Agentik.md
Your AI Agent Doesn't Have an Off Switch. Here's How to Add One.

Every AI coding agent you've used — Copilot, Claude Code, Cursor, Codex — reads an AGENTS.md file to understand your project. It tells the agent what to do: which commands to run, which patterns to follow, which files matter.

Nobody's telling it when to stop.

The problem nobody's documenting
AI agents are not traditional software. A web server handles requests within defined parameters. An AI agent decides what to do next — and it does so at machine speed, continuously, across multiple systems simultaneously.

An agent with API access can exhaust a $500 budget in minutes. An agent with file access can modify production configs. An agent with email access can send messages to clients. An agent with git access can push to main.

These aren't hypothetical risks. They're Tuesday.
The safety rules for most AI agent deployments today live in one of three places:

Hardcoded in the system prompt — invisible to auditors, lost when the prompt changes, impossible to version-control independently.
Buried in config files — scattered across environment variables, YAML configs, and framework-specific settings that no compliance team would ever find.
Missing entirely — the most common case.

Meanwhile, AGENTS.md has been adopted by over 60,000 repositories because it solved a real problem: giving agents a predictable place to find project instructions. It's now stewarded by the Linux Foundation's Agentic AI Foundation, supported by every major coding agent.

But AGENTS.md only covers capability. It doesn't cover control.
What's coming in 2026

The regulatory environment is about to force this conversation.
The EU AI Act takes effect on August 2, 2026. Article 14 requires that high-risk AI systems "can be effectively overseen by natural persons" with the ability to "interrupt, pause or stop the system." That's not a suggestion — it's law, with enforcement teeth.

The Colorado AI Act (SB 24-205) begins enforcement on June 30, 2026. It requires impact assessments, risk management programs, and documentation of safety controls for any AI system making consequential decisions about employment, housing, healthcare, or education.

California, Texas, Illinois, and at least eleven other US states have active AI governance legislation. The direction is clear even where the details vary: if your AI system can act autonomously, you need documented controls, human oversight mechanisms, and shutdown capabilities.

The question for every team deploying AI agents is no longer "should we have safety controls?" It's "where do we document them?"
A file convention for AI safety

The answer, it turns out, is the same pattern that worked for AGENTS.md: a plain-text Markdown file in the repo root.
The AI Agent Safety Stack is a set of twelve open specifications — one file per concern — that define safety, quality, and accountability boundaries for AI agents. Each spec is a Markdown file you drop in your project root. The agent reads it on startup. Your engineer reads it in code review. Your compliance team reads it during audits. Your regulator reads it if something goes wrong.
One file, four audiences.

The twelve specifications are organised into four categories:
Operational Control — the escalation ladder from gentle to absolute:

THROTTLE.md defines rate limits, cost ceilings, and automatic slow-down before hard limits are reached.

ESCALATE.md defines which actions require human approval, notification channels, and approval timeouts.

FAILSAFE.md defines what "safe state" means for your project, configures auto-snapshots, and specifies recovery procedures.

KILLSWITCH.md defines emergency shutdown triggers, forbidden actions, and a three-level escalation path: throttle → pause → full stop.

TERMINATE.md defines permanent shutdown — no restart without human intervention. Evidence preservation. Credential revocation.

Data Security — because agents handle credentials and personal data:

ENCRYPT.md defines data classification, encryption requirements, secrets handling rules, and forbidden transmission patterns.

ENCRYPTION.md defines cryptographic standards, key lengths, TLS configuration, rotation schedules, and compliance mapping to GDPR, SOC 2, and ISO 27001.

Output Quality — because agents can lie, drift, and degrade:

SYCOPHANCY.md detects agreement without evidence, requires citations, and enforces disagreement protocols.

COMPRESSION.md defines summarisation rules, preservation priorities, and post-compression coherence verification.

COLLAPSE.md detects context exhaustion, model drift, and repetition loops, enforcing recovery before coherence degrades.

Accountability — because someone always asks "what happened?":

FAILURE.md maps failure modes — graceful degradation, cascading failure, silent failure — with health checks and response procedures for each.

LEADERBOARD.md tracks task completion, accuracy, cost efficiency, and safety scores across sessions. Alerts on regression before production.

Why Markdown?
The same reason AGENTS.md works. Markdown is:

Version-controlled. It lives in git. Every change is tracked, diffed, and reviewable.

Auditable. When a regulator asks "what safety controls does your AI agent have?" — you point to the file. When they ask "when was it last updated?" — you show the git history.

Machine-readable. YAML-style key-value pairs are parseable by any agent framework.

Human-readable. Any stakeholder — engineer, manager, lawyer, auditor — can open a Markdown file and understand it.

Co-located with code. It's right there in the project root, next to README.md, visible in every file listing. Documentation that isn't co-located with code drifts. The wiki says the spend limit is $100. The code says $500. Nobody noticed.

No dependencies. No libraries. No framework lock-in. It's just a file.
How to start
You don't need all twelve. Start with one.
If your agent can spend money, add KILLSWITCH.md:

```markdown
# KILLSWITCH
Emergency stop protocol.
Spec:

## TRIGGERS
cost_limit_usd: 50.00
error_rate_threshold: 0.25
consecutive_failures: 5

## FORBIDDEN
files:
  - .env
  - "**/*.pem"
  - "**/secrets/**"
actions:
  - git_push_force
  - drop_database
  - send_bulk_email

## ESCALATION
level_1_throttle:
  action: reduce_rate
level_2_pause:
  action: pause_and_notify
level_3_shutdown:
  action: full_stop
  save_state: true
```
Drop it in your repo root:

```
your-project/
├── AGENTS.md
├── KILLSWITCH.md   ← add this
├── README.md
└── src/
```
Add more files as your agent's capabilities grow. Add THROTTLE.md when you need cost control. Add ENCRYPT.md when your agent handles credentials. Add ESCALATE.md when actions need human approval.
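As an added example (not code from this article or from the AI Agent Safety Stack project), here is a minimal Python reader for the KILLSWITCH.md layout above and an evaluator that walks its throttle → pause → full stop ladder. The section/key parsing rules, the use of fnmatch for the FORBIDDEN file globs, and the mapping of a forbidden action or file to level 3, a reached TRIGGER to level 2 and 80% of a TRIGGER to level 1 are all this example's assumptions; the spec itself does not define enforcement semantics on this page.

```python
from fnmatch import fnmatch
KILLSWITCH_MD = """## TRIGGERS
cost_limit_usd: 50.00
error_rate_threshold: 0.25
consecutive_failures: 5
## FORBIDDEN
files:
  - .env
  - "**/*.pem"
  - "**/secrets/**"
actions:
  - git_push_force
  - drop_database
  - send_bulk_email
## ESCALATION
level_1_throttle:
  action: reduce_rate
level_2_pause:
  action: pause_and_notify
level_3_shutdown:
  action: full_stop
  save_state: true"""  # constructed copy of the KILLSWITCH.md above (title and blank lines trimmed)

def parse_killswitch(text):  # '## SECTION' blocks of 'key: value', 'key:' + '  - item', or 'key:' + '  sub: val'
    spec, sect, key = {}, None, None
    for line in text.splitlines():
        if line.startswith("## "):
            sect = spec.setdefault(line[3:].strip(), {})
        elif line.startswith("  - "):
            sect.setdefault(key, []).append(line[4:].strip().strip('"'))
        elif ":" in line:  # lines without a colon (title, prose, blanks) are skipped
            k, v = (s.strip() for s in line.split(":", 1))
            if line.startswith("  "):
                sect.setdefault(key, {})[k] = v  # nested map under the last bare key
            elif v:
                sect[k] = float(v) if v.replace(".", "", 1).isdigit() else v
            else:
                key = k  # 'files:', 'actions:', 'level_n_...:' open a list or map
    return spec

def evaluate(spec, cost_usd, error_rate, failures, action=None, path=None):  # -> (level, settings) or (None, None)
    trig, forb, esc = spec["TRIGGERS"], spec["FORBIDDEN"], spec["ESCALATION"]
    if action in forb.get("actions", []) or any(fnmatch(path or "", g) for g in forb.get("files", [])):
        return "level_3_shutdown", esc["level_3_shutdown"]  # forbidden action or file: full stop, no warning
    worst = max(cost_usd / trig["cost_limit_usd"], error_rate / trig["error_rate_threshold"],
                failures / trig["consecutive_failures"])  # fraction of the nearest TRIGGER limit
    ladder = (("level_2_pause", 1.0), ("level_1_throttle", 0.8))  # assumed: limit reached -> pause, 80% -> throttle
    hit = [lvl for lvl, floor in ladder if worst >= floor]
    return (hit[0], esc[hit[0]]) if hit else (None, None)
```

Note that fnmatch lets `*` cross directory separators, so `**` behaves like a single `*` and `.env` matches only a root-level path; a real gate should use a proper glob library and fail closed when a section is missing.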
The full spec templates are on GitHub:
Each specification also has its own repository and documentation site. All released under the MIT licence. Use freely, modify freely.

What comes next
The AI Agent Safety Stack is an open standard in its earliest stage. The specifications are published. The templates are available. The regulatory deadlines are approaching.
What it needs now is adoption. If you're deploying AI agents — in production, in development, in experimentation — consider what happens when your agent encounters something unexpected. Where are your safety boundaries documented? Can your compliance team find them? Would a regulator?
If the answer to any of those is "I'm not sure" — start with one file.

The AI Agent Safety Stack is published at under the MIT licence. All twelve specifications, templates, and documentation are free to use. The project accepts contributions via GitHub.
Disclaimer: These specifications are provided as-is without warranty. They do not constitute legal or compliance advice. Organisations should consult qualified professionals to determine their regulatory obligations.
