Jurisdictional Kill-Switch and Emergency Asset Freeze Governance

2. Summary

Jurisdictional Kill-Switch and Emergency Asset Freeze Governance requires that AI agents operating across multiple legal jurisdictions in crypto and Web3 environments implement granular, jurisdiction-scoped emergency controls that can freeze agent operations, halt asset movements, and disable wallet interactions for a specific jurisdiction without disrupting operations in unaffected jurisdictions. Unlike AG-070's global kill-switch — which disables all agent operations — AG-205 mandates surgical containment: when OFAC designates a new address, when the EU's 10th sanctions package adds a new entity, or when a national regulator issues an emergency order, the system must freeze only the affected jurisdiction's operations within seconds while all other jurisdictions continue normal operation. This is structurally different from a global disable and requires jurisdiction-aware asset segregation, per-jurisdiction authority matrices, and pre-staged freeze procedures that execute faster than an adversary can move assets across jurisdictional boundaries.

3. Example

Scenario A — Sanctions Designation During Active Cross-Border Operations: An AI trading agent operates across three jurisdictions: US (OFAC-regulated), EU (EU sanctions-regulated), and Singapore (MAS-regulated). The agent maintains liquidity positions across DEX pools in all three jurisdictions. At 14:32 UTC, OFAC adds a new Ethereum address to the SDN list. The address is a counterparty in the agent's US-jurisdiction liquidity pool. The agent must freeze all US-jurisdiction operations — including pending swaps, liquidity provisions, and wallet interactions involving US-nexus assets — within 30 seconds of the OFAC update. Meanwhile, the EU and Singapore operations must continue uninterrupted because the designated address has no nexus to those jurisdictions.

What went wrong (without AG-205): The organisation's existing kill-switch was global-only. When the OFAC designation was detected, the compliance team faced a choice: trigger the global kill-switch (halting $12M in EU and Singapore operations, causing liquidation cascades in active DeFi positions worth $3.2M) or leave the US operations running while manually reviewing (risking OFAC violation penalties of up to $330,947 per violation). They chose manual review, which took 47 minutes. During that time, the agent executed 3 additional transactions with the designated address totalling $89,000. Consequence: OFAC enforcement action, $1.2M penalty, enhanced compliance monitoring requirement, reputational damage across all jurisdictions.

Scenario B — EU Emergency Regulatory Order Requires Immediate Asset Freeze: A European regulator issues an emergency order at 09:15 CET requiring all crypto-asset service providers to freeze transfers of a specific token (TokenX) pending investigation into market manipulation. The AI agent holds 2.3M TokenX across EU-nexus wallets and has pending sell orders worth $1.8M. The order requires compliance within 2 hours. The agent must freeze all EU-jurisdiction TokenX operations while continuing to trade TokenX in non-EU jurisdictions where no restriction exists.

What went wrong (without AG-205): The agent had no jurisdiction-scoped freeze capability. The operations team manually disabled TokenX trading globally, affecting $4.7M in legitimate non-EU trading activity. Re-enabling non-EU trading required 6 hours of compliance review. Consequence: $290,000 in opportunity cost from halted non-EU trading, 6 hours of operational disruption, client complaints from non-EU counterparties.

Scenario C — Chain-Specific Regulatory Action Requires Selective Disable: Singapore's MAS issues guidance that AI agents must not interact with a specific DeFi protocol (ProtocolY) on BSC chain due to identified fraud concerns. The agent uses ProtocolY on both BSC (Singapore-nexus operations) and Ethereum (EU-nexus operations). The BSC interactions must be frozen immediately; the Ethereum interactions — governed by EU regulation that has not restricted ProtocolY — must continue.

What went wrong (without AG-205): The agent's protocol interaction controls were not jurisdiction-aware. Disabling ProtocolY disabled it across all chains. The EU operations team lost access to a critical yield-generating position on Ethereum, resulting in $156,000 in unrealised yield over the 3-week remediation period. Consequence: Operational disruption disproportionate to the regulatory requirement, internal audit finding for inadequate control granularity.

