Keeping an agent that acts on its own under control needs three distinct capabilities: knowing which model is operating, understanding why it behaves the way it does, and being able to stop or correct it while it runs. The three do not share the same level of maturity, and the asymmetry between them is currently the tightest constraint for anyone shipping agentic systems to production.

Context

By “agent” here I do not mean a model that generates text. I mean a model inside a loop: it receives a goal, picks which tools to call, looks at the results and repeats. The difference from a single inference is that the consequences of its decisions accumulate and propagate through external tools — a mailbox, a database, a payment endpoint.

The OWASP taxonomy for LLM applications, in the revision of 18 November 2024, promoted this problem to a category of its own: LLM06:2025 — Excessive Agency. It distinguishes three roots: excessive functionality (the agent reaches tools that fall outside its task), excessive permissions (those tools run with broader privileges than needed) and excessive autonomy (high-impact actions proceed with no human in the loop). The explicit recommendation is to run extensions in the user’s security context and to keep authorisation in external systems, rather than delegating it to the model.

It is worth laying the countermeasures out across three phases: identification, diagnosis, intervention. Technical maturity drops sharply from the first to the third.

Identification

Knowing which model is answering behind an application is the most studied of the three problems, because it can be framed as an ordinary classification task.

LLMmap (Pasquini, Kornaropoulos, Ateniese, arXiv:2407.15847, July 2024) builds an active fingerprinting method: it sends a handful of carefully crafted queries and analyses the responses. The authors report that with as few as 8 interactions the method recognises 42 distinct model versions with over 95% accuracy, and that the signature stays readable across different application layers — varying system prompts, sampling hyperparameters, RAG, chain-of-thought. What matters for governance is the symmetry, not the attack itself: the same technique an adversary uses to profile a service serves an auditor to confirm that a provider is in fact serving the declared model.

On the intrinsic side, REEF (Zhang et al., arXiv:2410.14273, October 2024) compares the internal representations of two models on the same inputs via centred kernel alignment, and holds up against sequential fine-tuning, pruning, model merging and neuron permutations. HuRef (Zeng et al., NeurIPS 2024) produces a human-readable fingerprint that recognises the base model without interfering with training or exposing the parameters.

In practice, black-box identification (from the outside, via queries) and white-box identification (on the weights) are both available, with published, reproducible results. This phase is the most solid.

Diagnosis

Understanding why an agent behaves the way it does is less advanced, and the difficulty grows with the subtlety of the behaviour to be detected.

Some behaviours already have a measurable literature. Sycophancy — the tendency to confirm the user’s beliefs at the expense of correctness — is documented systematically by Sharma et al. (arXiv:2310.13548, October 2023), who detect it in five assistants across realistic tasks: feedback skewed by preferences, revising correct answers when the user pushes back, conformity on open questions, repeating the user’s mistakes. A reusable benchmark (SycophancyEval) exists, with public datasets. Here diagnosis is a score over an observable behaviour.

The problem changes nature when the behaviour to be diagnosed is strategic. Telling a model that is wrong apart from a model that deliberately produces a misleading output does not reduce to a single score on the output: it needs assumptions about the internal state. The interpretability literature moves in that direction, but we are far from a dependable tool that tells us, in production and in real time, whether an agent is deceiving.

For multi-agent systems diagnosis grows harder still, because a problematic behaviour can arise from the interaction and not sit in any single component. Assigning blame — which agent, which tool call, which decision caused a given outcome — is largely an open problem: distributed tracing over non-deterministic entities.

The critical point

Intervention is the least mature phase, and it is exactly the one every safety guarantee rests on. A kill switch is trivial if the agent is a process I control: I terminate it. It stops being trivial the moment the agent has already propagated effects — it has sent the email, written to the database, started the payment. Terminating the process does not undo consequences that have already gone outside.

This is why the OWASP recommendations and the structure of NIST AI 600-1 (Generative AI Profile, July 2024) move the control point upstream: rather than rely on the ability to stop the agent afterwards, they constrain ex ante what the agent can reach — least privilege, authorisation in external systems, a human in the loop for high-impact actions. It is a defensive engineering choice that concedes the limit without saying so: reliable containment of an agent that has already acted is not a primitive one can take for granted.

The asymmetry between the three phases is the point. We identify well, diagnose partially and unevenly, intervene little and late. A safety guarantee is worth as much as its weakest link, and the weakest link is the last one.

Implications

For anyone designing an agentic system the consequence is a priority order inverted from intuition. It is worth investing first in reducing the action surface — which you control by construction — and only afterwards in behavioural detectors, which yield probabilistic signals. A deception detector with false negatives does not replace a permission that simply is not there.

On external verification, fingerprinting gives something concrete right away: confirming that the served model matches the declared one, regardless of the provider’s assurances. It is an audit capability already within reach, and underused relative to what it could do.

On this same three-phase split noze has set up DebugABot, a deep-tech research project that turns identification, diagnosis and intervention into nine operational primitives: https://www.noze.it/en/insights/debugabot/.

Limits

Three things should not be taken for granted. Fingerprinting techniques already have matching attacks that erode their reliability, so robust identification is a race, not a fixed result. Diagnosis of strategic behaviour has no tool today that holds up in production, and treating its absence as temporary is a bet. And the term “kill switch” describes a simple action only as long as the effects stay inside the controlled system: for everything else, safety is decided by the permissions granted beforehand, not by the switch pressed afterwards.


https://arxiv.org/abs/2407.15847 https://arxiv.org/abs/2410.14273 https://proceedings.neurips.cc/paper_files/paper/2024/file/e46fc33e80e9fa2febcdb058fba4beca-Paper-Conference.pdf https://arxiv.org/abs/2310.13548 https://github.com/meg-tong/sycophancy-eval https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-generative-artificial-intelligence

Cover image: Large red mushroom-shaped emergency stop button mounted on machinery, in close-up against a blurred background — photo by Angus Fraser, CC BY 2.0 — https://commons.wikimedia.org/wiki/File:Big_red_emergency_stop_button_(2972000481).jpg