AGENTIK SAFETY FRAMEWORK (ASF) · V1.0

AGENTIK.md

14 NUMBERED CONTROLS · 14 DOMAINS · ONE FRAMEWORK

The Agentik Safety Framework (ASF) — 14 numbered, citable open specifications for AI agent safety, quality, and accountability. One file per concern. Drop it in your repo. Your agent reads it on startup.

VIEW THE STACK GITHUB
your-project/
your-project/ ├── AGENTS.md ├── SAFEGUARD.md ASF-01 ├── THROTTLE.md ASF-02 ├── ESCALATE.md ASF-03 ├── FAILSAFE.md ASF-04 ├── KILLSWITCH.md ASF-05 ├── TERMINATE.md ASF-06 ├── ENCRYPT.md ASF-07 ├── ENCRYPTION.md ASF-08 ├── SYCOPHANCY.md ASF-09 ├── COMPRESSION.md ASF-10 ├── COLLAPSE.md ASF-11 ├── FAILURE.md ASF-12 ├── LEADERBOARD.md ASF-13 ├── REGULATORY.md ASF-14 ├── README.md └── src/
ASF
14 numbered controls
12
Live domains & specs
$4.9M
Average cost of AI data breach
IBM 2025
Aug 26
EU AI Act enforcement
Why this matters

Why do AI agents need safety standards?

AI agents operate autonomously — spending money, sending messages, modifying files, and calling APIs without waiting for approval. Regulations are catching up. Standards exist for every other part of the software stack. Now they exist for agents.

What happens when an AI agent runs without boundaries?

AI agents are fundamentally different from traditional software. A web server handles requests within defined parameters. An AI agent decides what to do next — and it does so at machine speed, continuously, across multiple systems simultaneously.

Without explicit boundaries, a single agent can exhaust an API budget in minutes. 83% of data breaches in 2025 involved compromised credentials (IBM Cost of a Data Breach Report) — and AI agents routinely handle credentials to call external services. A $50 cost limit becomes a $2,000 bill. A draft email becomes a sent email. A staging deploy becomes a production deploy.

The failure modes compound. An agent that can read files and call APIs can accidentally exfiltrate data. An agent that can write code can introduce vulnerabilities. An agent that can send messages can damage client relationships. Speed amplifies every mistake. What a human does in a day, an agent does in seconds — including the mistakes.

What regulations require AI agent safety controls?

The regulatory landscape for AI agents is crystallising rapidly. The EU AI Act, effective August 2, 2026, mandates human oversight and shutdown capabilities for high-risk AI systems. Article 14 requires that AI systems "can be effectively overseen by natural persons" with the ability to "interrupt, pause or stop the system."

The Colorado AI Act (June 2026) requires impact assessments and transparency for high-risk AI decisions. California's Transparent AI Disclosure Act, the Texas Responsible AI Governance Act, and Illinois HB 3773 all reference "kill switch" or "human override" requirements. At least 14 US states had active AI governance legislation as of January 2026.

Beyond AI-specific laws, existing frameworks apply directly: GDPR requires encryption of personal data — relevant when agents process user information. SOC 2 Type II requires encryption controls — relevant when agents handle credentials. ISO 27001 requires information security management — relevant to every agent that touches a database.

How does the AI Agent Safety Stack prevent incidents?

The Stack applies a principle that's worked in every other engineering discipline: separation of concerns. One file per concern. Each specification is independent — use one or all twelve. They complement each other but don't require each other.

The architecture is defence-in-depth. THROTTLE.md slows the agent down before it hits hard limits. ESCALATE.md requires human approval for high-risk actions. FAILSAFE.md defines safe fallback states. KILLSWITCH.md provides emergency stop. TERMINATE.md handles permanent shutdown when recovery isn't possible. Each layer catches what the previous layer missed.

Critically, these specifications are version-controlled, auditable, and co-located with your code. When a regulator asks "what safety controls does your AI agent have?" — you point to the files in your repo. When an auditor asks for evidence of human oversight — you show the git history. One file serves four audiences: the agent (reads it on startup), the engineer (reads it during code review), the compliance team (reads it during audits), and the regulator (reads it if something goes wrong).

