How do we prevent a single AI agent or feature from consuming runaway LLM tokens?

The most effective way is to implement deterministic budget caps at the tool-call boundary. SupraWall allows you to set per-agent and per-session hard limits on token usage and dollar spend, halting the agent instantly if a threshold is reached.

Security Hub • Cost Control

AI Agent Runaway
Costs.

Q: What is a circuit breaker for AI agents?

A circuit breaker detects repetitive tool call patterns (the same tool called with identical arguments multiple times in a short window) and halts the agent before costs escalate. It's the agent equivalent of a thermal shutoff.

AI agent runaway costs occur when autonomous agents enter infinite tool loops, recursive spawning chains, or hallucinated repetition cycles with no hard stopping mechanism. Without budget enforcement, a single misbehaving agent can accumulate thousands of dollars in API charges overnight — often with no alerts, no circuit breakers, and no human in the loop.

TL;DR

Agents with no max_iterations or budget caps can generate thousands of API calls in hours — entirely undetected.
The four root causes are: infinite tool loops, recursive agent spawning, context window inflation, and hallucinated repetition.
Application-level counters are fragile. API provider rate limits are blunt. SDK-level budget enforcement is the only reliable protection.
A single looping GPT-4o agent can cost $500+ per incident. Ten agents looping simultaneously: $5,000.

The $4,000 Wake-Up Call

It was a Friday afternoon deployment. A developer shipped a LangChain research agent to do competitive analysis over the weekend. The setup looked reasonable: a web_search tool and a summarize tool, chained together to gather and digest market intelligence. No one would need to babysit it. That was the point.

The first sign of trouble was invisible. One of the search results returned a 429 rate limit error. The LLM, interpreting the error as a signal that the task was incomplete, did what it was designed to do: it tried again. It got another 429. It tried again. The loop had started, and there was nothing to stop it.

Incident Timeline

Friday 6:00 PMAgent deployed. First search executes successfully.

Friday 7:14 PM429 rate limit error encountered. Retry loop begins.

Friday Midnight8,400 API calls accumulated. Zero alerts fired.

Saturday 3:00 AM47,000 API calls. Context window inflating on each retry.

Monday 9:00 AM847,000 API calls. $3,847 in OpenAI charges. Account suspended.

Monday 9:03 AMDeveloper discovers the outage when GPT-4 returns 402 Payment Required.

Nobody configured alerts. Nobody set limits. The circuit breaker existed as a comment in the backlog: // TODO: add max_iterations

The agent wasn't hacked. It did exactly what it was designed to do: try until it succeeds. There was just nothing to tell it to stop.

The Four Root Causes

Runaway costs don't happen randomly. They follow predictable structural patterns that emerge from how LLM-based agents interpret errors and manage state. Understanding these patterns is the first step to preventing them.

Infinite Tool Loops

The most common root cause. The LLM interprets every error response as a signal that the task is incomplete and that it should retry. No native LangChain or CrewAI mechanism prevents this by default — the max_iterations parameter exists but defaults to None in many configurations, meaning the agent will loop indefinitely until the process is killed or the account is suspended.

# LangChain agent with no max_iterations (or max_iterations=None)
agent = AgentExecutor(agent=llm_agent, tools=tools, max_iterations=None)
# Tool returns: {"error": "rate_limit_exceeded", "retry_after": 60}
# LLM decides: "I should retry this call"
# Repeats 10,000 times

Cost estimate: GPT-4o at $0.005/1K tokens, 2,000 tokens per retry: $0.01 per call × 10,000 calls = $100

Recursive Agent Spawning

Multi-agent orchestrators like AutoGen allow agents to spawn sub-agents to handle sub-tasks. Without a depth limit, this creates an exponential tree of concurrent agents — each one making its own API calls and billing independently. At depth 5 with a branching factor of 3, you have 243 agents running simultaneously.

# AutoGen orchestrator spawns sub-agents that each spawn more sub-agents
# With no depth limit, this creates an exponential tree
orchestrator.spawn_subagent("handle_subtask_1")  # spawns 3 more
# Each of those spawns 3 more = 9 agents
# Each of those spawns 3 more = 27 agents
# Depth 5 = 243 concurrent agents, all billing simultaneously

Cost estimate: 243 agents × 50 calls each × $0.01 = $121.50 in one exponential burst

Context Window Inflation

Each round-trip in an agent session appends the full tool result to the conversation context. This means that the cost per call grows with every iteration — early calls appear cheap, masking the escalating cost until it's too late to intervene. The 100th call can cost 50× more than the first.

