Skip to main content
← Blog

The Agent Kill Switch Problem: A Tiered Model for Stopping Tool-Using AI Agents

Stopping an AI agent is not one button. It is a control chain across runtime, tools, MCP servers, credentials, queues, downstream systems, and evidence. This post proposes eight kill-switch layers and a three-tier model that separates what's practical now from what's still research.

ai-agents agent-security mcp governance

The most dangerous enterprise AI agent is not necessarily the one that makes a mistake. It is the one the organization does not know how to stop. In a chatbot, “stop” usually means the text stops streaming. In an agentic system, that definition collapses. The model may stop talking while a queued task keeps running. A server may be disconnected while a cached capability remains visible. A token may be revoked after a downstream action has already occurred. Logs may be lost at exactly the moment the organization needs them most.

That is the Agent Kill Switch Problem. The question is not whether an agent has a stop button. The question is whether the organization can stop the layers where the agent can continue acting: runtime loops, tool calls, MCP servers, credentials, queues, handoffs, downstream systems, and evidence pipelines. A real kill switch is not a button. It is a control chain.

This post proposes a practical framework for that control chain. It defines eight kill-switch layers, identifies common failure scenarios, maps the problem to current agent and MCP architectures, and introduces a three-tier solution model that separates practical controls from advanced platform patterns and future research.

A note on posture before we start: this is a proposed framework and evaluation method, not a completed benchmark. Where I describe patterns like stop epochs or handoff passports, treat them as design directions to validate, not shipped standards. I flag the maturity of each idea explicitly, because the most common failure mode in this space is selling a research-grade concept as a near-term checklist item.

Stopping output vs. stopping action

The framing deliberately separates stopping output from stopping action. In conventional chatbots, stopping output may be adequate because the primary effect is a response. In tool-using agents, the primary risk is the action performed through tools, the authority used to perform it, and the persistence of work beyond the user-visible exchange.

Modern agent systems are increasingly built around managed loops, tool execution, guardrails, handoffs, sessions, and traces. The OpenAI Agents SDK describes an agent loop where tool calls and handoffs can cause the loop to continue rather than terminate. MCP makes the problem more acute because tools may sit behind standardized client/server boundaries, authorization flows, cached tool discovery, and long-running state — and the 2026-07-28 release candidate pushes toward a stateless core, cacheable responses, trace-context propagation, and a formal deprecation policy, all of which change what “stop” has to mean.

Where an agent can keep acting

A useful reference architecture for the kill-switch problem is intentionally simple: User → Agent Host → Agent Runtime → MCP Client → MCP Server → Tool/API → External System. In real deployments this chain may also include identity providers, queues, observability pipelines, policy engines, secret stores, vector databases, SaaS APIs, and human approval systems. Each boundary is a place where an agent can keep acting after a user thinks they hit “stop.”

BoundaryWhat can continue after a user-visible stop?Likely ownerKill-switch implication
Agent host / app shellSession state, UI output, user identity, approval screensApplication / product ownerThe UI stop must be linked to the runtime/run ID, not just the text stream
Agent runtime / run loopFurther model turns, retries, handoffs, tool selectionAgent platform owner or vendor SDKRuntime cancellation must prevent later turns and mark the run as cancelled
Tool selection layerSelected tool call may be pending or already authorizedApplication / security / policy engineTool calls must be interruptible before side effects
MCP client/serverCached tool metadata, available server tools, long-running tasksIntegration / platform teamServer disablement must invalidate stale capabilities and fail closed
Identity provider / credential brokerTokens, grants, scopes, service accountsIAM / security teamAuthority must be revocable independently of the process
Queue / workflow layerRetries, scheduled tasks, long-running workflowsPlatform / SRE / workflow ownerStop state must propagate to pending work
External business systemTickets, messages, transactions, deployments, recordsBusiness system ownerAgent-created side effects must be containable and trace-linked
Observability / evidence layerTraces, logs, approvals, hashes, chain-of-custodySecurity / IR / complianceEmergency stop must preserve evidence, not destroy it

Read as a control chain, the layers look like this:

Agent kill switch as a control chain
Conversationstop
Runtimestop
Tool-callstop
MCP serverstop
Credentialstop
Task/queuestop
Downstreamstop
Evidencefreeze
A visible stop button is only one layer. Enterprise stoppability requires action stop, authority revocation, work cancellation, containment, and evidence preservation.

