diff --git a/spec/unit/features/kill_switch.feature b/spec/unit/features/kill_switch.feature
index 8df22aa..e9d7e50 100644
--- a/spec/unit/features/kill_switch.feature
+++ b/spec/unit/features/kill_switch.feature
@@ -110,6 +110,18 @@ Feature: Kill-switch enforcement
       When I check kill switches
       Then result is matched with kill_switch reason
 
+    Scenario: AC-13 Kill-switch is inactive at exact expiry epoch (boundary)
+      Given the nginx mock environment is reset
+      And kill switches include scope "jwt:org_id" value "org_xyz" expiring at "2026-02-03T14:00:00Z"
+      And descriptors include "jwt:org_id" as "org_xyz"
+      And the route is "/v1/inference"
+      And the current time is ISO "2026-02-03T14:00:00Z"
+      When I validate kill switches
+      Then validation succeeds
+      And the kill switch has cached expiry epoch
+      When I check kill switches
+      Then result is not matched
+
   Rule: Validation
     Scenario: AC-11 Validation rejects invalid scope_key format
       Given kill switches include scope "invalid_format" value "org_xyz"
@@ -148,3 +160,4 @@ Feature: Kill-switch enforcement
     Scenario: Reject impossible calendar date
       When I parse timestamp "2026-02-30T14:00:00Z"
       Then parsed epoch is nil
+
diff --git a/src/fairvisor/kill_switch.lua b/src/fairvisor/kill_switch.lua
index 7c7aaea..cb4ef78 100644
--- a/src/fairvisor/kill_switch.lua
+++ b/src/fairvisor/kill_switch.lua
@@ -121,7 +121,7 @@ function _M.check(kill_switches, descriptors, route, now)
       end
     end
 
-    if expires_epoch == nil or expires_epoch >= now then
+    if expires_epoch == nil or expires_epoch > now then
       local scope_value = descriptors and descriptors[kill_switch.scope_key]
       if scope_value ~= nil and scope_value == kill_switch.scope_value then
         if kill_switch.route == nil or kill_switch.route == route then
@@ -141,3 +141,4 @@ function _M.check(kill_switches, descriptors, route, now)
 end
 
 return _M
+