TrustAI kill switch cuts agent data access in seconds
TrustLogix TrustAI moves AI agent control to the data layer with MCP governance, intent-based authorization, and a runtime kill switch.
- What happened: TrustLogix released the next generation of TrustAI, including a runtime kill switch for enterprise AI agents.
- The May 27, 2026 release bundles intent-based authorization, MCP Data Gateway, Guardian Agent, and audit tooling.
- Why it matters: Agent security control is moving from prompt guardrails toward data-layer authorization.
- TrustAI says it evaluates the user, agent, MCP server, tool call, and data request in one policy path before data access is allowed.
- Watch: The kill switch is only the visible button. The harder work is agent identity, intent classification, bypass detection, and audit evidence quality.
TrustLogix announced the next generation of TrustAI on May 27, 2026. The company describes the product as an "AI Control Plane for the Enterprise," but the more important detail is where it places enforcement. TrustAI evaluates agent requests when they touch enterprise data systems such as Snowflake, Databricks, AWS, Azure, and Power BI, then gives security teams a runtime kill switch that can cut a specific agent's data access in seconds. The release names five main capabilities: intent-based authorization, runtime kill switch, MCP Data Gateway, Guardian Agent, and audit and compliance tooling.
TrustLogix is aiming at the gap between traditional IAM and the AI application layer. IAM systems authenticate people and service accounts, but they usually do not know why an agent behind an application boundary is asking for a dataset. AI platforms manage prompts, model routing, responses, and cost, but they are not the final policy enforcement point for database rows, columns, files, BI datasets, or lakehouse objects. TrustAI calls that missing control point the data layer and says it intercepts agent tool calls and data requests in real time to apply fine-grained policy.
This release stands out because MCP and agent authorization are turning from abstract security concerns into day-to-day operations problems. Developers can build agents with LangChain or LangGraph, attach MCP servers from Cursor, Claude, or ChatGPT-style clients, and rely on data teams that already opened service accounts and roles in Snowflake or Databricks. Once an agent acts for a person, the audit log may only show the service account. It becomes harder to separate the human requester, the agent's declared purpose, and whether the current tool call still fits that purpose.
TrustLogix proposes intent-based authorization as the answer. Its IBAC description says policy should consider not only who the user is and what permissions exist, but why the agent is asking for access. A churn-risk reporting agent may be approved to read customer aggregates, for example, while still being blocked from exporting every customer email or raw payment-related field. In a plain RBAC model, those reads may pass if the backing role is broad enough. In an IBAC model, the stated job, current context, and required resource scope become part of the allow, deny, or escalate decision.
| Control point | Traditional role | Gap in agent deployments | TrustAI claim |
|---|---|---|---|
| IAM | Authenticates users and service accounts | Cannot easily tell why an agent asks for data | Propagates on-behalf-of identity to the data layer |
| AI platform | Manages models, prompts, routing, and cost | Row and column policy enforcement remains elsewhere | Connects agent requests to data policy decisions |
| MCP gateway | Concentrates tool-call traffic | Tool allowlists do not explain data sensitivity or purpose | Evaluates MCP server, tool call, and data request together |
| Audit log | Records who ran which query | May omit the agent, user, purpose, and policy verdict chain | Packages evidence for SOC 2, HIPAA, NIST AI RMF, and ISO 42001 |
The kill switch is the easiest feature to understand and the hardest one to trust without the surrounding identity model. TrustLogix says security teams can cut off a compromised, overprivileged, or out-of-scope agent across connected data platforms without affecting other legitimate agents and users. That last condition matters. Shutting down a whole API gateway or revoking a broad database role can stop an incident quickly, but it also stops normal work. TrustAI is promising narrower containment: pause the risky agent's data access at the data layer.
The product page emphasizes that the kill switch operates at the data layer, not only in front of an API. In practice, that distinction is large. A single agent may use a BI tool, warehouse, vector store, internal API, and file repository in one multi-step task. Blocking one gateway route does not help if another path still reaches the same sensitive data. A policy enforcement point at the data layer is positioned closer to the last decision: should this specific agent, acting for this user and purpose, get this specific data now?
MCP Data Gateway is presented as the upstream choke point. The announcement says every agent, MCP server, tool call, and data request can pass through a unified control plane. The product page describes brokering MCP and A2A traffic, discovering agents and tools, and handling entitlements as allow, deny, or redact decisions. For developers, the operational lesson is that "we attached an MCP server" is not the end of the design. Policy inputs now include which agent is acting, which human user it represents, which tool touches which data store, and whether the returned data will influence the next action.
