send or delete permissions. Check the scopes actually granted on the connection, not just the connection's name.
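What "authenticated" means for point 3, in working code. This is an added example, not Scannly's scanner or any platform's built-in check; the header names (X-Timestamp, X-Signature), the shared secret, and the five-minute replay window are assumptions for the illustration. The receiver binds a timestamp into an HMAC-SHA256 over the body, so a captured request can neither be altered nor replayed after the window closes, and compares the signature in constant time.

```python
import hashlib
import hmac

# Hypothetical shared secret. In a real deployment it lives in the platform's credential
# store or the receiver's environment, never in the webhook URL itself.
WEBHOOK_SECRET = b"replace-with-32-random-bytes"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than five minutes from now


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the sender attaches: hex HMAC-SHA256 over 'timestamp.body'.

    Binding the timestamp into the MAC stops an attacker from replaying a captured
    request indefinitely; the MAC itself stops them from altering the body.
    """
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(body: bytes, headers: dict, now: int, secret: bytes = WEBHOOK_SECRET):
    """Receiver-side check. Returns (ok, reason) so the log records why a request was refused."""
    ts_raw = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if ts_raw is None or not sig:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Freshness first: an old signature is refused even if it is otherwise valid.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    # compare_digest runs in constant time; '==' would leak how many leading bytes matched.
    if not hmac.compare_digest(sign(body, ts, secret), sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: a valid delivery, then the same signature over a tampered body.
    body = b'{"order_id": 42}'
    now = 1_700_000_000
    headers = {"X-Timestamp": str(now), "X-Signature": sign(body, now)}
    print(verify(body, headers, now))                   # (True, 'ok')
    print(verify(b'{"order_id": 43}', headers, now))    # (False, 'signature mismatch')
    print(verify(body, headers, now + 600))             # (False, 'timestamp outside replay window')
```

If a platform only offers a static token, keep it, but rotate it when the URL is shared outside the team and treat the URL as a secret in logs and documentation.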
Defences (Points 6–8)
- 6. Check every AI step for input sanitisation. Before data reaches an AI step, is there a filter flagging or removing instruction-like phrases, and is untrusted input handed to the model as clearly delimited data rather than spliced into the instructions? Treat the phrase filter as a tripwire, not a wall: attackers paraphrase and obfuscate, which is why point 7 matters. Read our prompt injection prevention guide.
- 7. Confirm AI outputs are validated before acting on them. Every AI step should feed into a validation step that checks format, length, and content before downstream actions fire, and the actions the output can trigger should come from a fixed allow-list.
- 8. Test workflows against known prompt injection patterns. Try to break your own workflows. Send test inputs containing "ignore previous instructions", along with paraphrased and obfuscated variants, and see what happens. Keep the test inputs so you can re-run them every quarter.
Monitoring (Points 9–12)
- 9. Enable error notifications on every automation. If a workflow errors silently, problems compound. Route every error to email, Slack, or both.
- 10. Review execution logs for anomalous patterns. Spikes in run counts, outputs larger than expected, actions triggered outside normal hours — all warning signs.
- 11. Document who owns each automation and how to revoke access. When someone leaves the team, you need to know in 5 minutes what they can still access.
- 12. Schedule the next audit for 90 days from now. Put it in the calendar before you close this page. Audits that are not scheduled do not happen.
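The three warning signs in point 10 as detection logic over a log export. This is an added example rather than a feature of any platform named on this page; the record shape (workflow, ISO timestamp, status, output bytes), the thresholds, the business-hours window and the sample log are all constructed for the illustration. The sample contains a week of normal runs plus one of each anomaly: a forty-run spike, a 4 MB output where 1 KB is normal, and a run at 02:30 on a Saturday.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of execution-log records. In April 2026 the 6th to 10th and the 13th
# and 14th are weekdays; the 11th is a Saturday.
SAMPLE_LOG = [
    # baseline: invoice-sync runs three times per weekday in office hours with ~1 KB outputs
    *[{"workflow": "invoice-sync", "ts": f"2026-04-{d:02d}T{h:02d}:05:00Z", "status": "success",
       "output_bytes": 900 + 10 * h} for d in (6, 7, 8, 9, 10) for h in (9, 12, 15)],
    # anomaly 1: forty runs in one hour on the 13th (a retry loop, or a flooded trigger)
    *[{"workflow": "invoice-sync", "ts": f"2026-04-13T10:{m:02d}:00Z", "status": "success",
       "output_bytes": 950} for m in range(40)],
    # anomaly 2: one run that produced 4 MB where 1 KB is normal (a bulk export?)
    {"workflow": "invoice-sync", "ts": "2026-04-14T11:00:00Z", "status": "success", "output_bytes": 4_000_000},
    # baseline for a second workflow, plus anomaly 3: a run at 02:30 on a Saturday
    *[{"workflow": "lead-enrich", "ts": f"2026-04-{d:02d}T14:00:00Z", "status": "success",
       "output_bytes": 1200} for d in (6, 7, 8, 9, 10)],
    {"workflow": "lead-enrich", "ts": "2026-04-11T02:30:00Z", "status": "success", "output_bytes": 1200},
]

BUSINESS_HOURS = range(8, 18)  # UTC; assumed working hours for the illustration


def parse_ts(ts: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" from Python 3.11 onwards; normalise it first.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def run_count_spikes(records, factor=3):
    """(workflow, day, count) for days where count exceeds factor x that workflow's median daily count."""
    per_day = Counter((r["workflow"], parse_ts(r["ts"]).date().isoformat()) for r in records)
    by_wf = defaultdict(list)
    for (wf, _day), n in per_day.items():
        by_wf[wf].append(n)
    return sorted((wf, day, n) for (wf, day), n in per_day.items() if n > factor * median(by_wf[wf]))


def oversized_outputs(records, factor=10):
    """Runs whose output is more than factor x the workflow's median output size."""
    by_wf = defaultdict(list)
    for r in records:
        by_wf[r["workflow"]].append(r["output_bytes"])
    return [r for r in records if r["output_bytes"] > factor * median(by_wf[r["workflow"]])]


def off_hours_runs(records):
    """Runs on a weekend or outside BUSINESS_HOURS."""
    return [r for r in records
            if parse_ts(r["ts"]).weekday() >= 5 or parse_ts(r["ts"]).hour not in BUSINESS_HOURS]


def audit(records) -> dict:
    return {"run_spikes": run_count_spikes(records),
            "oversized": oversized_outputs(records),
            "off_hours": off_hours_runs(records)}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

Medians rather than means keep one bad day from dragging the baseline up with it, which is what lets the forty-run day stand out against a week of three-run days. A scheduled workflow that legitimately runs overnight should be exempted from the off-hours rule by name rather than by widening the window for everything.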
How to Run Your First Audit
Block two hours in your calendar. Work through each point in order. For each one, write down whether you pass, fail, or need to investigate further. Don't try to fix everything in the audit session — just catalogue. Then spend the next week working through fixes, highest-severity first.
If you're pressed for time, start with points 3, 5, 6, and 7 — these four alone catch the most dangerous gaps in most small business automations.
Automate Points 3, 6, and 7
Scannly's free Risk Scanner checks webhook exposure, input sanitisation, and output validation automatically — three of the four most dangerous points on this checklist.
Run My Free Scan →