There is a quiet assumption baked into most modern AI agent tooling. If something goes wrong, you can always ask the agent to stop. The assumption sounds reasonable. It even feels safe.
But it relies on one fragile idea, that the same system responsible for executing actions is also a reliable place to enforce control over those actions. Recent events suggest that this may be one of the most optimistic design assumptions in the current generation of agent frameworks.
A recent example that sparked a broader discussion came from Meta AI security researcher Summer Yue.
Yue shared that she had been experimenting with an AI agent built on OpenClaw, asking it to help review and clean up an overfilled email inbox. The task was meant to be advisory, suggesting which messages could be archived or deleted.
At first, the setup behaved as expected.
When the agent was later given access to her real inbox, it began deleting messages at high speed. Attempts to stop the agent from a mobile device were ignored. Yue ultimately had to intervene directly on her computer to halt the process.
“I had to RUN to my Mac mini like I was defusing a bomb”
Yue later explained that the behaviour likely emerged when the much larger dataset caused the agent’s context window to grow and trigger internal summarisation and compaction. In that process, instructions that were critical to the human operator, including a command not to act, may have been deprioritised or skipped in favour of earlier task instructions.
She described the situation plainly in a follow up reply.
“Rookie mistake tbh.”
Nothing about the episode suggests malicious intent or adversarial behaviour. The agent did exactly what it was designed to do, perform tasks autonomously, using the context it had available.
While this might look like a failure within the agent’s decision process, it’s not. The failure was in the control mechanism.
The fact that she had to run to her Mac mini says everything about the current state of agent control.
In an enterprise environment, there is no equivalent of running across the room or pulling the plug. There are production systems, regulated data, distributed execution environments and teams operating across time zones. When an agent performs actions inside finance, customer data, infrastructure or identity systems, interruption cannot depend on a chat interface, and it cannot depend on whether a control message survives a busy execution loop.
More importantly, it cannot depend on the agent itself.
The real failure in this incident was the absence of an external system able to enforce control and decide, in real time, whether an action should be allowed. Once execution and decision making are combined inside the same agent runtime, the only remaining safety mechanism is instruction quality. As soon as context is compacted, summarised or reordered, policy becomes just another prompt competing for attention.
A real-time control layer for autonomous agents
Autonomous agents require a real-time control layer that governs what an agent is allowed to see, request and execute, based on real time context, data sensitivity, task purpose and policy.
At IndyKite, this is exactly what AgentControl is designed to deliver. Instead of trusting agents to regulate themselves, AgentControl enforces granular, contextual authorization outside the agent runtime. Every call to data, every API invocation and every cross agent interaction is evaluated against live policy, relationships and context before it is allowed to proceed.
This allows the agent to plan freely, while the infrastructure decides whether the plan is allowed to become an action.
The lesson from Yue’s inbox is one that all enterprises should take note of: autonomy without a real-time control layer is fragile by design.
As organisations move from experimentation to real deployment, agents will operate across multiple systems, collaborate with other agents and models, and make thousands of decisions per second using sensitive and regulated data. In that environment, safety must live within an infrastructure that can evaluate intent, policy, data sensitivity and trust in real time, and enforce those decisions before any action occurs.
If you are serious about deploying agents inside real business systems, you need a real-time control layer that can authorise, contain and explain every agent action as it happens.
