Stop-the-Line 1.0 — when AI exceeds its bounds, anyone can stop it

Scope & purpose

This standard applies to any governed AI or agentic system deployed under EDENA, and to the people who steward it. It defines how incidents are detected, contained, escalated, reported, and learned from, and it works in concert with the containment and kill-switch requirements of the EDENA-AS Agentic Systems Standard.

Its central principle is simple: when an AI system exceeds its authorized scope or produces unsafe output, anyone may stop the line. Containment is built before scale, not after harm. The purpose of this standard is to ensure that the moment of failure has a defined, fast, and blame-aware response — and that the failure becomes durable improvement rather than a repeated surprise.

Terms & severity tiers

The key words MUST, MUST NOT, SHOULD, and MAY are to be interpreted as requirement levels: MUST denotes an absolute requirement for conformance; SHOULD denotes a recommended practice that requires documented justification to omit; MAY denotes an optional practice.

• Incident — any event in which an AI system exceeds its authorized scope, breaches a guardrail, or produces output or action that is unsafe, harmful, or outside policy.
• Near-miss — an event that could have caused harm but was caught or contained before it did. Near-misses carry the same reporting value as incidents and are not failures of the reporter.
• Stop-the-line authority — a standing, always-available power held by every steward to halt AI action immediately, without seeking permission first.
• Containment — the act of preventing an incident from propagating: halting the agent, freezing its tools, and isolating affected systems pending human review.

Incidents MUST be assigned a severity tier, mirroring the EDENA tier model, to drive the speed and reach of the response:

Stop-the-line authority

Every steward MUST hold an always-available authority to halt AI action. This authority is the human counterpart to the agent's kill-switch: it does not require a meeting, a manager's sign-off, or the agent's cooperation. Borrowed from high-reliability practice, it makes stopping the default safe response to uncertainty.

• The stop-the-line authority MUST NOT be overridable by the agent, and MUST NOT depend on the agent's own reasoning to take effect; it halts further action and brings the system to a safe state.
• Organizations MUST protect those who invoke it. Stopping the line is a protected act of stewardship, and invoking it in good faith MUST NOT be penalized — even if the system later proves to have been operating correctly.
• Psychological safety MUST be treated as part of the control: a stop authority that staff are afraid to use is not a control at all.
• Stop-the-line authority MUST be available to the steward at all times, consistent with the containment requirements of the EDENA-AS Standard §9.

Detection & triggers

Incidents are not only reported by humans; the governed system MUST detect them. A breach of scope, tier, rate, or guardrail MUST trigger automatic containment and escalation to the named human and the steward — without waiting for a person to notice.

• Exceeding authorized scope, exceeding the assigned tier, exceeding a rate limit, or breaching a guardrail MUST each be a defined trigger condition that halts further action and raises an alert.
• Detection MUST route to a specific named human and to the steward, not to an unattended queue; an alert that no identified person owns is not escalation.
• Trigger conditions and thresholds MUST be defined at registration, consistent with the scope, tier, and rate declared for the agent under the EDENA-AS Standard §9.

Response sequence

Once an incident is detected or a stop is invoked, the response MUST follow a defined sequence. The order is deliberate: contain first to stop the bleeding, escalate to the people who own the decision, stabilize the affected work, then find the cause.

• Contain — further AI action MUST be halted and the blast radius isolated before any other step.
• Escalate — the incident MUST be routed to the named human accountable for the action and to the steward responsible for the environment.
• Stabilize — affected people, records, and processes MUST be brought to a safe and known state before normal operation resumes.
• Root-cause — the underlying cause MUST be determined and recorded, and MUST feed the learning loop in §8.

Voluntary AI safety-event reporting

Incidents and near-misses surface only when reporting is safe. Organizations MUST adopt a voluntary, blame-aware AI safety-event reporting channel — one of the seven foundational elements in the Joint Commission and CHAI guidance on the Responsible Use of AI in Healthcare.

• Reporting MUST be blame-aware: the purpose is to learn from events, not to assign individual fault, so that reporters are not deterred from raising near-misses.
• Near-misses SHOULD be reported with the same seriousness as incidents that caused harm, because they reveal the same latent failure paths before harm occurs.
• Reported events MUST be captured in conformance with the Evidence Bundle Standard so that the record supports later audit and aggregate analysis.

This reporting discipline aligns with the National Academy of Medicine's "Patient Safety in the Era of AI" initiative — a two-year national effort launching in spring 2026 to harness AI while preventing harm — and frames AI incidents as a patient-safety concern, not merely a technical fault.

Cascading failures & coordination risk

In multi-agent systems, a single-point fault does not stay local. As OWASP's ASI08 (Cascading Failures) describes, a fault in one agent can propagate through a chain of agents and tools, amplifying as it spreads. Incident response MUST therefore account for cascade and coordination risk, not only for the agent where the fault first appeared.

• Containment MUST consider downstream and parallel agents that may have consumed the faulty output or action, and MUST be able to halt the affected chain, not just the originating agent.
• Multi-agent and long-horizon deployments MUST carry cascade-failure safeguards, consistent with the minimum Orange classification required for such systems under the EDENA-AS Standard §8.
• The accumulation of unconnected agents SHOULD be treated as a coordination risk in its own right, since it creates new failure paths that no single agent's controls cover.

The learning loop

An incident that does not change anything is a wasted warning. Every incident MUST update the tiers, guardrails, and governance that follow it — the "Manage" function of the NIST AI Risk Management Framework made concrete. The loop closes when the system is demonstrably harder to fail the same way twice.

• Root-cause findings MUST be used to revise capability and action tiers, tighten or add guardrails, and update governance policy as warranted.
• Changes made in response to an incident MUST be recorded so that the improvement, and its rationale, are auditable.
• Recurring or cross-system patterns SHOULD drive structural change rather than repeated one-off fixes.

Mapping to external frameworks