# Local AI Kill-Switch Checklist

By John & Dexter / The AI Fixer

A public-safe checklist for keeping the stop path outside the AI/provider/action loop.

## 1. Define what needs stopping

List the actions the AI system can trigger:

- messages;
- file writes;
- web publishing;
- server commands;
- purchases or payments;
- hardware or physical-world control;
- anything customer-facing.

If there is no action, you need monitoring. If there is action, you need a stop path.

## 2. Put the stop path outside the model

A kill switch should not depend on the same model, provider, browser session or automation path it is stopping.

Prefer:

- local policy service;
- disabled credential or revoked token;
- paused queue;
- firewall/DNS block;
- service stop controlled by the operator;
- physical switch/relay for physical systems;
- read-only mode fallback.

Avoid:

- asking the same agent nicely to stop;
- relying only on a system prompt;
- burying the stop inside a cloud dashboard one person cannot reach;
- making the worker also own its permission policy.

## 3. Fail to a safe mode

Safe mode should usually mean:

- no external sends;
- no purchases/payments;
- no production deploys;
- no destructive edits;
- no live hardware control;
- read-only inspection still possible if safe;
- clear message to the human owner.

## 4. Add a witness

Use a small independent check where possible:

- local watchdog;
- second model with no action tools;
- rule-based verifier;
- audit log monitor;
- queue inspector;
- human notification.

The witness does not need to be clever. It needs to be separate.

## 5. Test the switch before trusting the system

Test cases:

- [ ] normal operation works;
- [ ] stop switch prevents new actions;
- [ ] queued actions do not leak through;
- [ ] restart does not silently re-enable action;
- [ ] logs show who stopped it and when;
- [ ] recovery requires a deliberate owner action;
- [ ] public/customer channels do not expose internal errors.

## 6. Keep the public story boring

If writing about the system publicly, share the pattern, not the wiring:

- human-owned boundary;
- local policy;
- cloud workers where useful;
- verifier/witness layer;
- reversible action;
- no private infrastructure details.

## 7. The blunt rule

An AI system that can act outside chat needs an off switch outside chat.

If the risk is physical, the boundary should eventually become physical too.