External revocation boundary that stops autonomous execution at the next validate call

What Happens When a Running Agent Is Revoked

A concrete walkthrough of execution, validation boundaries, dashboard revoke, and clean stop behavior.

5 min read Last updated: Jan 2, 2026

A common question about external execution control is simple and reasonable:

“Does this actually stop something that is already running?”

This article answers that question directly using a minimal, operational example. No abstractions, no theory—just execution flow.

The Setup

We assume a running agent or worker with:

  • A stable deviceId
  • A MachineID org key (org_…)
  • Validation calls placed at explicit boundaries (startup, per-unit-of-work, and/or side-effect)

The agent is already executing work when revocation occurs.

Execution Flow (Simplified)

The runtime follows a predictable pattern: 

register(device_id)

if not validate(device_id).allowed:
    exit()

while work_remaining:
    decision = validate(device_id)
    if not decision.allowed:
        exit()

    do_next_unit_of_work()

The key detail is that validation happens repeatedly at defined boundaries. This is where external stop authority becomes enforceable.

Step 1: The Agent Is Running

The agent has already:

  • Registered successfully
  • Passed initial validation
  • Entered its work loop

At this point, execution is normal. There is no special “control channel” inside the runtime.

Step 2: A Validation Boundary Exists

Before each unit of work (task, tool call, message, or side effect), the agent performs a validation call: 

decision = validate(device_id)

if not decision.allowed:
    exit()

This boundary is where external control takes effect. You choose where these boundaries exist. MachineID enforces the decision at the boundary.

Step 3: The Device Is Revoked

A human operator revokes the device from the MachineID.io Console: machineid.io/dashboard.

This action:

  • Does not signal the agent directly
  • Does not rely on cooperation
  • Immediately changes the external authorization decision

No agent redeploy is required. No code changes are required.

Step 4: The Next Validate Call Occurs

On the next validation call, the response changes. Conceptually: 

{
  "allowed": false,
  "code": "DEVICE_REVOKED",
  "request_id": "…"
}

The agent receives a definitive denial.

Step 5: Execution Stops

Because enforcement is binary, the agent exits immediately at the boundary.

There is no degraded mode. There is no hidden fallback path. Work does not continue past the validation boundary.

If validation fails, work does not begin.

What This Demonstrates

  • Execution can be stopped without runtime access
  • Control does not depend on in-process flags
  • Stop authority is external and enforceable
  • Behavior is deterministic and observable

Important Clarification

MachineID does not interrupt execution mid-instruction. It enforces stop authority at explicit validation boundaries. This makes behavior predictable, testable, and safe.

If you need faster stop response, add more boundaries. The enforcement model stays the same; only your boundary frequency changes.

Where to Learn More

Related

View all →

Why Autonomous Systems Need an External Control Plane

Why internal flags fail as execution multiplies—and why authority must live outside the runtime.

Why Internal Kill Switches Fail

The failure modes that make in-process stop logic unreliable under scale and uncertainty.

Register. Validate. Work.

The enforcement invariant: register an execution surface, validate permission, then work.

← Back to all articles