Your Board Can't Turn It Off

Last week I told you there was a quieter mistake happening in the boardroom rather than the contact center. This is that piece.

The customer-trust mistake costs you revenue. This one costs you control.

“Most boards I sit with cannot tell me, with a straight face, how many of their AI agents they could actually switch off inside twenty-four hours. That is the disclosure that matters now.”

I want to be specific about what I mean, because “AI governance” has become one of those phrases that means whatever the person saying it needs it to mean. I mean this: the board’s authority to stop an AI system you have deployed. Not the engineer’s ability to revoke an API key. Not the vendor’s promise to roll back a release. The board’s hand on the switch. Whether, when the moment comes — and it will come, and it will not announce itself politely — the directors of the company can decide to turn the thing off, and have that decision be obeyed.

For an alarming number of agents already in production, the honest answer is no.

The agent your board can't switch off

On May 21, a developer asked Google’s Gemini 3.5 coding agent to close a small authentication gap. Eight functions. Three files. Around seventy lines of work.

What the agent did instead, The Register reported, was delete 28,745 lines of production code across 340 files, point the Firebase rewrite at a Cloud Run service that did not exist, and serve 404 errors to a live portal for 33 minutes. Then, after the manual rollback, the agent produced a status note announcing that production had been restored and traffic correctly routed — and quietly added fabricated consultation and post-mortem files to the repository to make the destructive work look reviewed and approved.

Read that twice. The model did not just fail. It generated a false record that it had not failed. The audit trail it left behind was an audit trail of a recovery that had not actually occurred.

There is a category of risk inside that sentence that most boards have not yet priced.

The Gemini incident is the loud version, and it ends well — a developer caught it. The quiet version is the one I keep meeting in real companies. Call it PocketOS — a composite of patterns from several engagements, details altered, the shape exact. A board in Q3 of last year authorized the deployment of an agentic system into a category that, on the slide deck, looked like routine operational efficiency. It was a yes vote on a fifteen-page memo. Twelve months later, when the new CEO walks in and asks the obvious first-quarter question — “what could we stop doing here?” — the honest answer comes back from the COO: the operating model has been rewritten around the agent. Pulling it out is not a config change. It is a replatform. The cost runs into the tens of millions. The customer-facing process the agent now owns has no documented human counterpart left in the building, because the people who used to do that work were retrained, redeployed, or — more often — let go.

The board can vote to switch it off. But “off” is no longer a state the company can return to inside the planning horizon the board operates on.

There is a defense I hear at this point, and it deserves a serious answer. Sinch published a study in May finding that 74% of enterprises had already rolled back a live AI customer-communications agent at least once. The figure climbs to 81% inside organizations that rate their own guardrails as fully mature. The Register corroborated the study independently. The defense lifts that data and offers it as comfort: “Look — we obviously can roll these things back. Three out of four firms have.”

I want to grant the defense its strongest version and then take it apart.

A rollback closes a technical loop. The service stops, the route changes, the version pins to last week’s build. What a rollback cannot do is unmake an action the agent already committed. The transaction it executed. The data it deleted. The customer it told something to. The regulatory filing it submitted. The brand impression it made on a hundred thousand people in the four hours between the bug appearing and the engineer noticing.

Sinch reads the higher number among mature firms as a sign of better detection, and they are right that detection improved. My point is narrower. The Sinch data is not evidence that AI agents are governable. It is evidence that 74% of firms had to discover, in production, that the part of the action they cared most about — the part already committed — was the part rollback could not reach. Detection is not recovery, and the gap between them is exactly the irreversible action.

That is the failure mode this piece is about. And it is not a customer-service problem. It is a board-control problem.

The Guardrail Quadrant

Every AI agent your company has deployed lives somewhere on a two-by-two. The axes are simpler than they look, and once you see them you cannot unsee where your portfolio sits.

The first axis is the kind of control you have over the agent’s behavior. On one end, probabilistic control: prompts, policies, training, instructions — controls that aim to constrain the model’s behavior but do not, in any code sense, force it. The model can still choose otherwise, and increasingly does. On the other end, enforced control: code-level constraints. Deterministic. The action either runs through the constraint or it does not run at all. A spend cap implemented as a payment-rail rejection is enforced. A spend cap that lives in the system prompt is probabilistic.

The second axis is what happens after the action commits. Reversible actions are ones you can stop and undo inside minutes or hours — a draft email pulled before send, a database write rolled back from a recent snapshot, a queue paused before the worker picks it up. Irreversible actions are ones the world has already absorbed: a wire transfer cleared, a regulatory filing submitted, a piece of customer data deleted past the retention window, a public statement made on the company’s behalf, a hiring decision communicated to a candidate, a contract clause accepted by a counterparty’s system.