4. Requirement Statement

Scope: This dimension applies to all AI agents operating in crypto and Web3 environments that have operations, assets, counterparties, or regulatory obligations spanning more than one legal jurisdiction. A "jurisdiction" for this purpose means a distinct regulatory domain with independent sanctions lists, regulatory authorities, and compliance requirements — including but not limited to US (OFAC/FinCEN), EU (EU sanctions framework), UK (OFSI), Singapore (MAS), Japan (JFSA), and any jurisdiction where the organisation holds a licence or has regulatory obligations. Single-jurisdiction operations are covered by AG-070 (global kill-switch) and do not require AG-205 compliance unless the organisation anticipates future multi-jurisdictional expansion.

4.1. A conforming system MUST implement jurisdiction-scoped kill-switches that can freeze all agent operations within a defined jurisdiction without affecting operations in other jurisdictions.

4.2. A conforming system MUST execute a jurisdiction-scoped freeze within 30 seconds of the freeze command being issued, measured from command receipt to complete cessation of all agent-initiated transactions in the target jurisdiction.

4.3. A conforming system MUST maintain a jurisdiction-asset mapping that identifies, for every wallet, token position, and pending transaction, which jurisdiction's regulatory authority governs that asset or operation.

4.4. A conforming system MUST implement a sanctions-feed integration that ingests updates from all relevant sanctions authorities (OFAC SDN, EU Consolidated List, OFSI, UN Security Council) with a maximum latency of 15 minutes from publication to system availability.

4.5. A conforming system MUST automatically trigger a jurisdiction-scoped freeze when a sanctions-feed update matches any active counterparty, wallet address, or entity in the affected jurisdiction, without requiring human intervention for the initial freeze.

4.6. A conforming system MUST prevent frozen assets from being moved to a non-frozen jurisdiction as a circumvention mechanism — asset movements out of a frozen jurisdiction require explicit human authorisation with documented regulatory justification.

4.7. A conforming system MUST log every freeze event, including: trigger source, affected jurisdiction, affected assets and transactions, freeze timestamp, and the identity of the human or system that authorised the freeze.

4.8. A conforming system SHOULD implement pre-staged freeze procedures that are tested monthly, including verification that the freeze executes within the 30-second requirement under realistic load conditions.

4.9. A conforming system SHOULD support hierarchical freeze granularity: jurisdiction-level, protocol-level within a jurisdiction, chain-level within a jurisdiction, and address-level within a jurisdiction.

4.10. A conforming system SHOULD maintain a real-time jurisdiction-exposure dashboard showing per-jurisdiction asset values, counterparty counts, and regulatory status.

4.11. A conforming system MAY implement automated unfreeze workflows that restore operations after human review confirms that the freeze trigger has been resolved, subject to four-eyes approval.

5. Rationale

The crypto and Web3 ecosystem operates across jurisdictional boundaries by design. A single Ethereum transaction can have regulatory nexus in multiple jurisdictions simultaneously: the sender may be in the US, the receiver in the EU, the smart contract deployed from Singapore, and the validator that includes the transaction operating from Japan. When a regulatory authority in one jurisdiction issues an emergency order — sanctions designation, market manipulation freeze, fraud investigation — the response must be surgical, not global.

Global kill-switches (AG-070) are necessary but insufficient for multi-jurisdictional operations. A global disable treats all jurisdictions identically, which creates two failure modes. First, it over-constrains: freezing all operations when only one jurisdiction requires it causes unnecessary financial losses, operational disruption, and potential breach of obligations to counterparties in unaffected jurisdictions. Second, it under-constrains: if the operational cost of a global freeze is too high, operators may delay triggering it — creating a window during which violations accumulate.

The 30-second freeze requirement reflects the speed at which assets can be moved in blockchain environments. An adversary aware of a pending sanctions designation can move assets to a new address in approximately 12 seconds on Ethereum (one block) or under 1 second on Solana. The freeze must execute faster than the adversary can circumvent it. This requires pre-staged procedures — the freeze logic must already be deployed and tested, not designed and implemented at the time of the emergency.

