As of mid-2026, the majority of enterprises running production AI agents cannot terminate a misbehaving agent within their own stated incident-response window, because containment is specified as kill criteria in the risk register rather than built and tested as a runtime control plane with the four primitive actions (purpose binding, kill switch, network isolation, credential revocation). Kiteworks' 2026 Data Security and Compliance Risk Forecast measured the gap at 60% cannot terminate quickly, 63% cannot enforce purpose limitations, 55% cannot isolate networks, with the government-sector figures materially worse. Microsoft Agent 365 with Intune and Defender (GA 1 May 2026, runtime-controls preview from June 2026) is the first major-platform consolidation of the four primitives in a customer-administered control plane, which moves the question from engineering integration to procurement evaluation but does not resolve the cross-platform standardisation gap.
Re-review 10 Jun 2026: every load-bearing figure located verbatim in extracted source text. Kiteworks 2026 Data Security Forecast: '60% cannot quickly terminate an agent that's misbehaving', '63% of organizations cannot enforce purpose limitations on AI agents', '55% cannot isolate AI systems from broader network access'; government-sector worse as claimed ('90% lack purpose binding. 76% lack kill-switch capabilities'). Microsoft security blog (1 May 2026): GA confirmed ('General availability starts today for Agent 365') and 'context mapping capabilities, policy-based controls, plus runtime blocking and alerts will be available in Agent 365 through Intune and Defender public preview in June 2026'. Trigger (4) is now in motion at preview stage on the Microsoft stack only — preview is not GA, and no equivalent has shipped on Vertex/Bedrock/Agentforce/Joule/Now Assist; no trigger threshold crossed. Claim is scoped to the runtime-control-plane reading of the agent containment problem in 2026 enterprise deployments. Does not assert kill criteria are unimportant; asserts the criteria layer is mature and the architecture layer is immature, and that the EU AI Act Article 14 'stop button or similar procedure' language plus the NIST AI RMF Manage function plus the Kiteworks measurement together define a procurement-and-engineering investment most enterprises have not made. 30-day review cadence calibrated to the security-advisory adjacent landscape and the pace at which the Microsoft Agent 365 preview and equivalents are reaching general availability. Trigger conditions: (1) a major agent platform ships a verified one-action kill-and-revoke primitive that the customer can invoke unilaterally with a documented SLA — would move toward Partial because the architecture gap is closing at the platform layer; (2) Kiteworks 2027 or an equivalent enterprise survey shows containment-capable figures crossing 50% — would move toward Partial or Not holding depending on direction; (3) a published 2026 enterprise incident where an agent was terminated successfully through a documented kill-architecture primitive within the stated incident-response window — would confirm the architecture is operationally tractable and shift the discussion from gap to standardisation; (4) Microsoft Agent 365 with Intune and Defender exits preview with verified runtime-blocking and the equivalent capabilities ship in the other major enterprise stacks (Google Vertex AI Agent Builder, AWS Bedrock Agents, Salesforce Agentforce, SAP Joule, ServiceNow Now Assist) — would change the procurement-side path from custom integration to platform-default.
/holding/AM-171/Embed this claimiframe + oEmbed
The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.
Email-me when AM-171's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.
The claim: As of mid-2026, the majority of enterprises running production AI agents cannot terminate a misbehaving agent within their own stated incident-response window, because containment is specified as kill criteria in the risk register rather than built and tested as a runtime control plane with the four primitive actions (purpose binding, kill switch, network isolation, credential revocation). Kiteworks' 2026 Data Security and Compliance Risk Forecast measured the gap at 60% cannot terminate quickly, 63% cannot enforce purpose limitations, 55% cannot isolate networks, with the government-sector figures materially worse. Microsoft Agent 365 with Intune and Defender (GA 1 May 2026, runtime-controls preview from June 2026) is the first major-platform consolidation of the four primitives in a customer-administered control plane, which moves the question from engineering integration to procurement evaluation but does not resolve the cross-platform standardisation gap.
About this register
The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.
Recent corrections in Reporting
- AM-008 · Partial · 17 Jun 2026
Source-text figure re-review: Google's 2024 Environmental Report reports a 28% year-over-year increase to 8.1 billion gallons, not the 33% (from a 6.1 billion 2023 base) asserted at publish. The 8.1B 2024 figure and the Microsoft WUE 0.30 L/kWh / 39%-improvement figure are unchanged and verified. Article corrected to 28% and the unsupported 6.1B base removed; the claim text retains the original figure with this correction per the Holding-up protocol.
- AM-132 · Partial · 10 Jun 2026
One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.
- AM-129 · Partial · 10 Jun 2026
One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.
Reviews coming up in Reporting
- AM-063 · Holding · next +9d (27 Jun 2026)
AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…
- AM-061 · Holding · next +9d (27 Jun 2026)
Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…
- AM-003 · Partial · next +9d (27 Jun 2026)
GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…