# Each round-trip appends the full tool result to the context
# Round   1:   2,000 tokens  → cost: $0.01
# Round   5:  10,000 tokens  → cost: $0.05
# Round  20:  40,000 tokens  → cost: $0.20
# Round 100: 200,000 tokens  → cost: $1.00 per call
# 1,000 round-trips at average 50K tokens = $250

Context inflation is insidious because early calls are cheap, masking the escalating cost until it's too late.

Hallucinated Repetition

The LLM completes its task, but in subsequent turns it "forgets" or doubts completion and re-invokes the same tool chain from scratch. This is not a loop in the traditional sense — the agent doesn't receive an error. It simply second-guesses itself and starts over, multiplying the cost by the number of repetitions.

# Agent completes task, but LLM "forgets" or doubts completion
# Reinvokes the same tool chain from scratch
result = agent.run("Generate monthly report for all 500 customers")
# Agent completes reports 1-500
# LLM in next turn: "I should verify these were sent correctly"
# Agent regenerates reports 1-500 again
# Repeat 10 times = 10× the expected cost

The Math Nobody Does Before Shipping

Most teams ship agents without ever calculating the cost floor of normal operation — let alone the cost ceiling of a runaway scenario. Here is the arithmetic that should happen before every production deployment.

Baseline agent:
  - Tool calls per session:  50
  - Tokens per call:        2,000 (input + output)
  - Model: GPT-4o at $0.005/1K tokens

Cost per session = 50 × (2,000/1,000) × $0.005 = $0.50

Normal operation (100 sessions/day, 30 agents):
  Monthly cost = 100 × 30 × $0.50 × 30 = $45,000 ← already significant

Loop scenario (agent retries 1,000× instead of stopping once):
  Single incident cost = 1,000 × $0.50 = $500 per agent per incident
  10 agents looping simultaneously = $5,000 per incident

The table below shows how runaway multipliers scale across the major frontier models. These figures use the per-token rates as of early 2026 and assume 2,000 tokens per agent call. Use this as a reference when calculating your exposure.

Cost by Loop Multiplier and Model (2,000 tokens/call baseline)

Agent Scenario	GPT-4o	Claude Sonnet 4	Claude Opus 4	GPT-4o-mini
Normal session (1×)	$0.01	$0.006	$0.03	$0.0006
100× loop	$1.00	$0.60	$3.00	$0.06
1,000× loop	$10.00	$6.00	$30.00	$0.60
10,000× loop	$100.00	$60.00	$300.00	$6.00
Worst case (100K× loop)	$1,000.00	$600.00	$3,000.00	$60.00

A single Claude Opus 4 agent in a worst-case 100K-loop scenario costs $3,000 — from a single misbehaving session. At 10 concurrent agents, that's $30,000 from a single overnight incident.

Three Prevention Strategies

There are three architectural levels at which you can attempt to prevent runaway costs. They are ordered from weakest to strongest. Only one provides reliable protection.

Strategy 01 — Weak

Application-Level Counters

The most common approach: each developer manually adds a call counter to each tool function and raises an exception when the limit is reached. This is fragile by design — it requires every developer to implement it correctly every time, it doesn't catch context inflation, can't be centrally enforced, and is trivially bypassed by refactors.

# Common but fragile approach
call_count = 0
MAX_CALLS = 100

def my_tool(args):
    global call_count
    call_count += 1
    if call_count > MAX_CALLS:
        raise RuntimeError("Max calls exceeded")
    return do_actual_work(args)

✗Requires every developer to implement correctly — drift is inevitable
✗Does not catch context window inflation across calls
✗Cannot be centrally audited or enforced across teams
✗Counter resets if the process restarts (e.g., during a crash recovery loop)

Strategy 02 — Medium

API Provider Rate Limits

OpenAI and Anthropic both offer account-level rate limits and monthly spend caps in their billing dashboards. Setting these is better than nothing, but it comes with a critical flaw: the limits apply globally across your entire organization. When a single rogue agent triggers the org-level rate limit, every other agent in production — including your critical customer-facing workflows — gets throttled or blocked simultaneously.