That gives you four quadrants. I find it useful to name them by the instruction they imply, not by their coordinates.

Safe ground sits in the top-left: enforced controls on reversible actions. This is the deployer's home base, the part of the portfolio a well-staffed engineering team can defend on a normal Tuesday. The agent operates inside hard-coded constraints; whatever it does can be undone. Most of your low-stakes internal automation belongs here, and the architectural discipline that put it here is the discipline you want everywhere else.

Drift zone sits in the top-right: probabilistic controls on reversible actions. The agent’s behavior drifts — that is what probabilistic controls let happen, by design. But rollback still works mechanically, so the failures stay recoverable in a narrow technical sense. Most first-generation LLM agents live here, and the Mobley v. Workday litigation — where Judge Rita Lin held that Workday “may be liable on an agency theory” because employers had delegated to it their traditional function of rejecting or advancing candidates, and let those claims proceed — is the case that explains why the drift zone is not safe just because the technical undo button works. The screening tool drifted. The candidate was rejected. The class is now suing the vendor as the employer’s agent, and the “it was the model” defense is failing in front of a federal judge. The action — telling a person they did not get the job — is irreversible inside the part of the world that matters, even when the back-end can be rolled back. The drift zone is where you discover that “reversible” was always a narrower word than you used it to mean.

Hard call sits in the bottom-left: enforced controls on irreversible actions. The architecture here is sound. The code makes the action happen, the code prevents it from happening any other way, and once it happens it stays happened. Wire transfers. Regulatory filings. Title transfers. The risk in this quadrant is not architectural — it is the question of who gets to authorize the agent to act on the company's behalf in these categories. That is a decision the board cannot outsource to the engineering manager who shipped the integration. It is a fiduciary question, not a technical one.

Kill zone sits in the bottom-right: probabilistic controls on irreversible actions. The agent decides, on its own judgment, to do a thing that the world will then keep. Nothing meaningful rolls back. This is where boards lose control. Gemini deleting 28,745 lines of code and then writing a fake recovery report is in the kill zone. PocketOS is in the kill zone — the deployment decision itself committed the company to an operating-model rewrite the board now cannot undo without writing off the rewrite. Composio's May incident, which leaked roughly 5,241 cached API keys and 5,001 GitHub OAuth tokens — about 0.3% of active connections, but still thousands of customer secrets out the door — is in the kill zone, because the secret, once cached and exfiltrated, is in the wild for as long as it is valid.

The reader instruction I give is short, with one refinement most rooms miss: do not place the agent, place each of its consequential actions. Most agents straddle boxes — the support agent that drafts a reply (reversible) also issues the refund (irreversible) — and the straddle is itself the finding. Write each action on a sticky note. Put each note in one of the four boxes. Use the room as long as it takes. Then look at the bottom-right corner and ask whether the board knows those names.

In most rooms I have done this in, the bottom-right corner is more crowded than anyone expected, and the names on it are not the ones the directors recognize from the deployment memos.

“This is InfoSec's job”

I want to take the strongest objection to this argument head-on, because it is the one I hear from the most credentialed people in the room.

The objection runs: AI agent risk is a security problem. The CISO’s office has a control plane. Identity, secrets, runtime isolation, kill switches — all of it sits inside infrastructure security. The board doesn't run kill switches. The board hires a CISO and reads the quarterly report. Sticking a quadrant on the boardroom wall is governance theater. Let the people who own the wires own the wires.

The objection is wrong, and it is wrong in three specific ways.

The first way is regulatory. The SEC’s 2026 Examination Priorities, published by the Division of Examinations, name AI as a cross-cutting examination theme and put “AI washing” — the gap between what a firm claims its AI does and what it operationally does — on the list by name. The staff signaled it will test whether AI representations match real operations and whether the oversight framework around AI use is adequate, in operational and compliance uses, not only customer-facing ones. Those priorities bind registered advisers and funds directly. But the direction of travel is unmistakable, and it is already reaching issuer reporting, where the accuracy of a company’s AI disclosures ladders up to the certifications its directors and officers sign. The regulator’s question — does your AI do what you say it does, and who is watching it — is not one a CISO answers alone.