Eight kill-switch layers

Breaking the chain into named layers gives each one a control and a research question — the question being “does stopping here actually stop anything downstream?”

#Kill switchWhat it stopsResearch question
1Conversation stopUser-facing chat or generationDid the model stop talking, or did the workflow stop acting?
2Agent runtime stopPlanning, tool selection, retries, handoffs, chained loop stepsCan the active agent run be cancelled mid-execution?
3Tool-call stopSpecific tool calls before, during, or after executionCan risk be interrupted at the moment a tool action appears?
4MCP server stopServer access and cached capability discoveryIf a server is disabled, does the agent still believe its tools exist?
5Credential stopOAuth grants, access tokens, service accounts, delegated authorityCan authority be revoked even if the process is still alive?
6Task/queue stopQueued, scheduled, retrying, or long-running workCan work be stopped after it leaves the active runtime?
7Downstream stopExternal-system side effects and business recordsCan the business system contain an agent action after it occurs?
8Evidence-preserving stopTrace / log / approval / credential / task / downstream evidenceCan the agent be stopped without destroying the incident record?

Briefly, each layer does the following:

How kill switches fail

The layers matter because stopping one is routinely mistaken for stopping the system. These are the failure scenarios the framework is designed to surface.

ScenarioWhat goes wrongRoot causeRelevant controls
Chat stopped, tool continuesUser thinks the agent stopped, but an API action completesUI stop is mistaken for action stopTool-call stop; runtime stop; evidence freeze
Tool removed, cache persistsAgent still sees stale tool metadata or allowed capability listCapability cache is not invalidatedMCP server stop; signed snapshots
Runtime stopped, queue continuesBackground task keeps running after active-run cancellationQueued work is outside runtime controlTask/queue stop; stop epochs
Token revoked too lateAgent completes an external action before revocation propagatesCredential revocation is not atomicCredential stop; capability leases
Handoff occurs before stopChild agent continues after the parent is cancelledStop state does not propagate across agentsRuntime stop; handoff passports
Guardrail blocks output onlyUnsafe action already happened before the response was blockedOutput guardrail is mistaken for action guardrailTool-call stop; approval gates
Logs lost during shutdownIncident cannot be reconstructedStop action destroys contextForensic stop capsule
Downstream SaaS remains activeAgent-created record must be manually found and reversedNo linkage between run and external recordDownstream stop; shadow commit
Approval replayOld approval is reused after tool scope changesApproval is not bound to version/actionApproval binding; capability leases
Retry after revokeFailed action is retried using an alternate still-valid credentialRetry policy ignores emergency stop stateStop epochs; queue stop; policy gate

A three-tier solution model

The most important design decision in this framework is to separate controls by maturity and implementation burden. Without that separation, the research sounds unrealistic: a small team cannot implement formal verification of all stop paths, consensus kill, and cross-vendor handoff passports overnight. But the same small team can start with forensic stop records, scoped credentials, approval gates, and circuit breakers. A mature platform team can go further with stop epochs, capability leases, MCP gateway enforcement, and signed capability snapshots.

Three-tier solution maturity model

Tier 1 — Practical Now

Forensic stop record · short-lived scoped credentials · tool allowlists · logging and approvals · circuit breakers

Tier 2 — Buildable by Advanced Teams

Stop epochs · capability leases · MCP gateway enforcement · signed capability snapshots

Tier 3 — Experimental / Future

Handoff passports · shadow commit everywhere · consensus kill · formal stop-path verification

Use the tiers to separate deployable controls from advanced platform patterns and research-grade concepts.
TierControlsRealismBest use
Tier 1: Practical NowForensic stop record, short-lived scoped credentials, tool allowlists, logging, approval gates, circuit breakersHigh — extensions of existing IAM, logging, approval, and SRE practicesImmediate enterprise governance requirements and launch review checklists
Tier 2: Buildable by Advanced TeamsStop epochs, capability leases, MCP gateway enforcement, signed capability snapshotsMedium to high for mature internal platforms; harder for ad hoc SaaS deploymentsAdvanced agent platforms, MCP gateways, and regulated workflows
Tier 3: Experimental / FutureHandoff passports, shadow commit everywhere, consensus kill, formal verification of stop pathsLow to medium today; valuable as research direction and design pressureHigh-assurance environments, future standards, and platform/vendor roadmaps