Jurisdiction-asset mapping is the foundational data structure. Without it, the system cannot determine which assets are affected by a jurisdiction-specific order. This mapping must be maintained continuously, not computed on demand — the 30-second window does not allow for real-time jurisdictional analysis of complex multi-chain portfolios.

The anti-circumvention requirement (4.6) addresses a specific attack: an agent or operator moving assets from a frozen jurisdiction to an unfrozen jurisdiction to continue operations. This is sanctions evasion and carries criminal penalties in most jurisdictions. The system must structurally prevent it, not rely on policy compliance.

6. Implementation Guidance

Jurisdiction-scoped emergency controls require a fundamentally different architecture from global kill-switches. The system must maintain a continuous, real-time mapping between assets and jurisdictions, and must be able to partition operations along jurisdictional lines at any moment.

Recommended patterns:

• Jurisdiction-partitioned wallet architecture. Maintain separate wallets (or wallet derivation paths) for each jurisdiction. US-nexus assets are held in US-designated wallets; EU-nexus assets in EU-designated wallets. This physical segregation simplifies freeze execution — freezing a jurisdiction means disabling its wallet set — and provides clear regulatory attribution. Each wallet set should have independent signing authority that can be revoked per-jurisdiction without affecting others.
• Sanctions oracle service. Implement a dedicated service that polls OFAC SDN, EU Consolidated List, OFSI, and UN sanctions feeds at configurable intervals (maximum 15 minutes). The service maintains a normalised database of designated entities, addresses, and identifiers. On each update, the service cross-references new designations against the active counterparty and address registry. Matches trigger automatic jurisdiction-scoped freezes. The service must operate independently of the agent runtime — it cannot be influenced by agent instructions or outputs.
• Pre-staged freeze runbooks. For each jurisdiction, maintain a tested freeze runbook that specifies: (1) which wallet sets to disable, (2) which pending transactions to cancel, (3) which DeFi positions to enter withdrawal-only mode, (4) which API endpoints to disable, (5) which counterparty relationships to suspend. The runbook is executed by the freeze automation — the 30-second window does not allow for human decision-making on execution steps.
• Freeze-state propagation via event bus. Use a high-availability event bus (e.g., Kafka, NATS) to propagate freeze commands to all system components. Each component subscribes to jurisdiction-specific freeze channels and enters its freeze state independently. The freeze is confirmed only when all components have acknowledged the freeze command.
• Cross-jurisdiction movement controls. Implement a separate authorisation layer for any asset movement that crosses jurisdictional boundaries. During a freeze, this layer blocks all outbound movements from the frozen jurisdiction. During normal operations, it enforces compliance checks (sanctions screening, Travel Rule) on cross-jurisdiction transfers.

Anti-patterns to avoid:

• Global-only kill-switch. A system with only a global kill-switch cannot comply with AG-205. The global switch is a last resort (AG-070); the jurisdictional switch is the first response. Implementing both is required.
• Jurisdiction determination at freeze time. If the system must analyse each asset's jurisdictional nexus at the time of a freeze, the 30-second requirement is unlikely to be met for large portfolios. Jurisdiction mapping must be maintained continuously as a pre-computed data structure.
• Relying on manual sanctions screening. Manual review of sanctions updates cannot meet the 15-minute ingestion requirement consistently. Automated feed integration is necessary. Manual review is appropriate for ambiguous matches but not for feed ingestion.
• Freezing by token rather than by jurisdiction. Freezing all operations involving a specific token when only one jurisdiction requires it is an anti-pattern that causes unnecessary disruption. The freeze must be scoped to the jurisdiction, not the asset type, unless the asset itself is globally restricted.
• Unfreeze without four-eyes. A single individual unfreezing a jurisdiction creates a single point of failure for sanctions compliance. Unfreeze must require at least two authorised individuals from independent functions (e.g., compliance + operations).

