It started as a routine automated task. An AI agent querying a database, processing results, and returning a structured output. Straightforward enough — the kind of workflow that gets built in an afternoon and trusted to run quietly in the background.
What actually happened: a mismatched variable meant the database query returned nothing useful. The agent, finding no valid result, tried again. And again. For three hours, the loop ran undetected — each iteration calling the API, consuming tokens, logging nothing that would trigger an obvious alert. By the time the API usage logs were checked by chance, the damage was done. Had nobody looked, it would have continued running indefinitely.
This isn’t a hypothetical. It’s a failure mode that anyone building with AI agents should understand before it happens to them.
How Runaway Loops Happen
AI agent architectures are typically built around a feedback loop: the agent takes an action, evaluates the result, and decides what to do next. When that cycle works correctly, it’s powerful. When it doesn’t, the same mechanism that makes agents useful becomes the mechanism that makes them expensive to break.
The trigger is almost always mundane. A variable name that doesn’t match the database schema. A null return value that the code doesn’t handle gracefully. An API response in an unexpected format that the parsing logic silently misreads. A retry condition that’s too broad — catching legitimate failures along with the error state that should terminate the loop.
In each case, the agent reaches a decision point, concludes that the task isn’t complete, and tries again. If the underlying condition causing the failure isn’t corrected between iterations — and in a bug scenario, it won’t be — the loop continues until something external interrupts it.
That external interruption rarely comes automatically. It requires someone to notice.
What It Costs
The financial exposure depends on the model, the token count per call, and how long the loop runs. For lightweight queries this might be tens of dollars. For agents processing large contexts, calling expensive models, or spawning sub-agents with each iteration, the cost can reach hundreds or thousands of dollars in a matter of hours.
Beyond the direct API cost, there are secondary consequences that are harder to price.
Data integrity. An agent looping on a write operation — attempting to insert, update, or process records — may corrupt data, create duplicate entries, or leave records in inconsistent states. Depending on the system, this can be harder to recover from than the token bill.
Rate limit breaches. Sustained high-volume API calls can trigger rate limiting from your provider, disrupting other services that depend on the same API keys. In a production environment, this can cascade into outages that have nothing to do with the original bug.
Obscured logs. Thousands of near-identical API calls in the logs make it significantly harder to diagnose what actually happened, and can mask other issues that occurred during the same window.
Why It Goes Undetected
The insidious quality of runaway loops is that they often look like normal operation from the outside. API calls are being made. The system is responsive. No error is being thrown — or if one is, it’s being silently caught and the loop continues anyway.
Standard application monitoring doesn’t flag this. Unless you’re specifically watching for unusual API call volume, unusual spend rate, or unusual loop iteration counts, the problem is invisible until you happen to check the right log at the right time.
Most developers building AI agent workflows set up error logging. Fewer set up cost monitoring with automatic alerts. Almost nobody sets up loop iteration limits as a hard constraint — because when you’re building the happy path, infinite loops seem like an edge case rather than a realistic failure mode.
They’re not an edge case. They’re a predictable consequence of building systems that retry on failure without bounding that retry behavior.
The Safeguards That Actually Help
Hard iteration limits. Every agent loop should have a maximum iteration count that cannot be overridden by the agent’s own logic. If a task hasn’t completed in ten iterations, or twenty, or whatever threshold makes sense for the workflow — the loop terminates and an alert fires. This single constraint would have caught the three-hour loop described above within minutes.
Spend alerts on API keys. Most major API providers allow you to set spending alerts at defined thresholds. A $10 alert might feel excessive for a workflow that normally costs pennies per run — until it catches a runaway loop before it hits $200.
Timeout constraints. Agent tasks should have a maximum allowed runtime. A task that should complete in thirty seconds has no business running for thirty minutes. If it does, something is wrong and a human should decide what happens next.
Explicit error handling for empty or unexpected results. The failure mode in the database scenario above — a mismatched variable returning no results — should have been caught at the result-validation step. If the agent expects a non-empty result and receives an empty one, that should terminate the task with a logged error, not trigger a retry.
Separation of read and write operations in loops. If an agent must loop, consider structuring it so that write operations require explicit confirmation that the previous read returned valid data. A loop that only reads and fails gracefully is recoverable. A loop that writes on each iteration is not.
The Broader Point
This failure mode is a specific instance of the broader guardrails problem discussed in this publication before. Autonomous agents are powerful precisely because they act without constant human supervision. That same property means their failure modes also operate without constant human supervision.
The developers and organizations getting the most value from AI agents are those who treat the failure cases as design requirements, not afterthoughts. What happens when the data is wrong? What happens when the API returns an unexpected response? What happens when the task can’t complete? These questions should have explicit answers built into the system before it runs in production — not discovered at 2am when the API bill arrives.
A three-hour loop is a recoverable incident. The same architecture running unmonitored for three days is not.
Subscribe below for further writing on OSA — what the evidence shows and where the open questions remain.
Follow the Thinking
Subscribe for occasional writing on the OSA category — what the claims are, what the evidence shows, and what the open questions are.
Subscribe