Agent Kill Switch and Emergency Stop
Maintain the operational capability to halt any running agent session, workflow, or agent class immediately — without relying on the agent itself to stop — and recover to a known-safe state.
Objective
Preserve human control over in-flight agent executions by ensuring a reliable, tested mechanism exists to stop agents that are behaving unexpectedly, consuming excessive resources, or taking unauthorized actions.
Maturity Levels
Initial
No kill mechanism exists; stopping a runaway agent requires manually terminating infrastructure with significant lead time.
Developing
Infrastructure-level termination is possible but requires engineering access and is not documented or tested.
Defined
A documented stop procedure exists for each agent class with named responsible parties; procedures are known to the on-call team.
Managed
Stop procedures are tested quarterly; recovery to known-safe state is verified after each test; response time targets are met.
Optimizing
Automated circuit breakers pause agents when behavioral thresholds are exceeded; human-triggered stop is a single, audited action available to designated operators 24/7.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Stop procedure documentation covering individual session, agent class, and full deployment scopes, with named responsible parties, trigger criteria, and target response times
- Quarterly stop procedure test records showing time-to-stop for each scope and verification that recovery to known-safe state succeeded
- Authority matrix confirming who can trigger each stop scope and under what conditions, without requiring additional approval
- Partial-completion recovery playbook documenting how in-flight state is assessed and handled after an emergency stop
- On-call contact list for stop-authorized personnel reviewed and updated at least quarterly, with evidence of last review
Implementation Notes
Key steps
- Design stop capability into agents at the architecture level: every agent execution environment must support immediate session termination without waiting for the agent to reach a natural stopping point.
- Define three stop scopes and document each separately: (1) individual session termination, (2) agent class pause (all instances of one agent type), and (3) full deployment suspension.
- Assign explicit stop authority: who can trigger each scope, under what conditions, and without requiring additional approval — ambiguity in a crisis costs time.
- Test stop procedures on a schedule and document the result: an untested kill switch is not a kill switch.
- Plan for partial-completion states before you need them: if an agent is stopped mid-workflow, what data was written, what external calls were made, and how do you recover or roll back to a safe state?
Example Implementation
Healthcare organization running scheduling and medical records agents over patient data
Agent Emergency Stop Runbook — Healthcare Agent Platform
Stop scope levels:
| Scope | Trigger Criteria | Stop Authority | Target Response | Method |
|---|---|---|---|---|
| Session stop | Single agent behaving unexpectedly | Any authorized operator | <60 seconds | Session termination API; session flagged in audit log |
| Agent class pause | Pattern of anomalies across agent type | AI Eng lead or on-call | <5 minutes | Feature flag disable; queued sessions rejected |
| Full deployment stop | Active patient harm or data breach | CISO or designee | <15 minutes | Infrastructure shutdown; incident declared |
On-call stop authority: AI Eng on-call + CISO (or delegate) — contacts reviewed monthly
Partial-completion recovery:
- Any session terminated mid-workflow: state snapshot written before termination; human reviewer notified within 15 minutes to assess and complete manually if needed
- After an emergency stop, no in-flight external write (EHR update, message send) is confirmed without human verification
Test cadence: session stop tested monthly; class pause and full stop tested quarterly; results logged and signed off by the AI Governance lead
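As an added example (not code from the page, nor from any vendor's agent platform), the following Python sketch shows how the three stop scopes from the key steps above and the runbook's recovery rules fit together in a supervisor-side runtime: stop flags live in a registry that only the runtime reads, every tool call is gated on that registry, a rate-based circuit breaker pauses a whole agent class automatically, and an emergency stop writes a state snapshot and holds any unconfirmed external write for human verification instead of confirming it. All class, tool and operator names, the six-calls-per-window threshold and the five-step plan are constructed for the example.

```python
# Added example (not from the page): an agent runtime whose stop decisions are made by the
# supervisor, never by the agent. Class, tool and operator names are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Optional

class StopRegistry:
    """Out-of-band stop flags, read only by the runtime; the agent's planning loop has no
    handle to them. In production this is a shared store the operator console writes to."""

    def __init__(self) -> None:
        self._stops: set[tuple[str, str]] = set()
        self.audit: list[tuple[str, str, str]] = []  # (scope, target, operator)

    def stop(self, scope: str, target: str, operator: str) -> None:
        """scope: 'session' (target = session id), 'class' (class name) or 'deployment' ('*')."""
        self._stops.add((scope, target))
        self.audit.append((scope, target, operator))  # every stop is an audited action

    def blocking_scope(self, sid: str, agent_class: str) -> Optional[str]:
        """Widest scope currently blocking this session, or None."""
        for scope, target in (("deployment", "*"), ("class", agent_class), ("session", sid)):
            if (scope, target) in self._stops:
                return scope
        return None

@dataclass
class Session:
    sid: str
    agent_class: str
    plan: list[tuple[str, bool]]  # (tool name, is_external_write)
    completed: list[str] = field(default_factory=list)
    unconfirmed_write: Optional[str] = None  # issued, not yet confirmed
    confirmed_writes: list[str] = field(default_factory=list)
    held_writes: list[str] = field(default_factory=list)  # need human verification
    snapshot: dict = field(default_factory=dict)  # written at emergency stop

class Runtime:
    """Drives a session one tool call at a time. The stop check lives here, so a stop
    takes effect at the next step boundary whatever the agent would have chosen."""

    def __init__(self, registry: StopRegistry, reviewer_queue: list, clock: Callable[[], float],
                 max_calls: int = 6, window_s: float = 60.0) -> None:
        self.registry, self.reviewers, self.clock = registry, reviewer_queue, clock
        self.max_calls, self.window_s, self._calls = max_calls, window_s, {}

    def _breaker_trips(self, agent_class: str) -> bool:
        """Circuit breaker: pause a class once it exceeds max_calls in the current window."""
        bucket = (agent_class, int(self.clock() // self.window_s))  # fixed window, all sessions
        self._calls[bucket] = self._calls.get(bucket, 0) + 1
        if self._calls[bucket] <= self.max_calls:
            return False
        self.registry.stop("class", agent_class, operator="circuit-breaker")
        return True

    def step(self, s: Session) -> str:
        """Run the next tool call; returns 'running', 'done' or 'stopped'."""
        if s.snapshot:  # already emergency-stopped
            return "stopped"
        cursor = len(s.completed)
        scope = self.registry.blocking_scope(s.sid, s.agent_class)
        if scope is None and cursor < len(s.plan) and self._breaker_trips(s.agent_class):
            scope = "class"
        if scope is not None:
            return self._emergency_stop(s, scope)
        if s.unconfirmed_write is not None:  # confirm only once no stop is pending
            s.confirmed_writes.append(s.unconfirmed_write)
            s.unconfirmed_write = None
        if cursor >= len(s.plan):
            return "done"
        tool, is_external_write = s.plan[cursor]
        s.completed.append(tool)  # simulated tool execution
        if is_external_write:
            s.unconfirmed_write = tool
        return "running"

    def _emergency_stop(self, s: Session, scope: str) -> str:
        """Snapshot in-flight state, hold any unconfirmed write for a reviewer, notify."""
        if s.unconfirmed_write is not None:
            s.held_writes.append(s.unconfirmed_write)
            s.unconfirmed_write = None
        s.snapshot = {"stopped_by": scope, "resume_at_step": len(s.completed),
                      "completed": list(s.completed), "held_writes": list(s.held_writes)}
        self.reviewers.append(s.sid)
        return "stopped"

def run_scenario() -> dict:
    """Constructed scenario covering all three scopes plus the breaker."""
    registry, reviewers = StopRegistry(), []
    rt = Runtime(registry, reviewers, clock=lambda: 0.0)
    plan = [("read_record", False), ("draft_message", False), ("send_message", True),
            ("update_ehr", True), ("log_done", False)]
    s1 = Session("s1", "scheduling", plan)  # operator stops it right after update_ehr
    for _ in range(4): rt.step(s1)
    registry.stop("session", "s1", operator="oncall-alice")
    rt.step(s1)
    s2 = Session("s2", "scheduling", plan)  # pushes the class past 6 calls in the window
    for _ in range(4): rt.step(s2)
    registry.stop("deployment", "*", operator="ciso")
    s3 = Session("s3", "records", plan)  # queued after the stop: rejected before its first call
    rt.step(s3)
    return {"s1": s1, "s2": s2, "s3": s3, "reviewers": reviewers, "audit": registry.audit}
```

Two design points carry the control. The agent never sees the registry: the check runs in the supervisor before each tool call, so an agent that ignores or cannot process a stop instruction is still halted at the next step boundary; the outer layer for a tool call that hangs is still process-level termination (container stop, job cancel), which this sketch does not model. External writes are two-phase: issued at one step and confirmed at the next only if no stop is pending, so a stop that lands between the two leaves the write in held_writes for the reviewer rather than silently committed. The breaker uses a fixed window for brevity; a production threshold would normally use a sliding window and more than one signal (error rate, tool mix, data volume).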
