The Problem Is Architectural
Every autonomous trading system eventually gets a kill switch. It looks something like this:
# Typical software kill switch
import os
import sys

if os.getenv("KILL_SWITCH") == "1":
    agent.halt()  # `agent` is the running trading agent object
    sys.exit(0)

The problem is not the implementation. The problem is the threat model. A kill switch that runs in the same process as the agent — or even the same host — can be bypassed. Not necessarily by the agent acting maliciously, but by:
- A race condition between the check and the execution
- A bug that corrupts the halt signal
- An adversarial prompt injection that suppresses the check
- The risk management service crashing before the agent does
These are not hypothetical. They are documented failure modes from production algorithmic trading systems. When the thing you are trying to halt is the same process evaluating whether to halt, you have a logical contradiction.
Why the Kill Switch Belongs at the Signing Layer
Every consequential agent action — submitting a trade, moving funds, signing a transaction — requires a cryptographic signature. No signature, no action. This is the enforcement point you want.
AI Agent
    │
    ▼  (trade decision)
Order Queue
    │
    ▼  (signing request)
┌─────────────────────────────────┐
│ Nitro Enclave (Sentinel)        │
│                                 │
│ 1. Policy evaluation            │
│ 2. Kill switch check            │
│ 3. Rate limit enforcement       │
│ 4. Value cap verification       │
│ 5. Sign (or reject)             │
└─────────────────────────────────┘
    │
    ▼  (signed transaction)
Market

The signing key exists only inside the enclave. The agent never touches it directly. The enclave code is attested by AWS Nitro hardware — you can verify that the running code matches the expected hash before deploying. If the kill switch is activated, the enclave rejects all signing requests. The agent can still run, reason, and queue decisions — it just cannot act.
The Sentinel Architecture
Sentinel is ZeroCopy's signing enclave. It runs as an AWS Nitro Enclave sidecar alongside your agent container. Communication happens over a vsock — no network interface, no attack surface.
Policy is configured at deploy time and updated via an authenticated control plane. The enclave evaluates every signing request against the current policy before producing a signature.
# sentinel-policy.yaml
policy:
  version: 3
  kill_switch: false
  rate_limits:
    signs_per_minute: 1000
    signs_per_hour: 50000
  value_caps:
    per_transaction_usd: 500000
    daily_cumulative_usd: 10000000
  sanctions:
    ofac_screening: true
    custom_blocklist: []
  allowed_destinations:
    - "0x742d35Cc6634C0532925a3b8D4C9C2B4..." # Treasury
    - "0x8ba1f109551bD432803012645Hac136..." # Counterparty A

Activating the Kill Switch
The kill switch is a policy field. Flipping it to true causes the enclave to reject all signing requests with a POLICY_HALT error until explicitly deactivated. The agent receives the rejection — it cannot override it.
# Activate kill switch
zcp kill-switch activate --reason "Risk threshold breached"

# Verify all signing is blocked
zcp sign --message "0xdeadbeef"
# Error: POLICY_HALT — kill switch active since 2026-04-02T14:33:00Z

# Check current policy state
zcp policy status
# kill_switch: ACTIVE
# activated_at: 2026-04-02T14:33:00Z
# reason: Risk threshold breached

# Deactivate when safe to resume
zcp kill-switch deactivate --reason "Manual review complete"

Verifiable Policy Proofs
Every signing request — whether approved or rejected — generates a Verifiable Policy Proof (VPP). This is a cryptographically signed record of what policy was active, what constraints were evaluated, and what the outcome was.
{
  "request_id": "req_8x7k2m",
  "timestamp": 1743600000,
  "outcome": "SIGNED",
  "policy_version": 3,
  "kill_switch_active": false,
  "constraints": [
    {"type": "rate_limit", "result": "PASS", "current": "42/1000 per min"},
    {"type": "value_cap", "result": "PASS", "value": "$12K < $500K"},
    {"type": "sanctions", "result": "PASS", "screened": true}
  ],
  "enclave_attestation": "hEShATgioFRRmEBQ..."
}

The attestation field is an AWS Nitro attestation document. Any third party — your auditor, your counterparty, a regulator — can verify that this proof was generated by genuine Nitro hardware running attested code. Logs can be deleted. VPPs cannot be forged.
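An auditor-side consistency check over a batch of VPP records, added here as an example and not ZeroCopy's code. It assumes each record's attestation document has already been verified separately, that policy versions only increase over time, and that any outcome other than SIGNED is a rejection; the sample records, the REJECTED outcome value and the function name audit_vpps are constructed for illustration.

```python
import json

# Constructed sample VPPs shaped like the record above; attestation values are placeholders.
SAMPLE_VPPS = json.loads("""[
 {"request_id": "req_a", "timestamp": 100, "outcome": "SIGNED", "policy_version": 3,
  "kill_switch_active": false, "enclave_attestation": "PLACEHOLDER",
  "constraints": [{"type": "rate_limit", "result": "PASS"},
                  {"type": "value_cap", "result": "PASS"}]},
 {"request_id": "req_b", "timestamp": 110, "outcome": "SIGNED", "policy_version": 3,
  "kill_switch_active": true, "enclave_attestation": "PLACEHOLDER",
  "constraints": [{"type": "rate_limit", "result": "PASS"}]},
 {"request_id": "req_c", "timestamp": 120, "outcome": "SIGNED", "policy_version": 2,
  "kill_switch_active": false, "enclave_attestation": "PLACEHOLDER",
  "constraints": [{"type": "value_cap", "result": "FAIL"}]},
 {"request_id": "req_d", "timestamp": 130, "outcome": "REJECTED", "policy_version": 3,
  "kill_switch_active": true, "enclave_attestation": "", "constraints": []}
]""")

def audit_vpps(vpps):
    """Return (request_id, finding) pairs for records that contradict themselves."""
    findings = []
    highest_version = None
    for vpp in sorted(vpps, key=lambda v: v["timestamp"]):
        rid = vpp.get("request_id", "?")
        signed = vpp.get("outcome") == "SIGNED"
        failed = [c["type"] for c in vpp.get("constraints", [])
                  if c.get("result") != "PASS"]
        if signed and vpp.get("kill_switch_active"):
            findings.append((rid, "signed while kill switch active"))
        if signed and failed:
            findings.append((rid, "signed despite failed constraint: " + ",".join(failed)))
        if not vpp.get("enclave_attestation"):
            findings.append((rid, "missing attestation document"))
        version = vpp.get("policy_version", 0)
        if highest_version is not None and version < highest_version:
            findings.append((rid, "policy version rolled back"))  # assumed invariant
        else:
            highest_version = version
    return findings
```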
The Fail-Closed Guarantee
Traditional software kill switches fail-open: if the risk management service crashes, the agent keeps trading (the check never fires). Sentinel is fail-closed by design: if the enclave cannot be reached, signing fails. There is no fallback path.
This is a deliberate architectural choice. An agent that cannot sign when the policy engine is unavailable is safer than an agent that trades freely when oversight is offline.
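The signing-layer checks and the fail-closed caller described above, modelled in Python as an added example; this is not ZeroCopy's code. PolicyGate, UnreachableGate, request_signature and every reason code except POLICY_HALT are hypothetical names, the destination is a placeholder, and the per-minute limit is lowered from the page's 1000 so the demo can reach it.

```python
import time
from collections import deque

# Constructed policy mirroring fields of sentinel-policy.yaml (values are illustrative).
POLICY = {
    "kill_switch": False,
    "signs_per_minute": 2,
    "per_transaction_usd": 500_000,
    "allowed_destinations": {"0xTREASURY_PLACEHOLDER"},
}

class PolicyGate:
    """Hypothetical stand-in for the enclave-side decision made before signing."""
    def __init__(self, policy):
        self.policy = policy
        self.recent = deque()  # timestamps of approved signs in the last 60 s

    def evaluate(self, dest, value_usd, now=None):
        now = time.monotonic() if now is None else now
        p = self.policy
        if p["kill_switch"]:  # checked first so that every request is halted
            return "POLICY_HALT"
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        if len(self.recent) >= p["signs_per_minute"]:
            return "RATE_LIMIT"
        if value_usd > p["per_transaction_usd"]:
            return "VALUE_CAP"
        if dest not in p["allowed_destinations"]:
            return "DESTINATION"
        self.recent.append(now)
        return "SIGNED"

class UnreachableGate:
    """Simulates the enclave being offline."""
    def evaluate(self, *args):
        raise ConnectionError("vsock connect failed")

def request_signature(gate, dest, value_usd, now=None):
    """Caller side: failing to obtain a decision is itself a rejection (fail-closed)."""
    try:
        outcome = gate.evaluate(dest, value_usd, now)
    except Exception:  # unreachable or crashed enclave: there is no fallback signer
        return False, "UNAVAILABLE"
    return outcome == "SIGNED", outcome
```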
Getting Started
# Install the ZeroCopy CLI
curl -fsSL https://zerocopy.systems/install.sh | sh

# Initialize Sentinel with a policy config
zcp init --policy sentinel-policy.yaml

# Run attestation to verify enclave integrity
zcp attest verify

# Your agent now routes signing through Sentinel
# No code changes required — drop-in replacement for AWS KMS

The kill switch is active from day one. You configure the thresholds. The hardware enforces them.