From Prototype to Production: The Complete Checklist for AI-Built Applications

You built an MVP with Cursor, lovable.dev, or v0 in days. It works. Customers love it. You're shipping features fast.

Then reality hits:

• An enterprise prospect asks for your SOC 2 report
• You hit a traffic spike and the app crashes
• You need to roll back a deployment but don't have a process
• Someone asks "where's the data backup?"
• Your co-founder gets locked out and you realize there's no admin access control

AI tools are incredible at building prototypes. But prototypes aren't production software.

This guide shows you exactly what's missing and how to fix it—systematically and without rebuilding from scratch.

The Prototype-to-Production Gap

What AI Code Generation Excels At

AI development tools like Cursor, lovable.dev, v0, and Bolt.new are exceptional at:

• ✅ Rapid prototyping and MVPs
• ✅ UI/UX implementation
• ✅ Basic CRUD operations
• ✅ Integration with popular APIs
• ✅ Iteration speed
• ✅ Common development patterns

What AI Code Generation Misses

Production software requires capabilities AI tools don't provide:

• ❌ Security architecture and threat modeling
• ❌ Scalability patterns and performance optimization
• ❌ Operational resilience and disaster recovery
• ❌ Monitoring, alerting, and observability
• ❌ Compliance controls and documentation
• ❌ Incident response procedures
• ❌ Production-grade infrastructure
• ❌ Data governance and privacy controls

The gap isn't a failing of AI tools—it's that production software requires experience, judgment, and systematic thinking that goes beyond code generation.

The Complete Production Readiness Checklist

Use this checklist to systematically transform your AI-generated prototype into production-ready software.

---

1. Security & Authentication

Authentication

• Proper auth implementation (Auth0, Clerk, Supabase, NextAuth)
• MFA (Multi-Factor Authentication) for all users or at least admins
• Session management with secure tokens and timeouts
• Password requirements meet OWASP standards
• Account recovery process (password reset, account lockout)
• SSO (Single Sign-On) if targeting enterprise

Authorization

• Role-Based Access Control (RBAC) implemented
• Authorization checks on every API route and action
• Principle of least privilege enforced
• Admin panels properly protected
• API endpoints have proper authentication

Data Protection

• Encryption at rest for sensitive data (AES-256)
• Encryption in transit (HTTPS everywhere, TLS 1.3)
• Secrets management (no keys in code, use env vars or AWS Secrets Manager)
• PII (Personally Identifiable Information) identified and protected
• Data classification scheme defined
• Git history scanned for exposed secrets

Application Security

• Input validation on all user inputs (use Zod, Yup)
• SQL/NoSQL injection prevention (parameterized queries, ORM)
• XSS (Cross-Site Scripting) prevention
• CSRF protection enabled
• Rate limiting on all API endpoints
• CORS properly configured (not * in production)
• Security headers configured (CSP, HSTS, X-Frame-Options)

Security Testing

• Dependency scanning setup (Dependabot, Snyk)
• Secret scanning in CI/CD
• SAST (Static Analysis) running in CI/CD
• Manual security review of critical paths

Expected Time Investment: 2-4 weeks for comprehensive security implementation

Red Flags:

• 🚩 "We'll add authentication later" (you won't, and it gets harder)
• 🚩 API keys committed to git
• 🚩 No authorization checks on admin routes
• 🚩 User input directly in database queries

---

2. Infrastructure & Deployment

Infrastructure as Code

• IaC (Infrastructure as Code) implemented (Terraform, Pulumi)
• Environment separation (dev, staging, production)
• Reproducible deployments (same config every time)
• Version-controlled infrastructure (all changes tracked)

Deployment Process

• CI/CD pipeline setup (GitHub Actions, GitLab CI, CircleCI)
• Automated testing in CI/CD
• Deployment rollback procedure documented and tested
• Zero-downtime deployments or scheduled maintenance windows
• Deployment checklist for manual steps
• Feature flags for gradual rollouts

Production Environment

• Separate AWS/cloud account for production (not shared with dev)
• VPC with private subnets for databases
• Security groups with least-privilege rules
• WAF (Web Application Firewall) if handling payments or PII
• CDN configured (Cloudflare, CloudFront)
• DDoS protection enabled