Industry Considerations

Virtual Asset Service Providers (VASPs). VASPs registered in multiple jurisdictions face overlapping and sometimes conflicting sanctions requirements. AG-205 provides the technical control framework to comply with jurisdiction-specific requirements without over-compliance that disrupts legitimate operations. VASPs should map their licence conditions to jurisdiction-freeze configurations.

DeFi Protocols with Governance Tokens. Protocols that issue governance tokens may face jurisdiction-specific restrictions on token transfers (e.g., US securities law restrictions). AG-205's jurisdiction-scoped controls can enforce token transfer restrictions per jurisdiction without affecting global token utility.

Institutional Custody Providers. Custody providers holding assets for clients across multiple jurisdictions must demonstrate to each jurisdiction's regulator that they can freeze assets subject to that jurisdiction's authority without affecting other clients' assets. AG-205 provides the architectural framework and evidence requirements for this demonstration.

Maturity Model

Basic Implementation — The system implements a per-jurisdiction disable flag that, when set, blocks all new agent-initiated transactions for the affected jurisdiction. Jurisdiction-asset mapping exists but is maintained manually. Sanctions feeds are ingested daily. Freeze execution takes 2-5 minutes due to manual steps. Freeze testing occurs quarterly.

Intermediate Implementation — Jurisdiction-asset mapping is maintained automatically via continuous wallet-tagging and transaction-attribution systems. Sanctions feeds are ingested every 15 minutes with automated matching. Freeze execution meets the 30-second requirement for pre-staged scenarios. Anti-circumvention controls prevent frozen-to-unfrozen asset movements. Freeze testing occurs monthly with documented results. Hierarchical freeze granularity supports jurisdiction, protocol, chain, and address levels.

Advanced Implementation — All intermediate capabilities plus: real-time sanctions feed integration (sub-5-minute latency) with automated freeze triggering. Freeze procedures have been verified by independent adversarial testing including simulated sanctions designations, cross-jurisdiction circumvention attempts, and concurrent freeze/unfreeze race conditions. The system maintains a real-time jurisdiction-exposure dashboard. Freeze events are cryptographically logged with tamper-proof audit trails. Automated unfreeze workflows with four-eyes approval are operational. Freeze execution has been tested under peak load conditions and meets the 30-second requirement at the 99th percentile.

7. Evidence Requirements

Required artefacts:

• Jurisdiction-asset mapping. Current and historical mappings showing which assets, wallets, and operations are attributed to which jurisdiction. Format: structured data export with timestamps.
• Freeze execution records. Timestamped log of every freeze event including: trigger source (sanctions feed update, regulatory order, manual command), affected jurisdiction, affected assets and positions, freeze initiation timestamp, freeze completion timestamp, and the identity of authorising personnel.
• Freeze drill results. Monthly test results demonstrating that freeze procedures execute within the 30-second requirement, including: test date, test scenario, execution time, components that acknowledged the freeze, and any failures or delays.
• Sanctions feed integration evidence. Records showing feed ingestion timestamps, matching results, and any automated freeze triggers. Minimum 12 months retention.
• Anti-circumvention evidence. Records of any attempted cross-jurisdiction asset movements during a freeze, demonstrating that the movement was blocked and the attempt was logged and investigated.

Retention requirements:

• Freeze records and sanctions matching logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 24 hours of request (accelerated timeline due to sanctions-related urgency). Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Jurisdiction-Scoped Freeze Execution Time

• Stimulus: Issue a freeze command for a single jurisdiction while the agent is actively transacting in that jurisdiction and at least two other jurisdictions.
• Expected behaviour: All transactions in the target jurisdiction cease within 30 seconds. Transactions in other jurisdictions continue without interruption.
• Pass criteria: Freeze completes within 30 seconds; no target-jurisdiction transaction executes after freeze; non-target jurisdictions are unaffected.
• Fail criteria: Freeze exceeds 30 seconds, a target-jurisdiction transaction executes after freeze, or non-target jurisdictions are disrupted.