Human user + agent identity
Agent plan, MCP server, tool call
Intent, ABAC/PBAC/RBAC, risk score
Allow, deny, redact, escalate, kill switch
Guardian Agent is the observability layer between the policy engine and the kill switch. TrustLogix says it builds behavior baselines for each agent and triggers real-time alerts when scope or data access diverges from expected behavior. The release also says Guardian Agent can find and shut down ShadowAI agents that did not follow a formal deployment process. That claim depends on stable agent identification. If several automations share one service account, or if agents run under a developer's personal token, baselines and responsibility boundaries blur quickly.
The audit features target regulated enterprises. TrustLogix lists support for SOC 2, GDPR, HIPAA, NIST AI RMF, ISO 42001, and the EU AI Act, and says teams can export ISO 42001-ready logs, impact assessments, and control evidence. The list is more than a compliance badge. It shows how the audit question changes when agents read, summarize, and pass data into other tools. The question is no longer only "what did the model answer?" It becomes "who, on whose behalf, under which policy, through which data path, was allowed to access this data?"
Recent research points in the same direction. The AgentTrust paper submitted on May 6, 2026 describes modern AI agents as systems that execute real side effects through tool calls, including file operations, shell commands, HTTP requests, and database queries. The paper argues that a single bad action can cause deletion, credential exposure, or data exfiltration, then proposes a runtime safety layer that returns allow, warn, block, or review verdicts before tool execution. TrustAI is a commercial product rather than a research framework, but both define the problem around pre-execution control.
MCP-specific risk is also becoming more visible. The MCPShield paper submitted in April 2026 says MCP has spread quickly as a way to connect LLM agents with external tools and data sources, while still lacking a unified framework for threat modeling and defense. Its abstract cites 97 million monthly SDK downloads and more than 177,000 registered tools. Those numbers need cautious interpretation, but they are enough to treat MCP as more than a small developer experiment. As tool count grows, static allowlists and manual reviews become weaker ways to estimate blast radius.
TrustLogix is entering a crowded market. Microsoft Agent 365 ties agent registry and governance into Microsoft 365, Entra, Defender, and Purview surfaces. Trust3 AI talks about agent discovery through platform APIs, development environment scans, and runtime telemetry. Cyberhaven, Zenity, Straiker, Cloudflare, and Collibra each approach shadow AI, MCP, agent activity, and data access governance from different positions. TrustAI's differentiation is that it foregrounds data access allow and block decisions rather than presenting itself as a full agent lifecycle platform.
For engineering teams, the release creates three concrete implementation questions. First, how should agent identity map to human identity? TrustLogix mentions on-behalf-of credentials, OAuth 2.0, OIDC, JWT, and SAML assertions. In a real deployment, agents need separate service principals while still carrying a human owner and session purpose into audit logs. Second, who defines intent and how often is it updated? A purpose like "create a customer report" may allow too much, while a narrow purpose can interrupt normal automation. Third, after a kill switch fires, who defines the criteria for restoring access?
The technical difficulty is not small. In a multi-step chain, an agent can place tool results back into prompt context, then use those results to drive another tool call. Judging risk from one request's declared intent may miss the cumulative path. Once data has been copied into a RAG index, BI extract, temporary file, cache, or agent memory, blocking the original data layer may not be enough. If the same agent crosses several clouds and SaaS products, connector coverage, policy latency, and fail-open versus fail-closed behavior become product-defining details.
The most practical message in the TrustAI release is not that enterprises need a dramatic red button. It is that a useful red button requires identification and policy work before the incident. To stop an agent, the platform must know which process is an agent, which person and business purpose it represents, and which data request has moved outside the approved scope. Without those inputs, a kill switch looks decisive in a demo but leaves operators unsure which target to shut down during a real incident.
This release also shows how the vocabulary of AI agent security is changing. In 2025, much of the discussion centered on prompt injection, model guardrails, sandboxes, and MCP server allowlists. In 2026, enterprise requirements are moving toward data-layer policy enforcement, per-agent authorization, runtime verdicts, SIEM integration, and ISO 42001 evidence. That is inconvenient for developers because quick agent wiring is no longer enough for production approval. Tool calls need to carry identity, purpose, and evidence from the start.
TrustLogix's announcement does not prove that TrustAI will become the market standard. The public materials do not include customer counts, latency numbers, observed blocking success rates, connector-by-connector limits, or pricing. The direction, however, is clear. Once AI agents touch enterprise data directly, security teams will care less about a prompt transcript than about who authorized the data request and how that authorization can be proved. TrustAI's kill switch is one productized answer. The next round of competition will likely turn on who can discover agents, authorize data access, block risky paths, and produce defensible evidence with the least operational drag.