DNS & Networking

• Production domain configured with proper DNS
• SSL/TLS certificate configured and auto-renewing
• DNS properly configured (CNAME/A records, email verification)

Expected Time Investment: 1-2 weeks for infrastructure setup

Red Flags:

• 🚩 Production and dev in same AWS account
• 🚩 Manual deployments with FTP/SSH
• 🚩 No way to roll back deployments
• 🚩 Database exposed to public internet

---

3. Data Management & Backup

Database

• Connection pooling configured
• Database backups automated (daily at minimum)
• Backup restoration tested (can you actually recover?)
• Point-in-time recovery enabled
• Database encryption at rest
• Read replicas for high-traffic applications
• Database migrations tracked and versioned

Data Governance

• Data retention policy defined and implemented
• Data deletion process (GDPR "right to be forgotten")
• PII inventory documented
• Data processing agreements (DPA) with vendors
• Data classification and handling procedures

Backup & Recovery

• Backup schedule automated
• Backup testing quarterly at minimum
• RTO (Recovery Time Objective) defined (how long to recover?)
• RPO (Recovery Point Objective) defined (how much data can you lose?)
• Disaster recovery plan documented
• Backup storage in different region/AZ

Expected Time Investment: 1 week for backup and data management

Red Flags:

• 🚩 "We'll set up backups next sprint" (you won't)
• 🚩 Never tested backup restoration
• 🚩 No idea how long recovery would take
• 🚩 Backups in same region as primary database

---

4. Monitoring & Observability

Error Tracking

• Error tracking setup (Sentry, Rollbar, Bugsnag)
• Error alerts configured (Slack, PagerDuty, email)
• Error triage process defined
• Source maps uploaded for client-side errors

Application Monitoring

• APM (Application Performance Monitoring) setup
• Performance budgets defined
• Slow query monitoring for database
• API latency tracking
• Uptime monitoring (Better Stack, UptimeRobot)

Logging

• Structured logging implemented (JSON logs)
• Log aggregation (CloudWatch, Datadog, Grafana Loki)
• Log retention policy defined
• Security event logging (auth failures, access changes)
• Log analysis for security and debugging

Alerting

• Critical alerts configured (app down, database offline)
• Performance alerts (slow queries, high error rates)
• Security alerts (brute force attempts, suspicious activity)
• Alert escalation policy defined
• Alert fatigue managed (tune thresholds, reduce noise)

Dashboards

• Application health dashboard
• Business metrics dashboard
• Security dashboard
• Infrastructure dashboard

Expected Time Investment: 1-2 weeks for comprehensive monitoring

Red Flags:

• 🚩 Find out app is down from customer tweet
• 🚩 No idea how many errors are happening
• 🚩 Can't debug production issues (no logs)
• 🚩 No alerts configured

---

5. Performance & Scalability

Performance Optimization

• Performance testing conducted
• Database indexes optimized
• N+1 query problems identified and fixed
• Caching strategy implemented (Redis, CloudFront)
• Image optimization (WebP, CDN, lazy loading)
• Bundle size optimization (code splitting, tree shaking)
• API response times under 200ms (p95)

Scalability

• Load testing conducted
• Auto-scaling configured (if needed)
• Database scaling plan documented
• Rate limiting protects against traffic spikes
• Queue system for async work (if needed)
• Background jobs properly configured

Capacity Planning

• Current capacity documented (req/sec, DB connections)
• Growth projections estimated
• Scaling triggers defined
• Cost projections for scale

Expected Time Investment: 1-2 weeks for performance and scalability

Red Flags:

• 🚩 App crashes under any traffic spike
• 🚩 No idea how many users the app can handle
• 🚩 Database queries taking 5+ seconds
• 🚩 Frontend bundle is 5MB

---

6. Compliance & Legal

Privacy & Data Protection

• Privacy policy published and compliant
• Terms of service published
• Cookie consent (if EU users / GDPR)
• GDPR compliance (if applicable)
  • Data processing agreements
  • Right to access data
  • Right to delete data ("right to be forgotten")
  • Data portability
• CCPA compliance (if California users)

Security Compliance

• SOC 2 preparation started (if pursuing enterprise)
• HIPAA controls (if healthcare data)
• PCI-DSS (if processing payments directly)
• ISO 27001 (if required by customers)