Tier 1: Practical Now

ControlWhat it solvesMain weaknessImplementation path
Forensic stop recordCreates a minimal stop artifact that links run, tool, credential, queue, downstream, and trace evidenceMay collect too much sensitive data if not designed carefullyDefine a stop-record schema; capture IDs and hashes where possible; avoid storing full sensitive payloads
Short-lived scoped credentialsLimits residual authority after a stop and reduces risk from stale tokensLegacy apps often rely on long-lived service accounts or broad scopesUse short TTLs, least-privilege scopes, user/run attribution, and revocation procedures
Tool allowlistsPrevents agents from discovering or invoking unapproved toolsCan become stale and may block useful changes if too rigidMaintain an approved tool registry with owner, risk level, schema version, and review date
Logging and trace linkageConnects user action, run ID, tool call, approval, and downstream recordDeveloper traces may not satisfy audit or incident-response needsStandardize run IDs, trace IDs, downstream record IDs, and retention classes
Approval gatesBlocks high-impact actions until a human or policy service approves themApproval fatigue; approvals may be too broad or replayableBind approval to tool, argument set, user, run, schema version, and time window
Circuit breakersTrips when abnormal tool chains, retries, or handoffs occurFalse positives can interrupt useful workStart with simple thresholds and manual review; tune with operational evidence

The evidence-preserving layer needs a concrete artifact. A stop event should create a minimal, tamper-evident evidence bundle instead of scattering evidence across logs, queues, and vendor traces. I call this the forensic stop capsule.

Practical-now pattern: forensic stop capsule
Run state Tool calls Credentials Queued tasks
Forensic Stop Capsule
MCP snapshot Approvals Downstream IDs Trace/log hash
A forensic stop capsule is a practical-now pattern for evidence-preserving stop events: a minimal, tamper-evident bundle captured at stop time.

Tier 1 is realistic for many organizations because it reuses concepts they already understand: least privilege, approval gates, audit records, logging, incident response, and circuit breakers. The hard part is not inventing new technology. The hard part is linking these controls to agent-specific state — run IDs, tool schemas, prompt context, handoff events, MCP servers, and downstream side effects. OWASP’s AI Agent Security guidance supports the security logic here (least privilege, explicit authorization, human approval, monitoring, audit trails, validation evidence), and the NIST AI RMF and Generative AI Profile support the broader governance logic.

Tier 2: Buildable by Advanced Teams

PatternCore ideaPrerequisitesMain weakness
Stop epochsTreat stop as a distributed version/state number. Every run, tool call, queue item, handoff, and downstream action checks whether its epoch is still validShared run identity, policy service, and enforcement at tool/gateway boundariesBreaks if any component ignores the epoch; requires consistent propagation across systems
Capability leasesReplace long-lived authority with short-lived, run-bound leases tied to tool, scope, approval, risk level, and expiryCredential broker, scoped permissions, lease validation in gateway/tool layerHard with legacy APIs, broad service accounts, or tools that cannot validate leases
MCP gateway enforcementPlace a policy-enforcing gateway between agent hosts and MCP/tool serversCentral registry, identity integration, policy decisions, logging, fail-closed behaviorGateway can become a bottleneck or single point of failure; needs strong operations
Signed capability snapshotsPin approved tool names, schemas, server identity, risk level, and metadata version. Changed capabilities require re-reviewSigning infrastructure, tool registry, cache invalidation, schema diffingOperational friction; tool updates become more formal and may slow iteration

The two most useful Tier 2 patterns work together: every action carries a current authorization epoch and a short-lived lease, and a stop event invalidates future checks across tools, queues, and handoffs.

