
The Kill Switch for Rogue AI Agents: How Security Teams Are Taking Back Control


Why AI Agents Now Need an Off Switch

AI agent security controls are the technical and governance mechanisms that define, restrict, and revoke what autonomous AI agents can do inside enterprise systems, including their permissions, identities, and kill switches, in order to prevent them from turning into rogue agents that operate outside intended boundaries. The rush to deploy agentic AI has outpaced security engineering; most agents are wired directly into code repositories, knowledge bases, and SaaS tools with few guardrails. ServiceNow’s leaders describe many of these agents as “mini engineers” able to browse the internet, read private data, and write code once given a goal. That combination can deliver big productivity gains while expanding the attack surface beyond what legacy governance frameworks can handle. Zero trust AI governance is emerging as the response, shifting the focus from model performance to strict control over actions, identities, and access paths.


The Lethal Trifecta and the Case for Deny by Default

Enterprise AI safety conversations are converging on what NVIDIA’s Adel El Hallak calls the “lethal trifecta”: unfettered internet access, an internal knowledge base, and a coding terminal inside a single autonomous agent. Each capability alone is routine; together, and running at machine speed, they create a path for data exfiltration, buggy code deployment, or shadow integrations. To contain this, ServiceNow and NVIDIA argue that deny by default permissions must become the norm. Instead of giving agents wide access and then stripping it back after incidents, security teams start from zero and add only the actions an agent needs. Every file read, API call, or tool use is explicitly granted and logged. Applied consistently, this deny-by-default security model aligns AI agent behavior with established zero trust patterns for human users, but with tighter, machine-enforced boundaries.

Open Shell, Agent Identity, and Deterministic Control

ServiceNow and NVIDIA’s Open Shell project shows how deny-by-default AI agent security controls can work in practice. Open Shell sits as a secure runtime between AI agents and enterprise infrastructure, treating every new agent like an untrusted identity. When an agent spins up, it has no permissions; security teams must grant specific, scoped actions, such as reading a particular database or calling a defined API. Joe Davis describes this as wrapping a probabilistic reasoning engine with a deterministic harness. The agent can propose any action, but the runtime enforces policy at execution time. An AI agent might decide to update a salary record in Workday, yet its identity either carries that permission or it does not. This clear identity model lets security teams stop rogue-agent scenarios at the authorization layer while preserving the flexibility of agent reasoning.

Okta’s License to Kill: Identity-Driven Kill Switches

Identity platforms are turning deny-by-default theory into operational controls. Okta reports that 92 percent of executives see moderate or widespread use of autonomous AI agents, but only 22 percent say those agents have identities tied to them. That gap leaves many agents running on static tokens and fragile integrations. ServiceNow pressed Okta for an explicit kill switch for rogue AI agents: the ability to sever access tokens and logical connections when agents break policy. According to Okta CEO Todd McKinnon, the company’s strength is cutting those authorization-layer links to back-end systems. ServiceNow’s AI Control Tower monitors agent behavior and, on detecting a policy breach, can trigger remediation across multiple identity systems, including Okta for token revocation and Veza for permissions changes. Together, they give security teams a practical off-switch for misbehaving agents.
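The deterministic harness from the Open Shell section and the identity-driven kill switch described here, combined in one added example (not Open Shell's, ServiceNow's or Okta's code): an agent identity starts with no grants, every proposed action is checked against explicit (tool, resource) grants and logged, and repeated out-of-scope attempts trip a kill switch that revokes the identity. The class and tool names, the grant format and the breach threshold are assumptions for illustration.

```python
# Added example (not Open Shell's, ServiceNow's or Okta's code): a deny-by-default
# harness with an audit log and an identity kill switch. Names/threshold are assumed.
from dataclasses import dataclass, field

@dataclass
class AgentIdentity:
    name: str
    grants: set = field(default_factory=set)  # explicitly granted (tool, resource) pairs
    revoked: bool = False
    denials: int = 0

class PolicyHarness:
    """Deterministic layer between a probabilistic agent and enterprise tools."""
    def __init__(self, breach_threshold=3):
        self.audit = []  # (agent, tool, resource, decision) for every proposed action
        self.breach_threshold = breach_threshold

    def grant(self, agent, tool, resource):
        agent.grants.add((tool, resource))  # start from zero, add scoped actions only

    def kill(self, agent):
        """Kill switch: revoke the identity so every later action is denied."""
        agent.revoked, agent.grants = True, set()
        self.audit.append((agent.name, "kill_switch", "*", "revoked"))

    def execute(self, agent, tool, resource, handler):
        if agent.revoked:
            decision = "denied:revoked"
        elif (tool, resource) in agent.grants:
            decision = "allowed"
        else:
            decision = "denied:no-grant"
        self.audit.append((agent.name, tool, resource, decision))
        if decision == "allowed":
            return handler(resource)
        agent.denials += 1
        if agent.denials >= self.breach_threshold and not agent.revoked:
            self.kill(agent)  # repeated out-of-scope attempts count as a policy breach
        return None

def run_demo():  # constructed scenario: one agent holding a single read grant
    harness = PolicyHarness(breach_threshold=2)
    agent = AgentIdentity("triage-bot")
    harness.grant(agent, "db.read", "tickets")
    tool = lambda res: f"rows from {res}"  # stand-in for a real connector
    results = [harness.execute(agent, "db.read", "tickets", tool),   # allowed
               harness.execute(agent, "hr.write", "salary", tool),   # denied (1)
               harness.execute(agent, "shell.run", "deploy", tool),  # denied (2): kill
               harness.execute(agent, "db.read", "tickets", tool)]   # denied: revoked
    return results, agent.revoked, [entry[3] for entry in harness.audit]
```

The audit trail is the detection input: an AI Control Tower-style monitor would watch the denial decisions and call `kill()` (or the equivalent token revocation in the identity provider) rather than relying on the in-harness threshold alone.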

From Governance Gap to Zero Trust AI Adoption

The lack of mature agent controls has become a central barrier to enterprise AI adoption and trust. Development teams may stitch agents into GitHub or Jira using static tokens, but security leaders see an expanding blast radius with little oversight. Zero trust AI governance reframes the problem: agents must authenticate as first-class identities, start with deny by default permissions, and remain subject to continuous monitoring and revocation. Platforms such as ServiceNow’s AI Control Tower, Open Shell, Okta, and Veza show a model where AI agents share the same lifecycle discipline as human users: onboarding, scoped access, logging, and rapid deprovisioning. As kill switches and deny-by-default patterns spread, enterprises can move beyond experimental pilots and treat agentic AI as a managed, auditable part of their infrastructure, rather than an optimistic experiment running on borrowed trust.

