EVIDENCE TRAIL

Emergency-stop control — halt one agent, fleet, or all

Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. "Kill switch" is a widely used term in safety engineering; two OWASP Agentic 2026 entries use it verbatim in an agentic context (§ASI04 and §ASI10), making this one of the few Helmwart mitigations whose label appears directly in upstream sources. Two factual errors in the source MDX are flagged and corrected below: the NIST AI 600-1 citation and the NIST SP 800-53 SI-4(12) citation.

Last cross-checked against upstream sources: · 8 sources

References

Each entry shows what the source supports and what it does not prove.

Reference 1
Version 2026 · published December 2025

OWASP Top 10 for Agentic Applications 2026

§ASI04 Agentic Supply Chain Vulnerabilities — Prevention and Mitigation Guideline 8

"Supply chain kill switch: Implement emergency revocation mechanisms that can instantly disable specific tools, prompts, or agent connections across all deployments when a compromise is detected, preventing further cascading damage."

Supports: Verbatim use of "kill switch" in an agentic context. Explicitly names emergency revocation — disabling specific tools, prompts, or agent connections — as a required safeguard. The scope (all deployments) and trigger (detected compromise) match this control's design.

Does not prove: Frames the kill switch as a supply-chain response to compromised components, not the broader class of runaway-behaviour or misalignment-triggered halts that this control also covers. Does not address fleet-wide or global halt scope.

Reference 2
Version 2026 · published December 2025

OWASP Top 10 for Agentic Applications 2026

§ASI10 Rogue and Deceptive Agents — Prevention and Mitigation Guideline 4

"Containment & Response: Implement rapid mechanisms like kill-switches and credential revocation to instantly disable rogue agents. Quarantine suspicious agents in sandboxed environments for forensic review."

Supports: Verbatim use of "kill-switches" as a containment mechanism for rogue agents. Names the paired action (credential revocation) and the follow-on step (quarantine and forensic review) — matching this control's "lift the switch only after root-cause assessment" requirement.

Does not prove: Does not specify the three-scope hierarchy (single, class, global) or the runbook/drill discipline that turns the primitive into a durable control. Covers rogue-agent scenarios only, not resource-overload or budget-exhaustion triggers.

Reference 3
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

No verbatim excerpt pulled yet — open the original to verify the cited section.

Supports: T4 (Resource Overload) and T7 (Misaligned & Deceptive Behaviors) name the threat scenarios for which a kill switch is the indicated reactive control. T4 describes runaway-resource scenarios requiring operator authority to stop; T7 describes agent misalignment requiring human-override authority.

Does not prove: The mitigations listed in the PDF for T4 and T7 do not name "kill switch" verbatim — they describe monitoring, rate limiting, and human-in-the-loop patterns. The link to the kill-switch control is Helmwart's inference from the threat scenarios, not a direct citation.

Reference 4
Published July 2024

NIST AI 600-1 — Generative AI Profile (NIST AI RMF)

MANAGE 2.4 — "Mechanisms … to supersede, disengage, or deactivate AI systems"

"MANAGE 2.4: Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use."

Supports: Names "supersede, disengage, or deactivate" as a required capability when AI systems perform inconsistently with intent — the precise operational property this kill-switch control implements. Also names that "responsibilities are assigned and understood," matching the named-authority requirement.

Does not prove: Applies to AI systems broadly, not specifically to agentic multi-agent orchestration. Does not specify invocation scope (single/class/global), audit trail, or drill cadence. (Note: the source MDX cited GOVERN-1.7 as the NIST AI 600-1 reference for override/control capability. Verified text of GOVERN-1.7 is "Processes and procedures are in place for decommissioning and phasing out AI systems safely" — which is about retirement planning, not real-time operational halt. MANAGE-2.4 is the correct citation; corrected here.)

Reference 5
Rev 5 · published September 2020 (updated Jan 2022)

NIST SP 800-53 Rev 5 — Security and Privacy Controls for Information Systems

SI-4(12) — System Monitoring control enhancement, Chapter 3

"SI-4(12) SYSTEM MONITORING | AUTOMATED ORGANIZATION-GENERATED ALERTS: Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]."

Supports: Establishes a requirement for automated alerting when unusual activities occur — the detection and notification path that precedes a kill-switch invocation. Named roles receiving the alert map to the "named authority" this control requires.

Does not prove: SI-4(12) is about automated alert generation from external information sources, not about session or process termination. The source MDX claimed SI-4(12) "mandates capability to terminate user sessions and connections at will" — this is a misattribution. That language does not appear in SI-4(12). The closest termination control in SP 800-53 is AC-12 (Session Termination). SI-4(12) supports the detection/alerting path, not the halting primitive itself.

Reference 6
ATLAS catalogue (continuously updated)

MITRE ATLAS AML.M0004 — Restrict Number of AI Model Queries

AML.M0004 — description field

"Limit the total number and rate of queries a user can perform."

Supports: Rate and query limiting is the preventive layer that sits upstream of a kill switch; when rate limits are exhausted or circumvented (e.g., in AML.T0034 Cost Harvesting), the kill switch is the reactive fallback. Names the same resource-overload scenario class that motivates this control.

Does not prove: Describes a soft quota control, not a hard-stop authority. Does not name fleet-level or global halt, does not address named human authority, audit trail, or drill cadence. The two controls are complementary, not equivalent.

Reference 7
ATLAS catalogue (continuously updated)

MITRE ATLAS AML.M0026 — Privileged AI Agent Permissions Configuration

AML.M0026 — description field

"AI agents may be granted elevated privileges above that of a normal user to enable desired workflows. When deploying a privileged AI agent, or an agent that interacts with multiple users, it is important to implement robust policies and controls on permissions of the privileged agent. These controls include Role-Based Access Controls (RBAC), Attribute-Based Access Controls (ABAC), and the principle of least privilege so that the agent is only granted the necessary permissions to access tools and resources required to accomplish its designated task(s)."

Supports: Establishes RBAC/ABAC and least-privilege as the permission model that the kill-switch authority surface must enforce. The "named role owns the runbook" requirement of this control is an instantiation of RBAC applied to halt authority.

Does not prove: Addresses privilege scoping for agents performing tasks, not the mechanics of halting them. Does not name kill switches, emergency stops, or any halt primitive. The connection to this control is through the shared RBAC/authority-scoping concern.

Reference 8
AWS documentation (continuously updated)

AWS Lambda — Configuring Reserved Concurrency

§Configuring reserved concurrency — "Configuring Reserved Concurrency for a Function"

"To intentionally throttle a function, set its reserved concurrency to 0. This stops your function from processing any events until you remove the limit."

Supports: Verbatim description of the serverless kill-switch primitive: setting reserved concurrency to zero stops all invocations immediately. Demonstrates that the kill-switch is implementable as a single API call on a production platform without a code deploy.

Does not prove: Describes one platform primitive (AWS Lambda) only. Does not address Kubernetes Pod termination, service-mesh circuit breakers, or other deployment targets. Does not cover named-authority, runbook, or drill requirements.
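
The properties the entries above attribute to this control but find missing from the individual sources (three halt scopes, a named role holding halt authority, an audit trail, and lifting only after root-cause assessment) can be modelled together in a few lines. This is an added example, not code from Helmwart or from any cited source; the role names, the scope labels and the `root_cause_ref` field are assumptions, and the model is in-memory where a real deployment would back `halt` with a platform primitive such as the reserved-concurrency setting quoted in Reference 8.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed RBAC grants (hypothetical role names): scopes each role may halt or lift.
HALT_AUTHORITY = {
    "agent-owner": {"single"},
    "fleet-oncall": {"single", "class"},
    "incident-commander": {"single", "class", "global"},
}

@dataclass
class KillSwitch:
    halted: set = field(default_factory=set)   # active switches as (scope, target)
    audit: list = field(default_factory=list)  # one entry per attempt, allowed or not

    def _record(self, actor, role, action, scope, target, ok, note=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "role": role, "action": action,
                           "scope": scope, "target": target, "ok": ok, "note": note})
        return ok

    def halt(self, actor, role, scope, target="*"):
        target = "*" if scope == "global" else target
        ok = scope in HALT_AUTHORITY.get(role, set())
        if ok:
            # A real deployment would also call the platform primitive here.
            self.halted.add((scope, target))
        return self._record(actor, role, "halt", scope, target, ok)

    def lift(self, actor, role, scope, target="*", root_cause_ref=""):
        target = "*" if scope == "global" else target
        # Same authority as halting, plus a non-empty root-cause assessment reference.
        ok = (scope in HALT_AUTHORITY.get(role, set())
              and bool(root_cause_ref.strip())
              and (scope, target) in self.halted)
        if ok:
            self.halted.discard((scope, target))
        return self._record(actor, role, "lift", scope, target, ok, root_cause_ref)

    def may_run(self, agent_id, agent_class):
        # Checked before every agent step: any matching switch blocks the step.
        keys = {("global", "*"), ("class", agent_class), ("single", agent_id)}
        return not (keys & self.halted)
```

Denied attempts are recorded as well as successful ones, so the audit trail shows who tried to halt or lift outside their authority and which lifts were refused for lacking a root-cause reference.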