Could you shut your agent down right now? A third of executives aren't sure.
74% of companies expect to be using AI agents by 2027, only 21% have mature governance for them, and a third of executives aren't sure they could stop a rogue one.
Last updated
Before you deploy an autonomous agent to production, two questions decide whether you’re ready, and neither is about the model. First: if this agent started doing damage, could you stop it right now? Second: who, by name, is accountable for what it does? If the honest answer to either is a pause, you’ve granted the agent more authority than your controls can back — and the survey data says most companies have.
This is engineering guidance, not legal or compliance advice. But the gaps below are the ones that turn a useful agent into an incident, and they are all infrastructure and operating discipline.
The gap, in three numbers
The rush to deploy agents is real and the control layer hasn’t kept pace. Three figures, from two independent 2026 surveys, frame it:
| The number | What it says | Source |
|---|---|---|
| 74% | of companies expect to be using AI agents at least “moderately” by 2027 | Deloitte, 2026 State of AI in the Enterprise |
| 21% | say they have a mature governance model in place for those agents | Deloitte, 2026 State of AI in the Enterprise |
| 35% | of executives aren’t very confident they could “pull the plug” on a rogue agent | WRITER, 2026 AI Adoption in the Enterprise |
Deloitte surveyed 3,235 business and IT leaders across 24 countries: “74% of respondents expect their companies to be using AI agents at least ‘moderately’” within two years, while “only 21% of respondents say their organizations have a mature governance model in place for agentic AI” (Deloitte, AI agents are scaling faster than their guardrails). Nearly four in five are heading toward agents in production without a governance model they’d call mature.
The WRITER survey — 2,400 employees and C-suite leaders, run with Workplace Intelligence — sharpens it into an operational admission: “more than one-third (35%) concede they aren’t very confident they could ‘pull the plug’ on a rogue AI agent if it started causing financial or reputational damage to their company,” and 36% had no formal plan for supervising agents at all (WRITER survey, April 2026; WRITER, 2026 AI Adoption in the Enterprise; reported by diginomica). Read that carefully: it isn’t a claim that a third of agents are rogue. It’s a third of the people responsible admitting they aren’t sure they could stop one. That uncertainty is the finding.
A kill switch nobody has tested isn’t a kill switch
“We could shut it down” is easy to believe and hard to do under pressure. When an agent is misbehaving at machine speed, an untested stop function tends to fail in specific ways: the only way to revoke access is to disable a shared service account that a dozen legitimate workflows also use; the credential is long-lived, so there’s no fast, clean way to cut just this agent; nobody on call has actually run the shutdown, so the runbook is theoretical. Each of those turns “pull the plug” into a scramble.
A real stop control is boring and rehearsed. You can halt the agent or revoke its credentials immediately, without collateral damage to the humans on the same system. The credentials are short-lived and scoped, so cutting the agent off is a fast, contained action, not a hunt. And someone has actually pressed it in a drill, so the person on call isn’t reading the procedure for the first time during the incident. This is exactly the control the Least Agency framework names as the gate on autonomy: a kill switch you have exercised, not one you assume works. An agent you cannot stop is not an agent you have earned the right to run unattended.
Who owns it? Decide that before the incident, not during
Logging tells you what happened; a stop function lets you halt it. Neither tells you who answers for it. That’s a separate control, and it’s the one teams skip because it isn’t code.
“The AI team owns it” means no one owns it. A production agent needs a specific human who runs it, knows the signals that mean trouble, holds the authority to stop it, and is accountable for its decisions — the Ownership dimension of the Production-Readiness Bar. Accountability assigned during an incident is accountability nobody actually holds. The 36% with no supervision plan aren’t lacking a document; they’re lacking the named person the document would point to. Autonomy doesn’t dissolve accountability — it just makes the absence of an owner more expensive, because the agent can now act faster and wider than the last thing anyone approved.
