I am quite careful about how I use ssh agent forwarding, deciding how much I trust the remote host, only using it as needed, and putting my more sensitive keys in separate agents. There is still a risk as the superuser on the remote machine can connect through your auth socket and perform key operations.
I was thinking to myself how great it would be if I could confirm/deny each authentication attempt and as it turns out ssh-agent already supports this. From ssh-add(1)
-c Indicates that added identities should be subject to confirmation before being used for authentication. Confirmation is performed by the SSH_ASKPASS program mentioned below. Successful confirma- tion is signaled by a zero exit status from the SSH_ASKPASS pro- gram, rather than text entered into the requester.
This requires a wrapper to use Xdialog although any program which is able to prompt and return an error code can be used. In ~/bin/ssh-yesno,
Xdialog --wrap --title "ssh-agent" --yesno "$@" 0 0
I also added the environment variable above ssh-agent in ~/.xinitrc
eval `ssh-agent -s`
Lastly the keys need to be added with the -c option in order to prompt
ssh-add -c ~/.ssh/id_dsa
Now when I (or someone else) try to authenticate using the agent keys it pops up.