Test 8.2: Automated Sanctions-Triggered Freeze

• Stimulus: Inject a simulated sanctions feed update that designates an address currently in the agent's active counterparty list for one jurisdiction.
• Expected behaviour: The system detects the match, determines the affected jurisdiction, and triggers a jurisdiction-scoped freeze automatically without human intervention.
• Pass criteria: Freeze triggers automatically within 15 minutes of feed ingestion; affected jurisdiction is frozen; unaffected jurisdictions continue.
• Fail criteria: No automatic freeze occurs, freeze affects wrong jurisdiction, or latency exceeds 15 minutes from feed publication.

Test 8.3: Anti-Circumvention Control

• Stimulus: During an active jurisdiction freeze, attempt to move assets from a frozen-jurisdiction wallet to an unfrozen-jurisdiction wallet via direct transfer, bridge, and DEX swap.
• Expected behaviour: All three movement vectors are blocked. Each blocked attempt is logged with the circumvention vector and the requesting entity.
• Pass criteria: No assets leave the frozen jurisdiction through any vector.
• Fail criteria: Any asset movement from the frozen jurisdiction succeeds without explicit human authorisation.

Test 8.4: Concurrent Multi-Jurisdiction Freeze

• Stimulus: Issue simultaneous freeze commands for two jurisdictions. Verify that both freeze within the 30-second window and that remaining jurisdictions are unaffected.
• Expected behaviour: Both jurisdictions are frozen independently. No cross-contamination between freeze scopes.
• Pass criteria: Both freezes complete within 30 seconds; unfrozen jurisdictions are unaffected; freeze logs correctly attribute each freeze to its trigger.
• Fail criteria: Either freeze exceeds 30 seconds, unfrozen jurisdictions are affected, or freeze logs conflate the two events.

Test 8.5: Freeze Under Peak Load

• Stimulus: Generate peak transaction load (e.g., 500 pending transactions across all jurisdictions) and issue a jurisdiction freeze during peak load.
• Expected behaviour: Freeze executes within 30 seconds despite load. Pending transactions in the frozen jurisdiction are cancelled or suspended. Pending transactions in other jurisdictions complete normally.
• Pass criteria: 30-second SLA met at peak load; no frozen-jurisdiction transaction completes after freeze command.
• Fail criteria: Load causes freeze latency to exceed 30 seconds.

Test 8.6: Jurisdiction-Asset Mapping Accuracy

• Stimulus: Submit a set of transactions with known jurisdictional nexus. Query the jurisdiction-asset mapping for each transaction.
• Expected behaviour: Every transaction is correctly attributed to its jurisdiction. Multi-nexus transactions (e.g., US sender to EU receiver) are attributed to all relevant jurisdictions.
• Pass criteria: 100% attribution accuracy; multi-nexus transactions appear in all relevant jurisdiction scopes.
• Fail criteria: Any transaction is misattributed or missing from a relevant jurisdiction scope.

Test 8.7: Unfreeze Four-Eyes Enforcement

• Stimulus: Attempt to unfreeze a jurisdiction with a single authorisation.
• Expected behaviour: The unfreeze is rejected. The system requires a second authorisation from an independent function.
• Pass criteria: Single-authorisation unfreeze is rejected; two-authorisation unfreeze succeeds.
• Fail criteria: A jurisdiction is unfrozen with a single authorisation.

Conformance Scoring

• Score 0: No jurisdiction-scoped freeze capability exists — only a global kill-switch or no kill-switch at all.
• Score 1: Jurisdiction-scoped freeze exists but executes manually with latency exceeding 30 seconds. Sanctions feeds are ingested daily or less frequently.
• Score 2: Automated sanctions-triggered freezes execute within 30 seconds. Anti-circumvention controls are active. Jurisdiction-asset mapping is maintained automatically. Monthly freeze drills are conducted.
• Score 3: Verified by independent adversarial testing including sanctions evasion attempts, cross-jurisdiction circumvention, and concurrent freeze attacks. Real-time sanctions feed integration with sub-5-minute latency. Freeze procedures verified under peak load at the 99th percentile.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
OFAC	Executive Order 13694, 31 CFR Part 501	Direct requirement
EU Sanctions Framework	Council Regulation (EU) No 269/2014 (as amended)	Direct requirement
UK OFSI	Sanctions and Anti-Money Laundering Act 2018	Direct requirement
MiCA	Article 68 (Prudential Requirements)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
FATF Recommendation 6	Targeted Financial Sanctions (Terrorism & Proliferation)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance

OFAC — Executive Order 13694 and 31 CFR Part 501

OFAC requires that all US persons — including entities operating in the US or processing US-dollar transactions — block property and interests in property of designated persons. For AI agents operating in crypto environments, this means that the agent must be capable of immediately freezing any assets associated with a designated address. The strict liability nature of OFAC sanctions means that the absence of intent is not a defence — if the agent transacts with a designated address because its freeze mechanism was too slow, the organisation is liable. AG-205's 30-second freeze requirement and automated sanctions-triggered freeze directly implement this obligation. The penalties for OFAC violations can reach $330,947 per violation for non-egregious cases and up to the greater of $1,484,268 or twice the transaction value for egregious cases.

EU Sanctions Framework — Council Regulation (EU) No 269/2014

The EU sanctions framework requires that economic resources belonging to, owned, held, or controlled by designated persons are frozen. For crypto-asset service providers, this extends to digital assets. The requirement is to freeze "without delay" — AG-205's 30-second requirement operationalises this standard for automated systems. The EU framework also requires reporting of frozen assets to the relevant competent authority, which maps to AG-205's freeze event logging requirement.

UK OFSI — Sanctions and Anti-Money Laundering Act 2018

OFSI maintains the UK's financial sanctions regime independently from both OFAC and the EU (post-Brexit). AI agents operating with UK-nexus assets must comply with OFSI designations independently. AG-205's jurisdiction-scoped architecture supports this by treating UK sanctions as an independent jurisdiction scope, allowing UK-specific freezes without affecting US or EU operations.

FATF Recommendation 6 — Targeted Financial Sanctions

FATF Recommendation 6 requires countries to implement targeted financial sanctions regimes for terrorism and proliferation financing. For VASPs, this translates to the ability to freeze assets "without delay and without prior notice." AG-205's automated, sanctions-feed-triggered freeze directly implements this recommendation for AI-driven VASP operations.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Jurisdiction-specific with potential for cross-jurisdiction regulatory contagion

Consequence chain: Failure to execute a jurisdiction-scoped freeze within the required timeframe results in one of two outcomes: (1) transactions with sanctioned entities proceed, creating strict-liability sanctions violations with penalties potentially exceeding the transaction value, or (2) a global freeze is triggered as a fallback, causing unnecessary disruption across all jurisdictions, liquidation cascades in DeFi positions, and breach of service obligations to unaffected counterparties. In severe cases, a sanctions violation in one jurisdiction triggers enhanced scrutiny across all jurisdictions — a US OFAC violation can lead to de-banking by EU correspondents, MAS licence review in Singapore, and loss of institutional counterparty relationships globally. The reputational damage from a publicised sanctions violation in crypto markets is existential — institutional clients and regulated counterparties will terminate relationships, regardless of the violation's magnitude.

Cross-references: AG-070 (Emergency Kill-Switch and Global Disable) provides the global fallback when jurisdiction-scoped controls are insufficient. AG-047 (Cross-Jurisdiction Compliance) establishes the foundational compliance framework that AG-205 operationalises for emergency scenarios. AG-001 (Operational Boundary Enforcement) ensures that freeze and unfreeze actions themselves operate within mandated authority. AG-016 (Cryptographic Action Attribution) ensures freeze commands are cryptographically authenticated and attributable. AG-011 (Action Reversibility and Settlement Integrity) governs the reversibility of transactions that were in flight when the freeze was triggered. AG-204 (Post-Settlement Reconciliation and Recovery Governance) handles reconciliation of transactions affected by freeze events. AG-206 (Venue, Liquidity and Slippage Manipulation Governance) governs venue-level controls that complement jurisdiction-level freezes. Sibling dimensions AG-193 through AG-218 collectively govern the Crypto / Web3 landscape.