Advanced pattern: stop epochs + capability leases
Agent runrun_id + epoch
Lease brokerissues scoped lease
MCP gatewaychecks epoch + lease
Tool / APIexecutes only if valid
A stop authority increments the epoch and the evidence store records the revocation; any later check against a stale epoch or expired lease fails closed across tools, queues, and handoffs.

Tier 2 is realistic for advanced internal platforms but probably unrealistic for scattered one-off agent deployments. The reason is simple: stop epochs, leases, gateway enforcement, and signed snapshots only work when the organization controls the places where actions are authorized and executed. If an agent calls a random SaaS connector directly, there may be nowhere to enforce the epoch or validate the lease. MCP makes Tier 2 more plausible because it creates a more standardized tool-access boundary, and the release candidate’s move toward cacheable responses, trace-context propagation, and Tasks makes cache invalidation, task cancellation, and trace continuity first-class concerns.

Deep dive: stop epochs

A stop epoch is a distributed stop-state version. Each agent run begins with an epoch value. Tool calls, leases, queue entries, handoffs, and downstream actions carry that value. When an authorized stop occurs, the policy service increments or invalidates the epoch. Any later component that sees an old epoch refuses to continue.

ComponentEpoch responsibilityFailure if missing
Agent runtimeAttach current epoch to each planned action and stop when the epoch changesRuntime continues after external stop
MCP gatewayReject tool calls with a stale epochCached tools or old actions remain callable
QueueCheck epoch before executing delayed/retry workQueued task runs after stop
Credential brokerBind lease/token validity to the current epochCredential remains valid after stop
Child agentInherit parent epoch and stop when the parent epoch is invalidatedHandoff continues after parent cancellation
Evidence storeRecord epoch at run start, stop time, and failed stale-epoch attemptsIncident cannot prove what was stopped

Deep dive: capability leases

A capability lease is a short-lived grant that authorizes a specific agent run to use a specific capability under defined conditions. It is narrower than a generic token. A strong lease binds together run ID, user, tool, MCP server, schema version, arguments (or argument class), scope, risk level, approval state, expiry, and stop epoch.

Lease fieldPurpose
run_idPrevents reuse by unrelated runs
tool_name and schema_versionPrevents approval from silently applying to changed tools
scope and risk_levelLimits what the tool call can do
approved_arguments or argument_classPrevents broad approval from becoming replayable authority
expiryLimits residual authority
stop_epochInvalidates the lease after a stop
trace_idLinks use to evidence

Tier 3: Experimental / Future

ConceptWhy it is interestingWhy it is hardPossible future use
Handoff passportsA signed, limited-scope packet travels from parent agent to child agent with stop epoch, trace context, max autonomy, expiry, and allowed toolsRequires cross-agent and possibly cross-vendor agreement; easy to bypass if not universally enforcedMulti-agent enterprise workflows and cross-domain delegation
Shadow commit everywhereHigh-risk actions enter a pending/reversible state before becoming finalMany real systems do not support pending states or clean rollbackFinance, access management, deployments, outbound communications
Consensus killMultiple independent authorities or monitors agree to trigger emergency stop for high-impact agentsSlow, complex, and overkill for most workflowsCritical infrastructure, defense, high-value financial actions
Formal verification of stop pathsProve that stop-state transitions prevent continuation under defined assumptionsHard to model LLM-driven behavior and messy integrations; assumptions may be too narrowHigh-assurance runtimes, gateways, and regulated environments

Tier 3 should be included because it gives the framework intellectual ambition, but it should be framed carefully. These concepts are not impossible; they are simply not ready to become ordinary governance checklist items. They are best used as design pressure: if agent ecosystems mature, what properties should future protocols and platforms support? The most promising Tier 3 idea is not consensus kill; it is handoff passports, because they attack a real gap — stop state and authority often do not naturally propagate across delegated work. But handoff passports need shared semantics across agent runtimes, gateways, and tool providers. Until that exists, they should be treated as an experimental pattern.

Cross-vendor kill-switch surface

Different agent stacks expose different parts of the kill-switch problem. The important question is not whether a platform has “a stop button,” but which layer of action it can interrupt, revoke, cancel, or preserve as evidence. This comparison is deliberately conservative: it identifies research questions and control surfaces rather than declaring any vendor safe or unsafe.

