AI agent governance: which agents can the company actually switch off, and who owns that?

A vendor shipped an agent control plane on June 23 built around one idea: keep human authority over what agents do. The board question underneath it is simpler than the technology. Which agents can the company stop right now, and who owns that switch?
A vendor launched an agent control plane this week built around a single promise: keep human authority over what agents can do. Strip away the product and what remains is the only AI question a board actually needs answered before Q3. Not how the agents work. Which ones the company can switch off right now, and whose name is on the switch.
On June 23, a company called Zafin launched a platform called AIOS, pitched at banks and other regulated institutions. I read the announcement twice, because underneath the usual launch language there was a sentence that frames the board conversation better than most board decks I have seen this year.
Here is what their CEO, Charbel Safadi, said the thing is for. As PR Newswire reported it on June 23: “Regulated institutions need a way to orchestrate that work while keeping human authority, cost discipline, evidence, and accountability intact.” And then, to PYMNTS the same day, he described what every customer told him they wanted: “Every single one of them has said to me, we need a control plane.”
That is the whole story this week, and it is not really about Zafin. It is about what “a control plane” means once it is said out loud to a board.
What a control plane quietly admits about the agents already running
When a vendor builds a product whose headline feature is “keep human authority over the agents,” it is conceding something: most enterprises currently cannot. Nobody builds a control tower for an airport with no planes. The planes are already in the air.
This was not the only signal pointing the same way. The same week, Google DeepMind published an AI Control Roadmap that treats deployed agents as potential insider threats rather than well-behaved tools, with a supervisor system watching them. Estonia floated giving AI agents their own identification codes so each one traces back to a responsible operator. A vendor, a research lab, and a government arrived at the same instinct in the same few days: the open question is no longer what agents can do, it is whether anyone can stop them.
For a Series C company this lands harder than it does for a startup. Enterprise customers ask governance questions in procurement reviews. An exit may sit on the horizon, where one ugly incident becomes a diligence problem. The control-plane conversation is the thing a buyer’s security team probes, probably this quarter.
An entire product category launched this quarter to sell enterprises the ability to stop their own AI agents. The market does not build that unless the ability is missing in most of the buildings it is selling into.
Why a kill switch on paper is not a kill switch that works
The instinct in most companies is to treat “can we shut it off” as a checkbox in the risk register. Someone writes “kill criteria: defined,” the auditor nods, everyone moves on.
A kill switch written down is not a kill switch that works. There is a real gap between “we have a policy that says we would shut this agent down” and “a named person can revoke this agent’s access in ten minutes without breaking three other systems.”
I keep seeing this confusion, and it is worth naming plainly. Governance, the documents and committees, has moved fast. Containment, the actual ability to stop a specific agent on a specific Tuesday afternoon, has moved slowly. The surveys that try to measure containment are sobering, and in fairness the sharpest numbers come from reports published earlier this year, not this week.
"Only 5% feel confident they could contain a compromised AI agent."
Five percent. Earlier in the year, Kiteworks put adjacent figures on the table: a majority of enterprises said they could not terminate a misbehaving agent quickly, could not enforce what an agent was allowed to do, and could not isolate it on the network. Those are not this week’s numbers, and I would not present them to a board as fresh. But this week’s launches are the supply side answering that demand. When the market starts selling the brakes, it is because enough buyers admitted the car did not have any.
The good news, and there is good news, is that this is a bounded, solvable problem, not an existential one. No transformer architecture required. The work is knowing which agents touch money, data, or customers, and assigning one accountable human to each one’s off switch. That is management, not magic.
A kill switch on paper is a sentence. A kill switch a named person can pull in ten minutes is a control. A board should know which one the company actually has.
Three questions a board will ask, and how to answer them calmly
“Which of our agents could we actually shut down right now?” The honest answer is usually “the ones we built carefully, not the ones that crept in.” Bring a real list, split into two columns: agents with a tested off switch, and agents where stopping them would be improvised. The second column is the quarter’s work. Naming it is not a confession of failure. It is the first competent move in the conversation.
“If we had to stop one, who does it and how fast?” This separates a policy from a capability. The answer a board wants is a name and a number: “Maria, our platform lead, can revoke any production agent’s credentials in under fifteen minutes, and we drilled it last month.” Absent that, the honest answer is an account of what is being done so that the sentence can be said by the next meeting.
“Will buyers and regulators ask us this?” They will, and the week supplies the evidence: a control-plane product launched for regulated institutions on June 23, a major lab publishing an agent-containment roadmap, a government drafting agent identity codes. The direction of travel is clear. Companies that can demonstrate containment clear procurement faster than companies that can only demonstrate enthusiasm.

| What the risk register says | What containment actually requires |
|---|---|
| "Kill criteria: defined" | A named owner per agent |
| "Human in the loop" | A tested path to revoke access in minutes |
| "Agents are monitored" | Isolating one agent without breaking the rest |

The one-minute version of all of this for the board
We run AI agents in production, like most of our peers. The governance question that matters now is not what they do, it is whether we can stop them. There is a list of every production agent, a named owner for each, and a tested way to revoke the high-risk ones in minutes. The agents where that is not yet true are written down with a date next to each. A new category of vendor tooling launched this quarter to help with exactly this, so we are buying into a maturing market, not improvising alone.
That brief does something the usual AI update does not. It sounds like the person who already thought about the hard part, because they did.
What to watch into Q3
Watch whether “agent control plane” becomes a line item buyers ask for by name in the next few enterprise deals. My read is that it will, faster than the documentation-heavy governance asks did, because a kill switch can be verified in a demo and a policy cannot be verified at all. The companies that get ahead of this are not the ones with the most agents. They are the ones who, when someone asks “can you turn that off,” answer with a name instead of a meeting.
Sources
- Zafin Launches AIOS, an End-to-End Platform to Orchestrate and Govern Agentic Work - PR Newswire, 2026-06-23
- Zafin's CEO Wants to Build the Control Tower for Enterprise AI - PYMNTS, 2026-06-23
- Daily AI Agent News - Last 7 Days - AI Agent Store, 2026-06-24
- 2026 CISO AI Risk Report - Saviynt, 2026-04-01
- AI Governance in 2026: Why Boards That Wait Will Inherit an Ungovernable Mess - Kiteworks, 2026-03-31