As of mid-2026, the majority of enterprises running production AI agents cannot terminate a misbehaving agent within their own stated incident-response window, because containment is specified as kill criteria in the risk register rather than built and tested as a runtime control plane with the four primitive actions (purpose binding, kill switch, network isolation, credential revocation). Kiteworks' 2026 Data Security and Compliance Risk Forecast measured the gap at 60% cannot terminate quickly, 63% cannot enforce purpose limitations, 55% cannot isolate networks, with the government-sector figures materially worse. Microsoft Agent 365 with Intune and Defender (GA 1 May 2026, runtime-controls preview from June 2026) is the first major-platform consolidation of the four primitives in a customer-administered control plane, which moves the question from engineering integration to procurement evaluation but does not resolve the cross-platform standardisation gap.

Claim is scoped to the runtime-control-plane reading of the agent containment problem in 2026 enterprise deployments. Does not assert kill criteria are unimportant; asserts the criteria layer is mature and the architecture layer is immature, and that the EU AI Act Article 14 'stop button or similar procedure' language plus the NIST AI RMF Manage function plus the Kiteworks measurement together define a procurement-and-engineering investment most enterprises have not made. 30-day review cadence calibrated to the security-advisory adjacent landscape and the pace at which the Microsoft Agent 365 preview and equivalents are reaching general availability. Trigger conditions: (1) a major agent platform ships a verified one-action kill-and-revoke primitive that the customer can invoke unilaterally with a documented SLA — would move toward Partial because the architecture gap is closing at the platform layer; (2) Kiteworks 2027 or an equivalent enterprise survey shows containment-capable figures crossing 50% — would move toward Partial or Not holding depending on direction; (3) a published 2026 enterprise incident where an agent was terminated successfully through a documented kill-architecture primitive within the stated incident-response window — would confirm the architecture is operationally tractable and shift the discussion from gap to standardisation; (4) Microsoft Agent 365 with Intune and Defender exits preview with verified runtime-blocking and the equivalent capabilities ship in the other major enterprise stacks (Google Vertex AI Agent Builder, AWS Bedrock Agents, Salesforce Agentforce, SAP Joule, ServiceNow Now Assist) — would change the procurement-side path from custom integration to platform-default.