Vendor Management

• Vendor inventory maintained
• DPAs (Data Processing Agreements) signed
• Vendor security assessments conducted
• SOC 2 reports collected from critical vendors

Expected Time Investment: Varies widely (SOC 2 = 4-6 months, privacy policy = 1 week)

Red Flags:

• 🚩 No privacy policy or using generated template
• 🚩 Handling EU users without GDPR compliance
• 🚩 Enterprise customers asking for SOC 2, you have no plan
• 🚩 Processing health data without HIPAA considerations

---

7. Operations & Incident Response

Incident Response

• Incident response plan documented
• Incident severity definitions defined
• Escalation procedures clear
• On-call rotation setup (if 24/7)
• Runbooks for common issues
• Post-mortem process defined

Operational Procedures

• Deployment runbook documented
• Rollback procedure documented and tested
• Common troubleshooting steps documented
• Emergency access procedures defined
• Maintenance windows scheduled and communicated

Team & Access

• On-call schedule defined
• Access provisioning process defined
• Access de-provisioning process defined (when people leave)
• Privileged access limited and logged
• Emergency access procedures for lockouts

Expected Time Investment: 1-2 weeks for operations setup

Red Flags:

• 🚩 Only one person knows how to deploy
• 🚩 No process for when app goes down at 2am
• 🚩 Ex-employees still have production access
• 🚩 No documentation (everything in someone's head)

---

8. Documentation

Technical Documentation

• Architecture diagram up to date
• API documentation (if providing API)
• Database schema documented
• Environment variables documented
• Deployment process documented
• Common debugging procedures

Security Documentation

• Security architecture documented
• Threat model documented
• Security controls listed
• Incident response plan
• Disaster recovery plan

For Enterprise Customers

• Security white paper (architecture and controls)
• Compliance documentation
• SLAs (Service Level Agreements)
• Support documentation

Expected Time Investment: Ongoing, 2-3 days initial setup

---

Prioritization Strategy

You can't do everything at once. Here's how to prioritize:

Phase 1: Critical Security (Week 1-2)

Focus on vulnerabilities that could cause immediate harm:

• Authentication and authorization
• Exposed secrets
• SQL injection prevention
• Basic monitoring

Phase 2: Operations Foundation (Week 3-4)

Build the basics to operate reliably:

• Backups and recovery
• Monitoring and alerting
• Basic incident response
• Deployment process

Phase 3: Production Hardening (Week 5-8)

Make it scalable and resilient:

• Infrastructure as Code
• Performance optimization
• Advanced monitoring
• Scalability testing

Phase 4: Compliance & Growth (Month 3+)

Prepare for enterprise customers:

• SOC 2 preparation
• Compliance documentation
• Advanced security controls
• Customer-facing documentation

Common Mistakes to Avoid

1. "We'll add security later" - Later never comes, and retrofitting is expensive
2. "We don't need backups yet" - You need backups the day you have your first real user
3. "It's working, why change it?" - Technical debt compounds; small issues become big problems
4. "We'll scale when we need to" - Scaling under pressure leads to outages and customer loss
5. "We don't have time for documentation" - When something breaks at 2am, you'll regret this
6. "Our startup is too small for SOC 2" - Enterprise deals require SOC 2; start the foundation early

Getting Professional Help

Consider professional help if you:

1. Have enterprise prospects waiting on security review
2. Need compliance (SOC 2, HIPAA, PCI-DSS)
3. Handle sensitive data (PII, payment info, health data)
4. Lack security expertise on the team
5. Are under time pressure (can't spend 2 months on this)

Typical costs:

• Security Review: $4,500-$8,500 (2-3 weeks)
• Hardening Sprint: $6,000-$12,000 (2-4 weeks)
• Ongoing Guardrails: $1,500-$7,000/month

ROI: Most companies recoup the investment from a single enterprise deal that would have been blocked by security concerns.

Next Steps

1. Print this checklist and go through each section
2. Identify your gaps - be honest about what's missing
3. Prioritize using the strategy above
4. Create a timeline - be realistic about effort required
5. Get help if you need it - don't let perfect be the enemy of good

Remember: AI tools are perfect for prototypes. Adding production-grade practices is what makes them enterprise-ready.

Get a free production readiness assessment →