
Stop Agents When They Step Out of Line: New Controls for Autonomous AI


Over the past year, nearly every enterprise leader has begun the process of building an AI agent. Most teams can spend an afternoon standing up an autonomous AI agent that can reason, call tools, and talk to customers. The real bottleneck is the absence of controls that let security, FinOps, and operations confidently sign off on an active production use case.

The same question keeps surfacing from operations leaders: “If an agent misbehaves or gets caught in an execution loop, what do we do?” On most platforms, the answer is to redeploy the entire runtime, which is too slow when an incident is hitting your customers at that moment or a rogue agent is burning through your monthly token budget in minutes.

New governance control capabilities

To address this, we’re excited to introduce a set of new governance control capabilities within MuleSoft Omni Gateway built to solve this exact problem: Agent Kill Switch, Secret References, and a control mechanism for metered, governed access to different LLMs.

Stop any agent the moment it goes off-script: Agent Kill Switch

The Agent Kill Switch provides operators the precise override they need at enterprise production scale. When an agent misbehaves, whether it’s hallucinating in front of a customer or getting stuck in a costly tool-call loop, you don’t have to pull down your entire infrastructure.

Instead, the Kill Switch gives you extensive control and flexibility:

  • Surgical precision: You can halt a single request, a specific session, an individual agent, or, in a true break-glass scenario, a whole tenant. You never have to choose between letting a rogue agent run and shutting down your entire system
  • Graceful or immediate shutdowns: Choose a soft stop that allows in-flight work to drain cleanly, or a hard stop that terminates traffic to the agent instantly
  • Always reversible: Every intervention can be undone with a simple ‘Restore’ command, returning the agent to the exact state it was in right before the freeze, no manual data repairs required. A false positive costs you a few seconds, not a weekend of remediation
  • Audit-grade by default: Every kill action writes a tamper-evident, hash-chained record detailing who triggered it, the scope, and what it affected. This ensures you comfortably meet strict documentation standards, such as those required by the EU AI Act
  • Triggerable where your team already works: Fire it directly from the console, ServiceNow, Slack, Microsoft Teams, or via a direct API. When an on-call engineer gets notified on a Saturday afternoon, they can take action from the communication channel they are using in the moment to respond to the incident

Agent Kill Switch enforces constraints at the credential and identity layer, not just at the network gateway. When you kill an agent, we instantly revoke its tokens and block the credentials it relies on. The kill order holds, even if the agent tries to evade it.
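To make the mechanics above concrete, here is a constructed model of a scoped, reversible kill switch. It is an added example, not MuleSoft Omni Gateway code, and every name in it (KillSwitch, register_agent, admit, verify_chain, the agent registry) is an assumption of the example. It shows the four scopes from the bullet list, soft versus hard stops, a Restore that lifts the freeze, credential blocking at the identity layer so a fresh token cannot evade an agent-level kill, and a hash-chained audit record whose integrity can be re-verified.

```python
# Constructed illustration (not MuleSoft Omni Gateway code): a scoped, reversible
# kill switch that also revokes credentials and keeps a hash-chained audit trail.
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import Dict, List, Set, Tuple

GENESIS = "0" * 64
# Scope name -> the RequestContext attribute it is matched against.
SCOPE_ATTR = {"request": "request_id", "session": "session", "agent": "agent", "tenant": "tenant"}

@dataclass(frozen=True)
class RequestContext:
    tenant: str
    session: str
    agent: str
    request_id: str
    token: str

@dataclass
class AuditRecord:
    actor: str
    action: str          # "kill" | "restore"
    scope: str           # a key of SCOPE_ATTR
    target: str
    mode: str            # "soft" | "hard", or "-" for a restore
    tokens_affected: int
    ts: float
    prev_hash: str       # hash of the previous record (GENESIS for the first)
    hash: str = ""

    def digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class KillSwitch:
    def __init__(self) -> None:
        self.freezes: Dict[str, Dict[str, str]] = {s: {} for s in SCOPE_ATTR}  # scope -> target -> mode
        self.blocked_tokens: Set[str] = set()
        self.audit: List[AuditRecord] = []
        self.agents: Dict[str, Tuple[str, Set[str]]] = {}  # hypothetical registry: agent -> (tenant, tokens)

    def register_agent(self, agent: str, tenant: str, tokens: Set[str]) -> None:
        self.agents[agent] = (tenant, set(tokens))

    def _tokens_in_scope(self, scope: str, target: str) -> Set[str]:
        """Credentials to revoke: one agent's tokens, or every agent's within a tenant."""
        if scope == "agent":
            return set(self.agents.get(target, ("", set()))[1])
        if scope == "tenant":
            return {t for ten, toks in self.agents.values() if ten == target for t in toks}
        return set()  # request/session stops are enforced at the gateway only

    def _record(self, **fields) -> AuditRecord:
        prev = self.audit[-1].hash if self.audit else GENESIS
        rec = AuditRecord(ts=time.time(), prev_hash=prev, **fields)
        rec.hash = rec.digest()
        self.audit.append(rec)
        return rec

    def kill(self, actor: str, scope: str, target: str, mode: str = "hard") -> AuditRecord:
        if scope not in SCOPE_ATTR or mode not in ("soft", "hard"):
            raise ValueError(f"bad scope/mode: {scope}/{mode}")
        self.freezes[scope][target] = mode
        tokens = self._tokens_in_scope(scope, target)
        self.blocked_tokens |= tokens  # enforce at the identity layer, not only the network edge
        return self._record(actor=actor, action="kill", scope=scope, target=target, mode=mode,
                            tokens_affected=len(tokens))

    def restore(self, actor: str, scope: str, target: str) -> AuditRecord:
        if self.freezes[scope].pop(target, None) is None:
            raise KeyError(f"{scope} {target} is not frozen")
        tokens = self._tokens_in_scope(scope, target)
        self.blocked_tokens -= tokens
        return self._record(actor=actor, action="restore", scope=scope, target=target, mode="-",
                            tokens_affected=len(tokens))

    def admit(self, ctx: RequestContext, in_flight: bool = False) -> Tuple[bool, str]:
        """Gateway decision: soft stops let in-flight work drain, hard stops cut it off."""
        for scope, attr in SCOPE_ATTR.items():
            value = getattr(ctx, attr)
            mode = self.freezes[scope].get(value)
            if mode == "hard":
                return False, f"hard stop on {scope} {value}"
            if mode == "soft" and not in_flight:
                return False, f"soft stop on {scope} {value}: draining, no new requests"
        if not in_flight and ctx.token in self.blocked_tokens:
            return False, "credential revoked"
        return True, "ok"

    def verify_chain(self) -> bool:
        """Recompute every hash and back-link; editing any record breaks the chain."""
        prev = GENESIS
        for rec in self.audit:
            if rec.prev_hash != prev or rec.digest() != rec.hash:
                return False
            prev = rec.hash
        return True
```

The ordering in `admit` is the design point: scope freezes are checked before the token, so a soft stop refuses new requests while `in_flight=True` work drains, a hard stop refuses everything, and a blocked credential is refused even when the agent changes session or request id.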

Control spend and scope access from a single control point

While Agent Kill Switch gives you emergency control, you also need day-to-day boundaries to keep your agents from inadvertently running up massive bills.

We’re introducing a budget-enforcement layer between your agents and the models they draw on. Each access point carries a pre-paid budget that can’t be overrun, so a team, app, or agent can only spend what you’ve allocated, with no surprises at the end of the month. Set hard limits at whatever level you need, and track actual token cost as it accrues, not just call volume, so you can see where the money is going while there’s still room to act on it.

There’s also cost control and spend governance that will lead to a collective sigh of relief for your finance teams:

  • Enforce fine-grained budgetary limits: You can set real-time token or dollar budgets per access point. When an agent hits that ceiling, the request is actively refused, so you catch the overage instantly rather than discovering it on next month’s surprise invoice
  • Identity-driven enforcement: Apply strict limits by user, role, group, custom JWT claim, or even HTTP headers for callers operating outside of OAuth. The right boundaries follow the right identity
  • Tier-aware by design: If you offer tiered services like Titanium, Diamond, and Gold, the Model Wallet respects them natively. Your highest-value customers automatically get the rate ceilings and model access they were promised, without requiring bespoke engineering per client
  • Real-time visibility: See exactly where your AI spends, across every single access point, as it happens

The end result is visibility most enterprise teams still lack: what each agent is spending, and against which budget, becomes visible the moment it happens. From there you can answer the question most of them still can’t: which team is driving cost, against which budget, right now, across the whole estate.
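The budget layer described in this section can be modelled in a few classes. The following is an added example, not MuleSoft code: the model names, placeholder prices, tier entitlements, the default tier for callers without a tier claim, and the class names (ModelWallet, Caller, Decision) are all assumptions. It shows budgets in either tokens or dollars keyed on user, role, group, JWT claim or HTTP header, a tier check for model access and a per-request ceiling, an authorize step that refuses at the budget boundary, and a spend report that reads the same counters the enforcement uses.

```python
# Constructed illustration (not MuleSoft code) of identity-keyed, tier-aware LLM
# budget enforcement; model names, prices, tier limits and class names are assumed.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

PRICE_PER_1K = {"provider-a/large": 0.010, "provider-a/small": 0.001}  # placeholder USD prices

@dataclass(frozen=True)
class Tier:
    models: frozenset            # models this tier is entitled to call
    max_tokens_per_request: int  # per-request rate ceiling

# Tier names come from the text; their entitlements here are constructed.
TIERS = {
    "titanium": Tier(frozenset(PRICE_PER_1K), 32_000),
    "diamond": Tier(frozenset(PRICE_PER_1K), 8_000),
    "gold": Tier(frozenset({"provider-a/small"}), 4_000),
}
DEFAULT_TIER = "gold"  # assumption: callers without a tier claim get the lowest tier

@dataclass
class Budget:
    limit: float
    unit: str      # "usd" or "tokens"
    spent: float = 0.0

@dataclass
class Caller:
    """Identity attributes a gateway can key budgets on."""
    user: str
    role: str
    group: str
    claims: Dict[str, str] = field(default_factory=dict)   # e.g. JWT claims
    headers: Dict[str, str] = field(default_factory=dict)  # for callers outside OAuth

@dataclass
class Decision:
    allowed: bool
    reason: str
    cost_usd: float = 0.0

class ModelWallet:
    def __init__(self) -> None:
        self.budgets: Dict[Tuple[str, str], Budget] = {}   # (selector, value) -> Budget
        self.ledger: List[Tuple[str, str, int, float]] = []  # (user, model, tokens, usd)

    def set_budget(self, selector: str, value: str, limit: float, unit: str = "usd") -> None:
        self.budgets[(selector, value)] = Budget(limit, unit)

    @staticmethod
    def _identity_keys(c: Caller) -> Iterator[Tuple[str, str]]:
        """Every (selector, value) pair this caller could be budgeted by."""
        yield "user", c.user
        yield "role", c.role
        yield "group", c.group
        for k, v in c.claims.items():
            yield f"claim:{k}", v
        for k, v in c.headers.items():
            yield f"header:{k.lower()}", v

    def _applicable(self, c: Caller) -> List[Tuple[Tuple[str, str], Budget]]:
        return [(k, self.budgets[k]) for k in self._identity_keys(c) if k in self.budgets]

    @staticmethod
    def _cost(model: str, tokens: int) -> float:
        return tokens / 1000 * PRICE_PER_1K[model]

    def authorize(self, c: Caller, model: str, est_tokens: int) -> Decision:
        """Pre-flight: tier entitlement first, then every budget the identity matches."""
        tier = TIERS.get(c.claims.get("tier", DEFAULT_TIER))
        if tier is None:
            return Decision(False, "unknown tier claim")
        if model not in tier.models:
            return Decision(False, f"model {model} not in tier entitlement")
        if est_tokens > tier.max_tokens_per_request:
            return Decision(False, f"exceeds tier ceiling of {tier.max_tokens_per_request} tokens")
        cost = self._cost(model, est_tokens)
        for (sel, val), b in self._applicable(c):
            charge = cost if b.unit == "usd" else est_tokens
            if b.spent + charge > b.limit:  # refuse now, rather than on next month's invoice
                return Decision(False, f"budget {sel}={val} exhausted: "
                                       f"{b.spent:.4f} + {charge:.4f} > {b.limit} {b.unit}", cost)
        return Decision(True, "ok", cost)

    def record_usage(self, c: Caller, model: str, actual_tokens: int) -> float:
        """Debit the actual token cost of a completed call to every matching budget."""
        cost = self._cost(model, actual_tokens)
        for _, b in self._applicable(c):
            b.spent += cost if b.unit == "usd" else actual_tokens
        self.ledger.append((c.user, model, actual_tokens, cost))
        return cost

    def spend_report(self) -> Dict[str, float]:
        """Real-time view of spend per budget, in that budget's own unit."""
        return {f"{sel}={val}": b.spent for (sel, val), b in self.budgets.items()}
```

Two choices matter for a production version of this pattern. The pre-flight uses an estimate and the debit uses actual usage, so a burst of concurrent calls can still overshoot by the sum of their estimates; a reservation that is settled after the call closes that gap. And a caller matching several budgets is debited against all of them, so a team ceiling and a per-user ceiling both hold without either knowing about the other.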

Give an agent autonomy, never the keys: External Vault and Secret References

The last piece guards the keys to your enterprise platforms: provider credentials that too often sit in plaintext configs or scattered across the platform. To make Agent Kill Switch and metered model access work securely, we built a Zero-Copy secrets architecture through External Vault and Secret References.

MuleSoft now integrates natively with the vaulting infrastructure you already trust, whether that’s AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. When your credentials are required by a Mule app or agent, we fetch them just-in-time, hold them exclusively in volatile memory, and wipe them the exact moment access is revoked. This list isn’t fixed. We’re adding supported vaults quickly, so the sources you can reference secrets from will keep growing.

We are also ensuring that your developers never touch raw API keys. Through Secret References, they reference a stable, abstract URI, such as sm://vault/openai-production. The LLM Proxy never actually sees the raw credential; it only interacts with the reference.

This layer of indirection completely changes day-two operations:

  • Rotate keys across your entire fleet in seconds: Update the secret inside your own vault, and every LLM Proxy referencing it automatically pulls the new value on its next call. No code changes, no messy redeployments, and zero downtime
  • Switch providers without rewriting a single line of code: Point your reference from OpenAI to Anthropic, and every agent using it flips instantly. Just like that, vendor lock-in stops being a strategic risk
  • Audit every single interaction: Every time a reference is resolved, it’s logged with the calling identity, the reference used, and a precise timestamp. Plaintext values never touch your logs or monitoring tools

For your security team, the math is simple: there is no sprawling secret attack surface to worry about, and no hard-coded keys to manually rotate.
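The indirection this section describes, and the rotation, provider-switch and audit properties listed in the bullets above, can be demonstrated with a small resolver. This is an added example, not MuleSoft code: the reference grammar (`<backend>://<path>`, matching the `sm://vault/openai-production` shape the text uses), the InMemoryVault stand-in for a real secrets backend, and the class names (SecretHandle, SecretResolver, LLMProxy, ProxyRoute) are assumptions. A proxy route holds only a reference; the value is fetched from the vault per call, kept in one mutable buffer, zeroed after use or on revoke, and audited by identity, reference and timestamp without ever writing the plaintext.

```python
# Constructed illustration (not MuleSoft code) of Secret References resolved
# just-in-time from a vault; the URI grammar, InMemoryVault and class names are assumed.
import hashlib
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

REF_RE = re.compile(r"^(?P<backend>[a-z]+)://(?P<path>[A-Za-z0-9_./-]+)$")  # assumed grammar

class InMemoryVault:
    """Stand-in for AWS Secrets Manager, Azure Key Vault or HashiCorp Vault."""
    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, int]] = {}  # path -> (value, version)

    def put(self, path: str, value: str) -> int:
        version = self._store.get(path, ("", 0))[1] + 1
        self._store[path] = (value, version)
        return version

    def get(self, path: str) -> Tuple[str, int]:
        return self._store[path]  # KeyError when the secret does not exist

class SecretHandle:
    """Plaintext lives in one mutable buffer that wipe() zeroes; repr() shows only a
    fingerprint. Caveat: CPython cannot guarantee copies made by expose() are zeroed."""
    def __init__(self, ref: str, value: str, version: int) -> None:
        self.ref, self.version = ref, version
        self._buf = bytearray(value.encode())
        self.fingerprint = hashlib.sha256(self._buf).hexdigest()[:12]

    def expose(self) -> bytes:
        if not self._buf:
            raise PermissionError(f"{self.ref} has been revoked")
        return bytes(self._buf)

    def wipe(self) -> None:
        for i in range(len(self._buf)):
            self._buf[i] = 0
        del self._buf[:]

    def __repr__(self) -> str:
        return f"<SecretHandle {self.ref} v{self.version} fp={self.fingerprint}>"

@dataclass
class ResolveEvent:  # audit entry: identity, reference, timestamp; never the value
    ts: float
    caller: str
    ref: str
    version: int
    fingerprint: str

class SecretResolver:
    def __init__(self, backends: Dict[str, InMemoryVault]) -> None:
        self.backends = backends
        self.audit: List[ResolveEvent] = []
        self._live: Dict[str, List[SecretHandle]] = {}  # ref -> handles not yet wiped

    def resolve(self, ref: str, caller: str) -> SecretHandle:
        m = REF_RE.match(ref)
        if not m or m["backend"] not in self.backends:
            raise ValueError(f"unusable secret reference: {ref!r}")
        value, version = self.backends[m["backend"]].get(m["path"])
        h = SecretHandle(ref, value, version)
        self._live.setdefault(ref, []).append(h)
        self.audit.append(ResolveEvent(time.time(), caller, ref, version, h.fingerprint))
        return h

    def release(self, h: SecretHandle) -> None:
        h.wipe()
        if h in self._live.get(h.ref, []):
            self._live[h.ref].remove(h)

    def revoke(self, ref: str) -> int:
        """Wipe every live copy of a reference, e.g. the moment its agent is killed."""
        handles = self._live.pop(ref, [])
        for h in handles:
            h.wipe()
        return len(handles)

@dataclass
class ProxyRoute:
    provider: str
    secret_ref: str

class LLMProxy:
    """Routes carry references, never credentials; the key exists only for one call."""
    def __init__(self, resolver: SecretResolver) -> None:
        self.resolver = resolver
        self.routes: Dict[str, ProxyRoute] = {}

    def call(self, route_name: str, agent_identity: str) -> dict:
        route = self.routes[route_name]
        h = self.resolver.resolve(route.secret_ref, agent_identity)
        try:
            auth_header = b"Bearer " + h.expose()
            # The outbound provider request would carry auth_header; only metadata is returned.
            return {"provider": route.provider, "ref": route.secret_ref,
                    "key_version": h.version, "auth_header_len": len(auth_header)}
        finally:
            self.resolver.release(h)
```

Rotation is just a new `put` into the vault: the next `call` on the same route resolves version 2 with no change to the route. Switching providers is a change to the route's reference, not to any caller. The fingerprint in the audit entry lets an operator tell which key version a call used without the log ever holding the key.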

Make trust the default for every agent you deploy

An agent you can start, scope, and stop is an agent you can trust with real work.

  • Agent Kill Switch gives you the ultimate emergency operational safety net
  • Metered, governed model access makes explicit exactly which provider serves your traffic, at what cost, and for which customer
  • External Vault and Secret References ensure that your entire stack runs on a rigorous security posture your CISO can enthusiastically sign off on

We’ll be discussing these features in more detail in the coming weeks and announcing their general availability later this quarter.
