Emergency Stop and Kill-Switch Design for Agents

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-agentic-agent-emergency-stop-design-creators

1. What is the primary purpose of a kill switch in an agentic system?

   1. To log all agent decisions for later review
   2. To allow users to pause an agent temporarily for debugging
   3. To optimize agent performance under load
   4. To immediately disable agent action across all running instances

2. Why should in-flight tasks be drained safely rather than terminated mid-step when a kill switch is triggered?

   1. Because agents automatically retry failed tasks anyway
   2. Because safe draining is faster than immediate stopping
   3. Because mid-step termination uses more CPU resources
   4. Because abrupt termination can leave system state inconsistent or corrupt data

3. Which of these is a fundamental limitation that no kill switch design can overcome?

   1. It cannot stop agents running on disconnected devices
   2. It cannot undo actions the agent already took
   3. It cannot be triggered remotely without network access
   4. It cannot distinguish between intentional and accidental agent behavior

4. What does the lesson mean by listing 'every entry point' for an agent when designing a kill switch?

   1. The documentation website where users learn about the agent
   2. Every code path, API endpoint, and background process that can trigger agent action
   3. Only the APIs exposed to external services
   4. Only the main user interface where humans interact with the agent

5. What is a circuit breaker in the context of agent safety design?

   1. A physical switch that cuts power to servers
   2. A pattern that stops repeated failed operations and prevents further attempts
   3. A tool that automatically restarts crashed agents
   4. A backup database that preserves agent state

6. If a kill switch is triggered but fails to stop some running instances, what is the most likely cause?

   1. The agent password was changed recently
   2. The network is too slow to deliver the signal
   3. The instances are running on older hardware
   4. The kill switch wasn't checked at one or more entry points

7. What does 'blast-radius limits' refer to in emergency stop design?

   1. The physical size of the server room
   2. The time limit before an agent automatically times out
   3. The maximum number of agents that can run simultaneously
   4. Constraints on which systems or data the agent can access when running

8. Why does the lesson recommend running quarterly chaos drills for kill switches?

   1. To train the on-call team to respond faster
   2. Because untested kill switches often fail when actually needed
   3. To satisfy regulatory compliance requirements
   4. To keep agents from becoming too predictable

9. What mechanism should trigger when a kill switch is activated to alert human operators?

   1. The agent should send a confirmation email to the admin
   2. The kill switch should log the event to a file for later review
   3. The system should page the on-call team immediately
   4. The system should display a popup on the main dashboard

10. What does exposing a kill switch through an environment flag enable?

    1. Faster agent execution speed
    2. Consistent kill signal across all instances without code changes
    3. Encrypted communication between agents
    4. Automatic agent restarts after crashes

11. A kill switch cannot stop instances running in caches you don't control. What does this imply about security boundaries?

    1. You need to control or have agreements with all caching layers
    2. Cached instances are always safe and don't need stopping
    3. Caches should never be used with agents
    4. You must design agents to work without cached state

12. When designing a kill switch, why is documenting the failure mode for missed entry points important?

    1. For regulatory compliance and audit trails
    2. To calculate how much money the failure will cost
    3. To understand what unsafe behavior could still occur if the switch fails
    4. To train new developers on the codebase

13. What type of signal should a kill switch expose to ensure it works across all agent instances?

    1. A single API endpoint that each instance polls
    2. A message queue that delivers stop commands
    3. A shared configuration flag or environment variable
    4. A database table that stores kill status

14. What happens if you design a kill switch but never test it after initial deployment?

    1. The agent will learn to respect the kill switch
    2. It becomes more reliable over time
    3. It will work exactly as designed indefinitely
    4. Infrastructure changes likely broke it without anyone noticing

15. Why is it insufficient to only protect the main user interface when implementing an agent kill switch?

    1. Main interfaces rarely cause safety issues
    2. Protecting only one entry point is more efficient
    3. User interfaces are already secure by default
    4. Agents can be triggered via APIs, webhooks, scheduled tasks, and message queues