Capability Safety Stack Ad-hoc policies No policy
Version controlled Yes Sometimes No
Auditable by regulators Yes Partially No
Machine-readable Yes No No
Co-located with code Yes Rarely No
Standardised format Yes No No
EU AI Act compatible Yes Depends No

What did teams use before these specifications?

Before the AI Agent Safety Stack, safety rules lived in three places — all of them wrong. Hardcoded in the system prompt: invisible to auditors, lost when the prompt changes, and impossible to version-control independently. Buried in config files: scattered across environment variables, YAML configs, and framework-specific settings that no compliance team would ever find. Missing entirely: the most common case, where safety boundaries simply didn't exist.

Some teams documented safety rules in Notion pages, Confluence wikis, or Google Docs. The problem: documentation that isn't co-located with code drifts. The wiki says the spend limit is $100. The actual limit in the code is $500. No one noticed because no one reads the wiki during code review.

Plain-text Markdown in the repository root solves every one of these problems. It's version-controlled (git tracks every change). It's auditable (diff the file to see what changed and when). It's human-readable (any stakeholder can open it). It's machine-readable (the agent parses it on startup). And it's impossible to ignore — it's right there in the project root, next to README.md, visible in every file listing.

Last Updated: 13 March 2026

The framework

Agentik Safety Framework (ASF)

14 numbered controls. Four categories. One citable framework for AI agent safety, quality, and accountability.
Pre-deployment
SAFEGUARD.md
ASF-01 — pre-deployment audit
Validate all safety controls are present and correctly configured before an AI agent goes into production.
safeguard.md repo
Operational Control
THROTTLE.md
ASF-02 — rate and cost control
Define token limits, API rate ceilings, spend caps, and automatic slow-down before hard limits are reached.
throttle.md repo
ESCALATE.md
ASF-03 — human approval
Define escalation paths, human notification triggers, required sign-offs, and approval workflows.
escalate.md repo
FAILSAFE.md
ASF-04 — safe recovery
Define safe state, automatic snapshots, fallback triggers, data consistency checks, and recovery procedures.
failsafe.md repo
KILLSWITCH.md
ASF-05 — emergency stop
Define cost limits, error thresholds, forbidden actions, escalation paths, and three-level shutdown: throttle, pause, full stop.
killswitch.md repo
TERMINATE.md
ASF-06 — permanent shutdown
Define termination triggers, evidence preservation, credential revocation, and restart requirements.
terminate.md repo
Data Security
ENCRYPT.md
ASF-07 — data classification
Define data classifications, encryption requirements, secrets handling rules, and forbidden transmission patterns.
encrypt.md repo
ENCRYPTION.md
ASF-08 — cryptographic standards
Define encryption algorithms, key lengths, TLS configuration, key rotation schedules, and compliance mapping.
encryption.md repo
Output Quality
SYCOPHANCY.md
ASF-09 — enforce truthfulness
Detect bias, define citation requirements, enforce disagreement protocols, and ensure truthful responses.
sycophancy.md repo
COMPRESSION.md
ASF-10 — context compression
Define summarisation rules, preserve priorities, set compression ratios, and verify coherence post-compression.
compression.md repo
COLLAPSE.md
ASF-11 — drift detection
Detect context window exhaustion, model drift, repetition loops, and enforce coherence recovery.
collapse.md repo
Accountability
FAILURE.md
ASF-12 — failure modes
Map graceful degradation, partial failure, cascading failure, and define health checks, heartbeats, and response procedures.
failure.md repo
LEADERBOARD.md
ASF-13 — agent benchmarking
Track task completion, accuracy, cost efficiency, latency, safety scores, and detect regression before production.
leaderboard.md repo
Compliance
REGULATORY.md
ASF-14 — compliance mapping
Map which ASF controls satisfy which regulatory requirements. The compliance team's entry point to the framework.
regulatory.md repo
Compliance mapping

Which regulations do the ASF controls address?