OWASP calls the fix “least agency”
None of this is exotic. The 2026 OWASP Top 10 for Agentic Applications lists Rogue Agents as ASI10 — compromised or misaligned agents that deviate from their intended scope — and answers it with a principle it calls least agency: autonomy is a feature that should be earned, not a default setting. In practice that means granting an agent only the permissions, functionality, and independence its task requires, requiring a human check on high-impact or irreversible actions, and keeping the ability to instantly cut its access if it drifts from baseline.
Mapped to the symptoms that show up when you skip it:
| Symptom you’d recognize | What’s actually missing | The control |
|---|---|---|
| ”I think we could stop it… probably” | A stop function nobody has exercised | A tested kill switch, on short-lived scoped credentials |
| One shared service account for every agent action | Attributable, revocable identity | Scoped, least-privilege credentials per agent |
| ”The AI team owns the agents” | A named accountable person | Assigned ownership, decided before launch |
| Agent can take irreversible actions on its own | A human check where it matters | Human-in-the-loop on high-impact, hard-to-reverse operations |
| No agreed limit on what it may decide alone | A defined authority ceiling | An earned rung on the authority ladder |
That last row is the through-line. Least Agency scores the authority you’ve granted an agent against the controls you’ve actually earned — and the gap between the two is precisely the uncertainty those 35% are describing. The auditing side of this argument reaches the same place from the accountability direction: you should be able to reconstruct what an agent did, stop it, and name who answers for it.
The work
Closing this gap isn’t a policy PDF. It’s engineering and operating discipline: scoped, short-lived credentials so an agent’s access is attributable and revocable; a kill switch you have tested in a drill; a human approval step on the actions that are expensive or irreversible; and a named owner on call for each class of agent decision. Get those in place and “could you shut it down?” stops being a question you have to think about.
If you want the throughput of agent-driven engineering without putting an agent you can’t stop near production, that’s Agentic Delivery: a governed workflow — change proposal, machine-verified guardrails, policy gate, human approval — built to the Least Agency ladder, so the authority you grant an agent is authority its controls have earned.
Questions this raises
Straight answers.
- How many companies can actually stop a rogue AI agent?
- Fewer than you'd hope. In WRITER's 2026 AI Adoption in the Enterprise survey, more than a third of executives (35%) said they aren't very confident they could "pull the plug" on a rogue AI agent if it started causing financial or reputational damage, and 36% reported no formal plan for supervising agents at all. Meanwhile Deloitte's 2026 State of AI found 74% of companies expect to be using agents at least moderately by 2027, but only 21% have a mature governance model for them. The deployment curve is far ahead of the control curve.
- What does a real AI agent kill switch require?
- A stop control you have actually exercised, not one you assume works. Concretely: the ability to revoke the agent's credentials or halt its execution immediately without taking down the humans who depend on the same system; short-lived, scoped credentials so revocation is fast and clean rather than a hunt for every long-lived key; and a tested runbook so the person on call knows how to trigger it under pressure. OWASP's guidance is blunt on this — if an agent starts acting outside its baseline, you need a way to instantly kill its access. A kill switch nobody has pressed is a design doc, not a control.
- Who is accountable when an autonomous agent makes a bad call?
- A specific named person, decided before the incident — not "the AI team," which resolves to no one. A production agent needs an owner who runs it, knows what to watch, can stop it, and answers for its decisions. That is the Ownership dimension of the production-readiness bar. Autonomy does not remove accountability; it raises the cost of never having assigned it.
- Is being unable to stop an agent actually a governance problem, or just a technical one?
- Both, and they're the same gap. The technical failure (no tested stop function, standing credentials, one shared identity) and the governance failure (no named owner, no supervision plan, no defined authority limit) travel together. OWASP's 2026 Top 10 for Agentic Applications makes the fix a first-class principle it calls least agency: grant an agent only the authority its task requires and its controls can back — and require a human check on high-impact, irreversible actions.
Agentic Delivery
The writeup has a service behind it.
If this is your situation, the agentic delivery is where it gets fixed — by the person who wrote this.