Stack / ecosystemWhat it exposes wellKill-switch relevanceGap to investigate
OpenAI Agents SDKAgent runs, tool calls, handoffs, guardrails, sessions, tracing, span-level observabilityUseful for runtime stop, tool-call visibility, handoff tracking, and evidence collectionTest whether cancellation, tracing, tool blocking, and downstream containment are governance-grade or developer-debug-only
Anthropic Claude tool useClient tools, server tools, Anthropic-defined tools, and MCP connectorsUseful for analyzing where tool authority actually lives: model, app, provider, or connectorTest stop/revoke differences for client tools, server tools, MCP connectors, and persistent tool access
Google ADK / agent ecosystemAgent-building framework with tools, orchestration, and deployment conceptsUseful for comparing enterprise deployment and lifecycle controlsIdentify whether stop semantics cover active runs, long-running tasks, retries, tool calls, and external side effects
Microsoft AutoGenMulti-agent orchestration and termination conditionsUseful for studying conversation termination and workflow boundariesTermination is not necessarily credential revocation, queue cancellation, or downstream containment
LangGraphDurable execution, interrupts, persistence, and human-in-the-loop workflow controlsStrong candidate for testing workflow stop, pause/resume, approval gates, and recoveryTest whether persisted state and resumed execution create stale-approval or post-stop continuation risks
MCPStandardized client/server tool access, capability discovery, tool schemas, authorization hardening, Tasks, cacheable discovery, trace-context propagationCentral to tool, server, task, authorization, and capability-cache kill switchesTest stale tool lists, disabled servers, task cancellation, token revocation, and trace survival
OWASP / NIST guidanceLeast privilege, approval, auditability, monitoring, risk management, documented controlsUseful for translating engineering into governance and audit questionsExisting guidance supports controls but does not define an agent-specific maturity model

Governance and standards alignment

OWASP and NIST support the governance logic behind the kill-switch framework even though neither fully defines an agent kill-switch maturity model. The value of this framework is to turn those governance instincts into agent-specific stop semantics: what exactly gets stopped, who owns the stop path, what evidence survives, and what residual action remains.

AI RMF functionKill-switch interpretation
GovernAssign kill-switch owners, define risk acceptance, document stop-path accountability, and require evidence-preserving stop procedures before deployment
MapMap agent actions, tools, MCP servers, identities, data sources, queues, handoffs, and downstream systems where the agent can continue acting
MeasureTest stop behavior at each layer, measure residual work after cancellation, and validate evidence completeness
ManageOperate kill switches, review incidents, revoke credentials, update baselines, tune circuit breakers, and improve controls after failed tests

A local evaluation lab

This framework should be validated, not asserted. The right next step is a harmless, self-contained evaluation lab that simulates an agent runtime, MCP-style tool access, queued work, fake credentials, handoffs, and downstream records — without touching real email, real SaaS systems, secrets, or production APIs.

ComponentPurpose
Agent runnerA local script or lightweight framework that simulates an agent loop
Mock MCP serverExposes fake tools and tool metadata
Fake toolsread_mock_policy, create_mock_ticket, update_mock_ticket, queue_mock_task, send_mock_email, transfer_to_mock_agent
State storeLocal JSON files for runs, tool calls, fake credentials, queued tasks, and downstream records
Evidence storeAppend-only local stop records for audit reconstruction
Control planeLocal flags for runtime stop, disabled tools, server disablement, credential revocation, queue cancellation, downstream freeze, and evidence freeze

The evaluation answers one question: after a stop is triggered, what still continues? Each test records the stop trigger, active layer, residual action, and whether evidence survived. The tiered model should be tested by implementing Tier 1 first, then adding Tier 2 patterns, and finally modeling Tier 3 concepts without implying they are production-ready.

