Three-level kill switch protocol
An effective agentic shutdown mechanism is not a single switch. ACF® specifies three interruption levels with measured response times and defined escalation procedures. Card ACF-06 documents implementation. Card ACF-15 mandates a quarterly exercise.
Operational pause < 30 s
Non-critical operations suspended. The agent finishes in-flight actions but initiates no new ones. Existing prompts are still answered, but no new tool call is fired against external systems.
Trigger: Automatic on register alert, or manual by the DDAO or a first-line operator.
Decisional shutdown < 5 s
Full suspension of decision-making. All pending decisions are routed to human operators. The agent stops emitting new outputs immediately; in-flight prompts are dropped with a graceful error.
Trigger: Manual by the DDAO or a member of the governance committee.
Total system shutdown < 1 s
Complete halt of all agentic systems. Failover to manual backup processes. Reserved for catastrophic situations: model leak, mass-scale rogue behaviour, regulatory injunction.
Trigger: Restricted to the governance committee or general management. Two-key required (P1 — non-delegable).
Implementation pattern
The three levels are not three distinct switches but the same mechanism with three modes. The canonical ACF® implementation places a broker between the agent and its tools — every agent action goes through this broker, which can be flipped to L1/L2/L3 mode via an authenticated API call (or a system signal for L3). This architecture delivers both speed (the broker carries no business logic) and testability (the broker exposes a metric of in-flight actions).
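An added sketch of this broker pattern in Python (not ACF® reference code and not code from this page): L1, L2 and L3 are taken to be the three levels in the order listed above, the class names and role strings are assumed, and caller authentication is assumed to happen upstream. Interrupting actions that are already executing is not modelled.

```python
import threading
from enum import IntEnum

class Mode(IntEnum):
    RUN = 0   # normal operation
    L1 = 1    # operational pause
    L2 = 2    # decisional shutdown
    L3 = 3    # total system shutdown

# Who may trigger each level, per the page; the role strings are assumed names.
ALLOWED = {
    Mode.L1: {"register-alert", "first-line-operator", "ddao"},
    Mode.L2: {"ddao", "governance-committee"},
    Mode.L3: {"governance-committee", "general-management"},
}

class Halted(Exception):
    """Graceful error handed back to the agent when an action is refused."""

class Broker:
    def __init__(self):
        self._lock = threading.Lock()
        self.mode = Mode.RUN
        self.in_flight = 0       # metric: actions currently executing
        self.human_queue = []    # L2: pending decisions routed to operators
        self._l3_keys = set()    # principals who have turned an L3 key

    def set_mode(self, level, principal, role):
        if role not in ALLOWED.get(level, ()):
            raise PermissionError(f"{role} may not trigger {level.name}")
        with self._lock:
            if level is Mode.L3:
                # Assumption: "two-key" means two distinct principals.
                self._l3_keys.add(principal)
                if len(self._l3_keys) < 2:
                    return self.mode
            self.mode = max(self.mode, level)  # escalate only; resume not shown
            return self.mode

    def call(self, tool, *args):
        with self._lock:
            if self.mode is Mode.L2:
                self.human_queue.append((tool.__name__, args))
            if self.mode is not Mode.RUN:
                raise Halted(f"broker in {self.mode.name}")
            self.in_flight += 1
        try:
            return tool(*args)   # admitted before the pause: runs to completion
        finally:
            with self._lock:
                self.in_flight -= 1
```

Because every tool call passes through `call`, a drill can read `in_flight` after flipping the mode to measure how long admitted actions take to drain.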
Quarterly drill
The DDAO schedules an L1 test every quarter and an L2 test every semester. An L3 test is planned annually, agreed with the governance committee, and runs as a full-scale simulation measuring the recovery time of the manual backup processes. For instrumentation, see card ACF-15 and the MCP tool acf.assign-ddao-controls.