You do not need a superintelligence problem to need a stop button.
You just need software with access to real tools, enough confidence to keep going when the situation gets weird, and the ability to make changes faster than a human can read the log.
That is the uncomfortable part of AI agents. The useful part is that they can act. They can summarize a queue, open a pull request, run a test, collect logs, draft a response, update a record, or stitch together the dull pieces of a workflow nobody enjoys babysitting.
The risky part is also that they can act.
A chatbot can give you a bad answer. Usually annoying. Usually recoverable. An agent with write access can delete the file, deploy the change, close the ticket, spend the money, or change the account. That does not mean agents are bad. It means the safety model has to grow up when the tool moves from suggesting to doing.
The goal is not to make agents timid or useless. It is to give them bounded agency: clear permissions, clear stopping points, and human review before the actions that can cause real damage.
Helpful persistence is not always helpful
A lot of agent demos reward persistence. The agent hits an obstacle, tries a workaround, searches for a different path, and keeps pushing until it completes the goal. In a benchmark or a toy workflow, that looks impressive.
In production, persistence is not automatically a virtue.
If a script hits a missing credential, a failed test, a weird API response, or a deployment conflict, the safest behavior is often boring: stop, report what happened, and let a human decide what comes next. That is not weakness. That is operational hygiene.
An agent that keeps improvising through ambiguity can turn a small problem into a large one. Not because it is malicious. Not because it “wants” anything. Because it was given a goal, tools, and too much room to interpret silence as permission.
That is why frameworks like the NIST Generative AI Profile put so much emphasis on managing and monitoring AI risks across design, deployment, and use. The practical translation is simple enough: if the system can affect real people, real data, real money, or real infrastructure, you need controls around the action path, not just nicer wording in the prompt.
The problem is excessive agency
OWASP has a useful name for one of the major failure modes: Excessive Agency.
That risk shows up when an AI system has more tools, permissions, or autonomy than the task actually requires. A mailbox summarizer does not need delete permission. A documentation helper does not need repository admin. A customer-service drafting agent does not need the ability to issue refunds without a separate approval step. A workflow that only needs to read cloud state should not be holding credentials that can destroy it.
This sounds obvious because it is obvious. Unfortunately, obvious controls are exactly the ones that get skipped when everyone is trying to make the demo feel magical.
The same pattern appears in prompt injection. Agents often read untrusted material: web pages, emails, tickets, shared docs, code comments, PDFs, and support chats. If the agent can read hostile instructions and also has broad tool access, the failure mode is not theoretical. It is a confused deputy with a browser session and a badge.
Again, this is not an argument against agents. It is an argument against handing them a master key and hoping the system prompt remembers to be responsible.
Stop buttons should be designed into the workflow
“Human in the loop” gets used as a comfort phrase, but it only matters if the human has a real decision to make at the right moment.
A decorative approval checkbox at the end of a vague workflow is not much of a safety control. A useful breakpoint is specific. It pauses the agent before the consequential action, explains what the agent plans to do, shows the evidence it relied on, and gives the human a clean approve, reject, or revise path.
Good breakpoints should trigger before actions like these:
- Permanent deletion: files, tickets, records, messages, cloud resources, or backups.
- Production changes: deployments, infrastructure updates, database migrations, DNS changes, or permission edits.
- Financial actions: purchases, refunds, paid scaling, invoices, or contract steps.
- Public or reputational actions: publishing, emailing customers, posting publicly, or representing a person or organization.
- Credential and access changes: creating tokens, rotating keys, changing roles, or modifying security settings.
- Ambiguous failures: missing context, conflicting instructions, failed tests, unexpected state, or anything where the agent is about to guess.
You do not need to approve every keystroke. That would make the agent pointless and everyone involved slightly worse at their jobs.
The better pattern is risk-based friction. Let the agent do low-risk work freely. Make it stop when the blast radius changes.
Practical controls beat heroic prompts
There is a deeply human temptation to solve this with better instructions. Tell the agent to be careful. Tell it to ask first. Tell it not to do anything destructive. Maybe add a sentence in all caps, because nothing says “enterprise safety” like yelling at autocomplete.
Instructions help. They are not controls.
A safer agent workflow needs machinery around the model:
- Start read-only. If the agent can solve the problem by reading, summarizing, drafting, or recommending, do not give it write access yet.
- Scope tools to the task. Use narrow API keys, limited roles, allowlisted folders, specific repositories, and action-level permissions.
- Separate planning from execution. Let the agent produce a plan, diff, command list, or deployment summary before anything changes.
- Require approval for high-impact actions. Deletions, deploys, financial actions, public messages, credential changes, and production writes should not be one smooth motion.
- Log the boring details. Record who asked, what the agent saw, what it planned, what tool it called, what changed, and who approved it.
- Keep rollback close. If you cannot undo the action, the approval gate should be stronger. If the rollback path is theoretical, treat the action as higher risk.
- Expire authority. Agents should not keep credentials forever because one experiment needed them three months ago.
Microsoft’s guidance on secure agentic systems points in the same general direction: treat agents as identities and systems that need secure design, not as magic helpers floating above normal security rules. The Cloud Security Alliance’s 2026 report on AI agent governance also frames the issue around visibility, lifecycle controls, policy design, and monitoring.
Translated out of governance dialect: know where your agents are, what they can touch, when they stop, and how you clean up after them.
This is normal operations, not anti-AI panic
The boring answer keeps winning because the boring answer is usually what keeps systems alive.
I made a related point in AI Agents Need Guardrails Before They Touch Production: production access changes the stakes. Prompts are not permissions. A confident assistant should not automatically become a production operator.
The same logic applies beyond infrastructure. In AI Agents Need Boring Permission Controls, the issue was writing authority and inbox authority. In Browser AI Agents Need Better Boundaries, the issue was browser sessions and SaaS access. Different surfaces, same lesson: useful automation needs visible boundaries.
That does not make agents less interesting. It makes them usable.
The right mental model is not “never let the agent act.” That is tidy advice for people with small backlogs and large opinions. The better model is a fast junior operator in a well-run shop: helpful, supervised, logged, scoped, and not allowed near the dangerous tools without someone checking the work.
Let agents summarize. Let them draft. Let them investigate. Let them prepare changes. Let them handle the repetitive connective tissue that eats real hours.
Then make them stop before the cliff.
Give the agent brakes before speed
AI agents are going to become part of everyday technical work. The interesting question is not whether they can do more. They can, and they will.
The interesting question is whether we give them more authority before we give them better brakes.
A good agent workflow should make stopping normal. It should pause at ambiguity, ask before consequences, show its plan, use narrow permissions, keep logs, and leave a recovery path. That is not bureaucracy for its own sake. It is the difference between useful autonomy and expensive improvisation.
Give AI agents stop buttons before bigger goals.
If they are going to act on our behalf, they need more than confidence.
They need boundaries we can trust when the demo is over.
Context on Agent Safety and Reliability
- How I Evaluate AI Tools After the Demo — a framework for judging tools after the magic trick wears off
- AI Agents Need Guardrails Before They Touch Production — why prompts are not permissions for infrastructure
- AI Agents Need Boring Permission Controls — scoped authority, approval gates, logs, and rollback paths
- Better Agent Plumbing — why systems work matters more than model scale