IDTest caseTier focusExpected evidence
T1Stop before first tool callTier 1No tool call executed; run cancelled; stop record created
T2Stop after tool selection before executionTier 1Selected tool recorded; tool denied; no downstream side effect
T3Stop during write actionTier 1 / Tier 3 shadow commitPartial action explicit; record frozen, rolled back, or staged pending review
T4Stop after write before chained stepTier 1Chained step blocked; downstream record linked to stop record
T5Stop after handoffTier 2 / Tier 3 passportParent and child run status captured; handoff state tested
T6Stop with queued task pendingTier 2 stop epochQueued task cancelled or blocked by stale-epoch check
T7Stop after fake credential issuedTier 2 leaseCapability lease revoked or expired; future tool calls fail closed
T8Stop with stale MCP tool listTier 2 signed snapshotCached capability invalidated or call blocked
T9Guardrail-only blockTier 1 negative testDemonstrates why output-only control is insufficient
T10Forensic stop all layersTier 1 target + Tier 2 extensionAction stopped, authority revoked, queues cancelled, downstream frozen, evidence preserved

A kill-switch maturity model

Putting the layers and tiers together yields a maturity model. It ranges from Level 0, uncontrolled, to Level 6, forensic stop — the target state for high-impact enterprise agents.

LevelNameCapabilityGovernance interpretation
0UncontrolledNo meaningful stop mechanism beyond process termination or user abandonmentNot acceptable for tool-using enterprise agents
1Cosmetic StopVisible chat/output can be stoppedUseful UX feature, not a governance control
2Runtime StopActive agent loop can be cancelledMinimum for agent runtimes, but incomplete if tools, credentials, and queues continue
3Tool StopSpecific tools or tool calls can be blockedUseful for high-risk action gates and incident response
4Authority StopCredentials, grants, tokens, scopes, and leases can be revokedCritical when agent authority can persist outside runtime
5Workflow StopQueued work, retries, tasks, handoffs, and downstream effects can be cancelled or containedRequired for complex enterprise workflows
6Forensic StopAction stops and evidence is preserved for audit, investigation, and governance reviewTarget state for high-trust / high-impact enterprise agents

The forensic stop capsule, in detail

The evidence-preserving layer needs a concrete artifact. The Emergency Agent Stop Record is the practical implementation of the broader forensic stop capsule. It should capture enough metadata to reconstruct action, authority, continuity, and evidence — without becoming a sensitive-data dumping ground.

SectionFields
Stop metadatastop_id, timestamp, stop initiator, stop reason, emergency/non-emergency flag
Agent stateagent_id, run_id, session_id, model/provider/version, runtime version, current step
Tool stateSelected tool, attempted tool calls, completed tool calls, blocked tool calls, tool versions
MCP stateConnected servers, disabled servers, cached tool-list version, discovery timestamp
Authority stateCredential type, lease/token/grant ID, scopes, revocation timestamp, revocation result
Task stateQueued tasks, retry schedules, long-running tasks, cancellation status
Downstream stateExternal systems touched, record IDs, freeze/rollback status, owner notified
Control stateGuardrails triggered, approvals required, approvals granted, approvals invalidated
Evidence stateTrace ID, log bundle, retention class, hash/signature, evidence owner

Putting it into practice

For an enterprise review, each approved agent should satisfy a set of concrete control objectives:

That translates into a practical approval checklist reviewers can actually run:

Review areaQuestion
OwnershipWho owns the kill switch? Who can trigger it? Who reviews the evidence afterward?
ScopeWhat exactly does the stop path stop: conversation, runtime, tools, server, credential, queue, downstream action, or all of them?
RuntimeCan the active run be cancelled mid-loop, after a tool call, and after a handoff?
ToolsCan high-risk tool calls be blocked before execution? Are failed or blocked tool calls visible to the model and operator?
MCPCan MCP servers be disabled? Are cached tool lists invalidated? Does the client fail closed?
IdentityCan delegated authority, tokens, service accounts, leases, and refresh tokens be revoked quickly and visibly?
TasksCan queued, retrying, scheduled, and long-running work be cancelled?
DownstreamCan external records or actions be frozen, rolled back, or linked to the originating run?
EvidenceAre traces, logs, approvals, tool metadata, credentials, stop epochs, and stop events preserved without storing unnecessary sensitive data?
TestingHas the stop path been tested before launch and after material changes?

