Validate production readiness of Vertex AI Agent Engine deployments across security, monitoring, performance, compliance, and best practices. Generates weighted scores (0-100%) with actionable recommendations. Use when asked to "validate deploymen... Trigger with phrases like 'validate', 'check', or 'verify'.
!gcloud config get-value project 2>/dev/null || echo 'no active project'
!gcloud auth list --filter=status:ACTIVE --format="value(account)" 2>/dev/null || echo 'not authenticated'
Overview
Validate production readiness of Vertex AI Agent Engine deployments by executing weighted checks across five categories: security (30 points), monitoring (20 points), performance (25 points), compliance (15 points), and best practices (10 points). This skill produces a 0-100% composite score with pass/fail per check and prioritized remediation recommendations.
Prerequisites
gcloud CLI authenticated with roles/aiplatform.viewer, roles/iam.securityReviewer, and roles/monitoring.viewer
Access to the target Google Cloud project and Vertex AI Agent Engine deployment
Cloud Monitoring API and Cloud Logging API enabled in the project
Knowledge of the deployment's expected SLOs (latency targets, error rate thresholds)
Read-only access to IAM policies, VPC-SC configurations, and service account bindings
Instructions
Retrieve the deployment configuration using the Python SDK (vertexai.Client().agent_engines.get(name)) or REST API (GET https://{LOCATION}-aiplatform.googleapis.com/v1/projects/{PROJECT}/locations/{LOCATION}/reasoningEngines/{ID}) and parse model, scaling, and feature settings
Pass/fail table for each individual check with evidence notes
Prioritized remediation plan: action items ranked by score improvement per effort
Comparison to previous validation run (if available) showing score delta
Error Handling
Error
Cause
Solution
Insufficient IAM permissions
Viewer roles not granted on target project
Request roles/aiplatform.viewer and roles/iam.securityReviewer from project admin
Agent deployment not found
Incorrect agent ID or deployment deleted
Verify agent ID with vertexai.Client().agent_engines.list() or REST GET .../reasoningEngines; confirm deployment region
Monitoring API returns no data
API not enabled or agent has zero traffic
Enable Monitoring API; generate synthetic traffic to populate baseline metrics
VPC-SC configuration inaccessible
Organization policy restricts VPC-SC reads
Request roles/accesscontextmanager.policyReader at organization level
Compliance check inconclusive
Audit logs not enabled or retention too short
Enable Data Access audit logs; set log retention to minimum 365 days
Examples
Scenario 1: Pre-Launch Validation -- Validate a new ADK agent before production launch. Run all five validation categories. Target score: 85%+ overall, with security score at 28/30 minimum. Generate remediation plan for any failing checks.
Scenario 2: Post-Incident Security Audit -- After a permission escalation incident, re-validate security posture. Focus on IAM least-privilege, service account bindings, and VPC-SC perimeter integrity. Compare scores against the last passing validation.
Scenario 3: Quarterly Compliance Review -- Execute compliance and monitoring validation suites for SOC 2 audit preparation. Verify audit logging coverage, data residency compliance, and backup/DR configuration. Export results as evidence artifacts.
Resources
Validation checklists (read the relevant one during each validation step):