~Applies globally — one bad agent degrades all production traffic
~Does not isolate by agent, session, or user
~Monthly caps don't prevent a single overnight incident from causing damage
~No granularity: you can't give a research agent $5/day while giving a billing agent $50/day

Strategy 03 — Strong

SDK-Level Budget Enforcement

The only approach that provides reliable, per-agent, pre-call enforcement. SupraWall wraps your agent at the SDK level and intercepts every tool call before it reaches the LLM API. If the budget would be exceeded, the call is blocked before it is made — not detected after the fact. This is the difference between a wall and an alarm.

from suprawall import protect

secured = protect(
    agent,
    budget={
        "daily_limit_usd": 10,        # Hard stop at $10/day per agent
        "session_tokens": 500_000,    # Max tokens per session
        "circuit_breaker": {
            "max_identical_calls": 10,  # Catch loops
            "window_seconds": 60,
        }
    },
    on_budget_exceeded="halt",    # "halt" | "notify" | "require_approval"
)
# When limit is reached: SupraWall raises BudgetExceeded
# Agent halts gracefully, incident is logged, team notified

Why this is the right level: the enforcement happens beforethe API call is made. Budget overruns are prevented, not just detected after the fact. Each agent gets its own independent budget — a rogue agent cannot affect other agents' quotas.

Per-agent isolation — one rogue agent cannot affect production traffic
Pre-call enforcement — the expensive API call is never made
Circuit breaker catches loop patterns before they compound
Configurable response: halt, notify, or require human approval

Incident Response Checklist

If you're reading this because an agent is running right now and you're watching your bill climb in real time, follow this checklist in order. Speed matters — every minute of delay is additional API spend.

Set an account-level hard limit immediately

Go to OpenAI or Anthropic billing → Usage Limits → set a hard daily/monthly cap. This is your emergency brake while you investigate.

Identify the agent and session via audit logs

Filter by agentId and timestamp of the spend spike. If you don't have structured audit logs, check your API request logs for the source IP or API key that is generating the volume.

Terminate the agent process and revoke its API key

Kill the process if it's still running. Immediately rotate or revoke the API key the agent is using. Generate a new key for future deployments — do not reuse the compromised key.

Audit all downstream side effects

Emails sent. Database writes. Charges processed. Webhooks called. The API bill is often not the worst part — side effects from 847,000 repeated tool calls can be catastrophic.

Calculate total blast radius

API costs + downstream charges + human investigation time + any customer impact. Document this number — it will be the most persuasive argument for budget enforcement going forward.

Implement budget limits before redeploying

Do not redeploy the agent without SDK-level budget enforcement in place. See Strategy 3 above. This is not optional for the next deployment.

Add alerting at 50% and 80% of daily budget

Configure alerts that fire before the hard cap is reached. A 50% alert gives you time to investigate manually. An 80% alert is your final warning before the hard stop.

Related Resources

Budget Limits Feature Infinite Loop Detection Prevent Agent Infinite Loops

Frequently Asked Questions

What is an AI agent runaway cost?

When an agent enters an infinite loop or recursive pattern with no stopping mechanism, each tool call incurs an API cost. At scale, this compounds to thousands of dollars before a human notices.

How do I set a hard daily limit on my AI agent?

Use SDK-level budget enforcement. SupraWall's budget config: protect(agent, budget={'daily_limit_usd': 10}). This blocks all tool calls once the agent has accumulated $10 in API costs for the day.

What is a circuit breaker for AI agents?

A circuit breaker detects repetitive tool call patterns — the same tool called with identical arguments multiple times in a short window — and halts the agent before costs escalate. It's the agent equivalent of a thermal shutoff.

Will API provider rate limits protect me?

Only partially. Rate limits apply at the account or organization level — they don't distinguish between your production agent and a rogue loop. They also limit all traffic, not just the looping agent. When one rogue agent hits the org-level limit, all other production agents are blocked too.

How do I know if my agent is currently in a loop?

Monitor your audit logs for repeated identical tool calls with the same parameters within a short time window. SupraWall flags these automatically and can halt the agent or notify your team before costs compound.

Set Budget Limits Before Your Next Deployment.

See Budget Limits Start Free

AI Agent RunawayCosts.