A realistic organization should not start with formal verification or consensus kill. It should start with Tier 1 controls, then select a small number of Tier 2 patterns if the agent platform justifies the added complexity:

  1. Start with inventory — identify agent runs, tools, MCP servers, credentials, queues, handoffs, downstream systems, and evidence sources.
  2. Implement the forensic stop record — define the minimum fields needed for incident response and audit reconstruction.
  3. Reduce authority — use short-lived scoped credentials and bind approvals to tool, argument, run, schema version, and time window.
  4. Add tool and workflow gates — use allowlists, approval gates, circuit breakers, and high-risk tool deny rules.
  5. Build the local lab — validate whether stop actions prevent residual tool calls, queued work, stale credentials, and lost evidence.
  6. For advanced teams, add stop epochs and capability leases — enforce them at the MCP gateway, queue, and credential-broker boundaries.
  7. Use signed capability snapshots — for MCP servers and tool schemas that can materially affect risk.
  8. Treat handoff passports, shadow commit, consensus kill, and formal verification as research/future design goals — unless the workflow is genuinely high-assurance.

Kill-switch ownership

A stop path with no owner is not a control. Each layer needs a named owner, a trigger authority, and defined verification evidence.

LayerLikely ownerTrigger authorityVerification evidence
Conversation stopApplication / product ownerUser or support operatorSession status, UI stop event, timestamp
Runtime stopAgent platform ownerApp operator, platform operator, incident commanderRun state cancelled, no further turns, trace closed
Tool-call stopApplication / security ownerPolicy engine, approval service, operatorDenied tool call, blocked arguments, policy reason
MCP server stopIntegration / platform ownerPlatform operator, security, MCP registry ownerServer disabled, discovery cache invalidated, calls fail closed
Credential stopIdentity / security ownerIAM admin, incident commander, automated policyToken/grant/lease/refresh revoked, access denied
Task/queue stopWorkflow / platform ownerWorkflow operator, incident commanderQueue item cancelled, retry disabled, task state stopped
Downstream stopBusiness system ownerSystem owner, incident commander, workflow ownerRecord frozen, transaction cancelled, rollback ID, owner sign-off
Evidence freezeSecurity / IR / compliance ownerIncident commander, security operatorTrace bundle, log hash, retention class, evidence owner

Limitations and careful wording

This is a proposed framework, not an industry standard. The local lab is planned, not completed. Vendor documentation shows exposed concepts and control surfaces, not complete security guarantees. Experimental concepts such as handoff passports, consensus kill, and formal verification are future-facing design ideas, not settled consensus. A few phrasings I hold myself to:

The new risk is not that agents cannot be stopped. The risk is that organizations may not know which layer they stopped, which layers kept acting, and what evidence was lost in the process.

The next step for this work is to build the harmless local lab described above — fake tools, fake credentials, fake queues, fake handoffs, and local JSON evidence records — run the ten test cases against Tier 1 controls first, then add stop epochs and capability leases for Tier 2, and publish a follow-up with the repo, test logs, and a revised maturity model measured against a real agent stack. If you’re working on agent governance and want to compare notes, get in touch.

Sources

  1. OpenAI Agents SDK — Running agents: https://openai.github.io/openai-agents-python/running_agents/
  2. OpenAI Agents SDK — Tracing: https://openai.github.io/openai-agents-python/tracing/
  3. OpenAI Agents SDK — Handoffs: https://openai.github.io/openai-agents-python/handoffs/
  4. Model Context Protocol — Security Best Practices: https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices
  5. MCP Blog — The 2026-07-28 MCP Specification Release Candidate: https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/
  6. OWASP Cheat Sheet Series — AI Agent Security: https://cheatsheetseries.owasp.org/cheatsheets/AI_Agent_Security_Cheat_Sheet.html
  7. Anthropic Claude Platform Docs — Tool use with Claude: https://docs.anthropic.com/en/docs/agents-and-tools/tool-use/overview
  8. LangGraph Docs — Interrupts: https://docs.langchain.com/oss/python/langgraph/interrupts
  9. NIST — AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
  10. NIST AI 600-1 — Generative AI Profile: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
  11. Microsoft AutoGen — Termination: https://microsoft.github.io/autogen/stable/user-guide/agentchat-user-guide/tutorial/termination.html
  12. Google Agent Development Kit: https://adk.dev/