March 2, 2026 by Rogue Security Research
Tags: agentic-security, kill-switch, MIT-study, ASI10, rogue-agents, governance, transparency, enterprise-ai, agent-control

No Kill Switch: MIT Study Reveals Most AI Agents Can't Be Stopped

What happens when an AI agent goes rogue and you can’t turn it off?

A team of researchers from MIT, Cambridge, Stanford, Harvard, and four other institutions just published a 39-page study analyzing 30 of the most widely deployed agentic AI systems. Their findings reveal a discipline operating without basic safety protocols - systems that execute autonomously across enterprise infrastructure with no documented way to stop them.

  • 30 agents analyzed
  • 40% with no usage monitoring
  • 4 agents with no stop option
  • 3 vendors responded

The study - titled “The 2025 AI Index: Documenting Sociotechnical Features of Deployed Agentic AI Systems” - is the most comprehensive audit of agentic AI operational security ever conducted. And it paints a picture of an industry shipping autonomous systems without the controls enterprises assume exist.

The Kill Switch Problem

Four agentic systems in the study have no documented way to stop an individual agent from executing:

  • MobileAgent (Alibaba) - No stop option
  • Breeze (HubSpot) - No stop option
  • watsonx (IBM) - No stop option
  • n8n Automations (n8n) - No stop option

The Enterprise Dilemma

“For enterprise platforms, there is sometimes only the option to stop all agents or retract deployment.” In a multi-agent environment processing thousands of workflows, the only option for stopping a rogue agent may be shutting down the entire system.

This isn’t a theoretical concern. IBM’s 2026 X-Force Threat Index, released last week, reports a 49% year-over-year increase in active ransomware groups - many now using AI to automate operations. When attackers can operate at machine speed, defenders need granular control to isolate and stop compromised processes. “Stop everything or stop nothing” isn’t a security model. It’s a liability.

The Transparency Void

Across eight categories of disclosure, the researchers found that most agent systems offer no information whatsoever for most categories:

Third-Party Testing - Mostly Missing
Most systems provide no information about whether independent security testing has been conducted, let alone the methodology or results.

Execution Traces - Unclear
“For many enterprise agents, it is unclear from information publicly available whether monitoring for individual execution traces exists.” No traces means no forensics.

Usage Monitoring - 12/30 Missing
Twelve agents provide no usage monitoring or only alert users when they hit rate limits. You can’t even track how much compute your agents are consuming.

AI Disclosure - Rarely Default
“Most agents do not disclose their AI nature to end users or third parties by default.” No watermarking, no robots.txt compliance, no identification.

Risk Documentation - Largely Absent
Potential risks, failure modes, and known limitations are rarely documented. Users deploy without understanding what could go wrong.

Safety Evaluations - Undisclosed
Even when vendors claim safety testing occurred, methodology and results are almost never disclosed. Trust without verification.

The researchers attempted to get feedback from all 30 vendors over a four-week period. About a quarter responded. Only three provided substantive comments.

The Compliance Facade

Enterprise platforms present an interesting pattern: they show compliance certifications while hiding actual security evaluation results.

HubSpot Breeze - A Case Study

HubSpot’s Breeze agents are certified for SOC 2, GDPR, and HIPAA compliance - standard enterprise checkboxes. But when it comes to actual security testing? The company states their agents were evaluated by third-party security firm PacketLabs, “but provides no methodology, results, or testing entity details.”

This pattern - compliance approval without security evaluation disclosure - is “typical of enterprise platforms,” according to the researchers.

The disconnect is stark: enterprises are adopting AI agents based on compliance certifications that don’t actually address agentic-specific risks. SOC 2 doesn’t cover prompt injection. HIPAA doesn’t address agent-to-agent lateral movement. GDPR doesn’t contemplate rogue autonomous behavior.

When Perplexity’s Browser Sounds Like a “Security Disaster”

The researchers provided three in-depth case studies. The contrast is illuminating.

Perplexity Comet - The Bad
x No agent-specific safety evaluations
x No third-party testing disclosed
x No benchmark performance disclosures
x No sandboxing documented beyond prompt-injection mitigations
x Reportedly presents itself as human to servers (Amazon lawsuit)
OpenAI Agent - The Less Bad
+ Cryptographically signs browser requests for traceability
+ Thousands of hours of third-party red teaming
+ Active monitoring in place
+ Acknowledges risks and limitations publicly
- Still notes “no system eliminates all risk”

OpenAI’s Agent is the only system in the study that provides cryptographic signing of browser requests - creating an audit trail for what the agent actually does. It’s a low bar, but most systems don’t clear it.

Perplexity contested the findings, telling ZDNET the report “contains significant factual inaccuracies.” They noted that MCP and prompt injection issues were responsibly disclosed through their bug bounty program, patched quickly, and “worked as designed.” The Amazon lawsuit, they argued, is a commercial dispute, not a safety incident.

IBM also pushed back, stating that the study’s assertions about watsonx Orchestrate are “inaccurate” and pointing to documentation on agent observability, deterministic controls, and evaluation frameworks.

The back-and-forth illustrates the problem: even when documentation exists, it’s scattered, incomplete, or inaccessible enough that a multi-institution research team couldn’t find it.

The Model Monoculture

Behind the diversity of agentic platforms lies a concerning uniformity:

“Most agents rely on a small set of closed-source frontier models.”
MIT AI Index Study

OpenAI’s GPT, Anthropic’s Claude, and Google’s Gemini power the vast majority of these 30 systems. This creates systemic risk: a vulnerability in one foundation model propagates across the entire agentic ecosystem.

We’ve already seen this play out. IBM’s X-Force report notes that infostealer malware led to the exposure of over 300,000 ChatGPT credentials in 2025. Those aren’t just chatbot logins - they’re potentially access tokens to every agent built on ChatGPT’s infrastructure.

OWASP Mapping: ASI10 - Rogue Agents

The MIT study’s findings map directly to ASI10: Rogue Agents from the OWASP Top 10 for Agentic Applications (2026):


ASI10 describes scenarios where AI agents deviate from intended behavior - whether through compromise, misconfiguration, or emergent behavior. The OWASP framework assumes organizations have:

  • Monitoring to detect deviations
  • Execution traces to investigate incidents
  • Kill switches to stop rogue behavior
  • Safety evaluations to understand failure modes

The MIT study reveals that most deployed systems lack all four.

The Governance Gap Gets Wider

The researchers predict these problems will intensify:

Looking Ahead

“The governance challenges documented here - ecosystem fragmentation, web conduct tensions, absence of agent-specific evaluations - will gain importance as agentic capabilities increase.”

IBM’s threat index supports this trajectory. They report a 4X increase in supply chain and third-party compromises since 2020, driven by attackers exploiting trust relationships and CI/CD automation. With AI-powered coding tools accelerating software creation - and occasionally introducing unvetted code - the pressure on pipelines and open-source ecosystems is expected to grow throughout 2026.

The convergence is concerning: more autonomous agents, less visibility into their behavior, fewer controls to stop them, and attackers increasingly using AI to find and exploit weaknesses faster than humans can patch them.

What Security Teams Should Demand

01. Granular Stop Controls
Require the ability to stop individual agents without shutting down entire systems. If your vendor can only offer “all or nothing,” that’s a red flag. Ask for per-agent termination capabilities before deployment.

02. Execution Trace Logging
Demand detailed logs of what agents actually do - not just what they’re asked to do. Every tool invocation, every data access, every external call should be traceable. If you can’t audit it, you can’t investigate incidents.

03. Third-Party Security Testing Results
Compliance certifications aren’t security evaluations. Ask for methodology, scope, and results of agent-specific testing. “We had PacketLabs evaluate it” without details is meaningless.

04. Usage Monitoring and Alerting
Know how much compute your agents consume, how many calls they make, and what resources they access. Rate limit awareness isn’t monitoring - you need real-time visibility into agent behavior patterns.

05. AI Disclosure Mechanisms
Ensure agents identify themselves as AI to external services. Watermarking, robots.txt compliance, and user-agent disclosure aren’t just ethical - they’re increasingly legal requirements.

06. Runtime Behavioral Monitoring
Vendor controls aren’t sufficient. Implement independent monitoring that detects when agent behavior deviates from baselines - anomalous tool usage, unexpected data access patterns, suspicious external communications.
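
To make the stop-control, execution-trace and behavioral-monitoring demands above concrete, here is an added example (not code from the study, from Rogue Security, or from any vendor named here) of a minimal per-agent tool gateway in Python: every tool call is written to an execution trace, a stop flag halts one agent without touching the others, and calls outside a declared tool and host baseline are denied and logged. The agent names, tool names and hosts are constructed for the example.

```python
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class AgentRuntime:
    """One agent's tool gateway: per-agent stop flag, execution trace and
    baseline check. Constructed illustration, not any vendor's runtime."""
    agent_id: str
    allowed_tools: frozenset   # baseline: tools this agent is expected to call
    allowed_hosts: frozenset   # baseline: hosts it is expected to reach
    stopped: bool = False
    trace: list = field(default_factory=list)

    def _log(self, event, tool, args, **extra):
        # Every decision, including denials, is written to the trace.
        self.trace.append({"ts": time.time(), "agent": self.agent_id,
                           "event": event, "tool": tool, "args": args, **extra})

    def stop(self):
        """Kill switch for this agent only; other agents are unaffected."""
        self.stopped = True
        self._log("stopped", None, None)

    def deviation(self, tool, args):
        """Reason string if the call leaves the baseline, else None."""
        if tool not in self.allowed_tools:
            return f"tool {tool!r} outside baseline"
        if tool == "http_get":
            host = urlparse(args.get("url", "")).hostname or ""
            if host not in self.allowed_hosts:
                return f"host {host!r} outside baseline"
        return None

    def invoke(self, tool, args, impl):
        """Run impl(**args) only if this agent is live and within baseline."""
        if self.stopped:
            self._log("denied", tool, args, reason="agent stopped")
            raise PermissionError(f"{self.agent_id} is stopped")
        reason = self.deviation(tool, args)
        if reason:
            self._log("denied", tool, args, reason=reason)
            raise PermissionError(f"{self.agent_id}: {reason}")
        result = impl(**args)
        self._log("invoked", tool, args, result=repr(result)[:80])
        return result
```

Here the baseline is a static allowlist; a runtime monitor would instead derive `allowed_tools` and `allowed_hosts` from observed behavior and alert on the same `deviation()` outcome.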

The Accountability Question

The MIT study ends with an uncomfortable truth:

“Agentic AI is a product of development teams making specific choices. These agents are tools created and distributed by humans. As such, the responsibility for documenting the software, for auditing programs for safety concerns, and for providing control measures rests squarely with OpenAI, Anthropic, Google, Perplexity, and other organizations.”
MIT AI Index Study

The disclosure gaps, the missing kill switches, the absent execution traces - these aren’t inevitable technical limitations. They’re choices. Vendors chose to ship without these controls. Enterprises chose to deploy without demanding them.

The question for every organization deploying agentic AI: when your autonomous system does something unexpected, harmful, or malicious - will you be able to see what happened? Will you be able to stop it? Will you even know?

If you can’t answer those questions, you’re not deploying AI agents. You’re releasing them.

The Bottom Line

The MIT study documents what security practitioners have suspected: agentic AI is being deployed faster than it’s being secured. Four systems have no documented stop option. Twelve have no usage monitoring. Most disclose nothing about safety testing. As IBM’s X-Force reports AI-accelerated attacks becoming the norm, the gap between agent capabilities and agent control is becoming a liability that enterprises can no longer afford to ignore.


The full MIT AI Index study, “The 2025 AI Index: Documenting Sociotechnical Features of Deployed Agentic AI Systems,” is available at aiagentindex.mit.edu. IBM’s 2026 X-Force Threat Intelligence Index is available at ibm.com/reports/threat-intelligence.


Rogue Security builds runtime behavioral security for agentic AI - providing the execution traces, behavioral monitoring, and control mechanisms that enterprises need when vendor documentation falls short. Learn more at rogue.security.