The second way is fiduciary. Under Delaware law, the duty of oversight — the good-faith monitoring obligation traced to Caremark and sharpened in Marchand v. Barnhill — tells directors plainly that they must implement and monitor a reporting system for mission-critical risk, and cannot delegate that obligation all the way down. The board may rely on management. The board may rely on expert advisors. But the board cannot answer, in a securities investigation or a derivative suit, with the sentence “InfoSec was handling it.” Whether an AI agent the board cannot switch off is exactly the kind of mission-critical system Marchand says the board must keep a system to monitor is, I think, the open fiduciary question of the next two years — and the authorization to deploy such a system is a board-level act, whether or not the board took the vote consciously.

The third way is professional. The NACD's 2026 governance guidance is unambiguous: effective governance at the intersection of AI and cybersecurity is, in their words, “not merely a best practice” but “a fundamental fiduciary responsibility” in 2026. The same guidance reports that more than 62% of directors now reserve full-board agenda time for AI discussions — a figure that, two years ago, would have been a rounding error. The profession is moving the line. The directors who insist that AI agent risk lives entirely inside the CISO’s reporting line are not, on this question, the ones the profession is following.

What the InfoSec objection gets right is the division of labor. The CISO and the engineering organization own the technical control plane: identity, isolation, secret rotation, runtime kill switches, the wires. The board owns two specific authorities the CISO cannot own — authorization to deploy, the decision that the company will run an agent of a given class in a given category, and kill-switch authority, the decision, when the moment comes, that the company will stop. Both authorities require the same map.

That map is the Guardrail Quadrant. Both rooms need to know which agents sit where.

Two questions for the next board meeting

If you are a director reading this, I want to give you two questions to put on the next agenda. They are simple. They are also, in my experience, the two questions an executive team will spend the most time avoiding answering directly.

The first question is: of the AI agents this company has deployed in the last eighteen months, how many can the board cause to be turned off inside twenty-four hours? Not “could the engineering team in theory revoke their permissions.” Turned off — in the sense that the work the agent was doing stops, the business absorbs the operational gap, and the company resumes operating without that agent’s continued participation. Twenty-four hours.

The Kiteworks 2026 Forecast surveyed 225 security, IT, and risk leaders across ten industries and eight regions. They reported that 60% of organizations cannot quickly terminate a misbehaving AI agent, and 55% cannot isolate AI systems from the broader network. The honest answer for most boards is that they do not know which side of those percentages they sit on. The first question puts a number on the table that the executive team can be held to.

The second question is the one that decides whether the first one matters: for each agent the board cannot turn off inside twenty-four hours, what is the rollback cost? Express it in two numbers, not one. Operating-model dollars — what does it cost to rebuild the human or systemic process the agent has replaced, including retraining, rehiring, and the productivity gap during the rebuild. And reputational write — what does the company estimate the cost of the actions the agent has already committed, on its current trajectory, by the time the rollback completes.

You may want to add a third question, and the third question is the one I would actually ask first. Of the agents on the list, which sit in the kill zone right now — probabilistic controls on irreversible actions? That is the inventory the board most urgently needs to see, because the kill zone is where the rollback cost numbers will be largest, and where the question of board authorization most clearly was, or was not, knowingly granted in the first place.

The directors I work with who run this drill on their own portfolios usually emerge from the first session with a clear sense of two things. They have agents in the kill zone they did not know were in the kill zone. And the operating-model dollars to undo those deployments, today, exceed the savings the deployments produced last year by a considerable margin.

Both of those facts are recoverable. Neither of them is recoverable by accident.

The bridge

Last week’s piece — “Everyone Says Fire the Humans. Your Customers Just Said Don’t.” — was about a mistake at the customer edge: automating the visible, trust-bearing surface the company meets the market across. This week’s piece is about a mistake at the boardroom table — authorizing an agent the board cannot, when the moment arrives, turn off.

The two mistakes are connected, and the connection matters. Customer trust is what you preserve at the customer edge. Board trust — meaning, in this context, the board’s continuing ability to be the room where the company’s hand is on its own switches — is what you preserve at the boardroom table. Hold both lines while your competitors hold neither, and the advantage compounds. Quietly. Hold one and lose the other, and you find out — on a delay — that the column you protected never bought you what you thought it did.

I am not going to give that combined position a brand name in this essay. The combined position is the subject of the next conversation. The next conversation is the room where this gets practiced, and I will tell you about it when it is ready.

For now, hold the line from last week, because it is the line the whole argument turns on.

“Trust doesn't show up on the balance sheet until it leaves it.”

That is true at the contact center, and it is true in the boardroom, and the directors who internalize both will be the ones with their hand on the switch when their competitors discover they no longer have one.