Kill switch
One action that instantly revokes an agent's access across every tool and capability.
A kill switch is the ability to revoke an agent’s access — across every tool, capability, and resource — in a single action. When an agent is misbehaving, compromised, or simply suspected, you shouldn’t have to hunt down and rotate a dozen scattered keys. One switch, and the agent can do nothing.
This is only possible because of the control plane’s architecture. When an agent holds raw API keys, “revoking” it means finding and rotating every key it ever touched — across services, CI variables, and copies you’ve forgotten — and hoping you got them all. When the agent instead acts through a control plane with its own identity and no raw credentials, revocation is instantaneous and total: the plane simply stops authorizing that identity, and every future action is denied in the path.
A real kill switch is immediate (it takes effect on the next action, not the next deploy), complete (it covers every capability at once, not tool by tool), and logged (the revocation itself is an audit event, as is every denied action after it).
The kill switch is the counterpart to provisioning: agents should be created through governed identity (SSO/SCIM) and destroyed just as cleanly. Being able to turn an agent off instantly is what makes it safe to turn one on.
Related terms
Blast radius
The total damage an agent could do if it's compromised, prompt-injected, or simply wrong.
Agent control plane
The layer in the path of every agent action that decides, enforces, and records what each agent can do.
Attribution
Tracing every agent action back through the agent identity to the accountable human who owns it.
Guard
Your business rules, enforced before an agent's action runs — caps, allowlists, approval thresholds, freeze blocks.
Put every agent your company runs under one policy.
Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.