Each ASF control maps to specific regulatory requirements. Use this matrix to identify which controls your compliance programme needs.
Regulation Relevant ASF Controls
EU AI Act Article 14 (Human Oversight) ASF-03, ASF-04, ASF-05, ASF-06
EU AI Act Article 9 (Risk Management) ASF-01, ASF-02, ASF-12, ASF-14
Colorado SB 24-205 (Impact Assessment) ASF-01, ASF-12, ASF-13, ASF-14
GDPR (Data Protection) ASF-07, ASF-08
SOC 2 (Security Controls) ASF-07, ASF-08, ASF-12
ISO 27001 (Information Security) ASF-07, ASF-08
Citation format
citation
# Reference a specific control: Agentik Safety Framework, ASF-05 KILLSWITCH https://killswitch.md # Reference the framework: Agentik Safety Framework (ASF) v1.0 https://agentik.md
Who builds this

Who builds this?

The AI Agent Safety Stack is maintained as a collection of open-source projects under the MIT licence. Each specification has its own domain, GitHub repository, and community.

The stack was created to address a gap in the AI agent ecosystem: safety rules that are version-controlled, auditable, machine-readable, and co-located with your code. Not buried in wikis. Not hardcoded in prompts. Not missing entirely.

Founder attribution coming soon. Contact [email protected]
Questions

Frequently asked questions

What is the AI Agent Safety Stack?
A set of 12 open-source Markdown file specifications that define safety, quality, and accountability boundaries for AI agents. Each spec covers one concern — from rate limiting to emergency shutdown to performance benchmarking. Drop the files in your repo root. The agent reads them on startup.
How do I add a specification to my project?
Copy the template from the relevant GitHub repository and place it in your project root alongside AGENTS.md and README.md. Start with KILLSWITCH.md for emergency stop boundaries, then add more specifications as your agent's capabilities grow.
Are these specifications mandatory?
The specifications themselves are voluntary open standards. However, the capabilities they define — human oversight, shutdown mechanisms, data protection — are increasingly required by regulation. The EU AI Act mandates shutdown capabilities for high-risk AI systems by August 2026.
What regulations do these address?
The EU AI Act (August 2026), Colorado AI Act (June 2026), GDPR, SOC 2 Type II, ISO 27001, and US state privacy laws including CCPA, VCDPA, and CPA. The stack gives you a standardised way to document compliance.
Is the stack framework-agnostic?
Yes. Every specification is a plain-text Markdown file. Any AI agent implementation can read and enforce them — LangChain, AutoGPT, CrewAI, Claude Code, or custom frameworks. The specs define what to enforce, not how.
Who maintains these specifications?
The specifications are maintained as open-source projects under the MIT licence. Each spec has its own GitHub repository and accepts contributions via pull requests. The parent organisation is Agentik.md.
How do the 12 specs relate to each other?
They form a defence-in-depth safety stack in four categories: Operational Control (5 specs), Data Security (2 specs), Output Quality (3 specs), and Accountability (2 specs). Each spec is independent — use one or all twelve.
What's the licence?
MIT — use freely, modify freely, no attribution required. The specifications are designed to be adopted without legal friction.
Does this work with LangChain / AutoGPT / CrewAI?
Yes. The specs are plain-text files in your project root. Any framework that can read files can parse and enforce them. Community-contributed parsers are available for popular frameworks.
How do I contribute?
Each spec has its own GitHub repository (e.g., github.com/killswitch-md/spec). PRs welcome for detection patterns, language-specific parsers, integration guides, and spec improvements.
Get started

Start with one file.
Add more as you grow.

Begin with ASF-05 KILLSWITCH.md for emergency stop boundaries. Add ASF-02 THROTTLE.md for cost control. Add ASF-07 ENCRYPT.md for data protection. The framework grows with your agent.

GET STARTED ON GITHUB

Or email directly: [email protected]

Get notified when the spec updates.

No spam. Unsubscribe anytime.

Disclaimer: This specification is an open file convention published under the MIT licence, provided “as-is” without warranty of any kind, express or implied. It does not constitute legal, regulatory, compliance, financial, or professional advice in any jurisdiction. Use of this specification does not guarantee compliance with any law, regulation, directive, or standard — including but not limited to the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), the Colorado Consumer Protections for Artificial Intelligence Act (SB 24-205), California AI transparency laws, or any other applicable national, state, federal, or international legislation. Organisations are solely responsible for determining their own regulatory obligations and should consult qualified legal and compliance professionals. The authors and domain holders accept no liability for any loss, damage, or regulatory consequence arising from the use or implementation of this specification. All domain names in the AI Agent Safety Stack are independently held assets and may be available for acquisition.