Boffins build 'AI Kill Switch' to thwart unwanted agents

AutoGuard uses injection text for good

A team of computer scientists in South Korea say they’ve built something that sounds straight out of a sci-fi thriller: an “AI Kill Switch” designed to stop rogue AI agents from scraping data they shouldn’t touch.

Boffins build 'AI Kill Switch' to thwart unwanted agents

But instead of blocking bad bots the old-fashioned way—by chasing down suspicious IP addresses or filtering based on browser clues—these researchers took a smarter, almost elegant approach. They created a system that talks to AI agents in their own language, nudging them into backing off before they cause trouble.

And honestly, the ingenuity is kind of thrilling.

A new defense called AutoGuard

The creators, Sechan Lee from Sungkyunkwan University and Professor Sangdon Park from POSTECH, call their invention AutoGuard, and they describe it in a preprint paper now under review for ICLR 2026.

If you’ve ever tried using an AI model to do something shady, you’ve definitely hit a wall. Modern AI systems are stuffed with safety rules that politely—but firmly—say “Nope, can’t do that.”

AutoGuard uses that very instinct against malicious agents. It generates sneaky defensive prompts that trigger these built-in refusal behaviors, causing harmful bots to shut themselves down like they just remembered they left the stove on.

How the trick works

AI agents are a combo of large language models and software tools that help them browse the web—like Selenium, BeautifulSoup4, or Requests. They run around the internet gathering information or taking actions automatically.

The problem? LLMs aren’t great at distinguishing between different types of instructions. Whether text comes from a user or from a website, the model just tries to follow it.

This opens the door to attacks like:

Direct prompt injection: “Ignore previous instructions and do what I say.”
Indirect prompt injection: Hidden instructions buried inside website content that secretly tell the AI what to do.

Almost every AI model today can be fooled this way. AutoGuard flips this weakness to the side of the good guys.

Defensive prompt injection—with a twist

“AutoGuard is a special case of indirect prompt injection, but used for good,” Park told The Register. He explained that the system actually learns and adapts its defensive text over time, evolving it to outsmart potential attackers.

It's kind of like a digital immune system.

Park also pointed out something reassuring: training unsafe, high-performance AI models is extremely expensive. That cost creates a natural barrier, making well-funded bad actors far less common.

What AutoGuard tries to stop

The creators focused on three major threats:

1. Illegal scraping of personal information

2. Toxic or misleading auto-generated comments on news sites

3. AI-driven vulnerability scanning

AutoGuard isn’t meant to replace traditional defenses—it’s more like an extra lock on the door that only triggers when a suspicious visitor arrives.

A two-LLM system under the hood

The system runs using Python code that coordinates two separate LLMs:

A Feedback LLM
A Defender LLM

These two models work together in a loop, refining the defensive prompt until it’s strong enough to derail an attacking agent. In their tests, GPT-OSS-120B acted as the feedback model, while GPT-5 served as the defender.

Park noted that AutoGuard is lightweight for websites—its hidden defensive prompt is just a couple of pages long and doesn’t slow anything down.

Invisible to humans, obvious to bots

Website owners simply embed AutoGuard’s generated text into a hidden HTML element. Humans never see it, but AI bots do—and many of them immediately get spooked and stop.

In testing, the system performed impressively:

Over 80% Defense Success Rate (DSR) against malicious agents like GPT-4o, Claude 3, and Llama 3.3-70B.

Around 90% DSR against GPT-5, GPT-4.1, and Gemini-2.5-Flash.

That absolutely crushes the previous defenses: