The Infinite Loop
Deploying agents without hard limits on iterations, token spend, or wall-clock time. The agent spins indefinitely when it encounters ambiguous situations, soft failures, or adversarial inputs — racking up cost and producing nothing useful.
OWASP lists unbounded consumption as a top-10 LLM security risk.
Why It Happens
- Hard limits feel like they constrain the agent's ability to solve complex tasks
- Teams worry about cutting off a productive run
- During development, infinite loops are rare, so the problem seems theoretical
- Nobody wants to explain to a user why the agent "gave up"
What Goes Wrong
- Cost explosion — adversarial inputs can trigger recursive loops costing thousands of dollars in minutes
- Repetition — agents giving the same answer 50+ times in a loop, ignoring stop signals
- Silent failure — the agent appears busy but is making no progress
- Resource exhaustion — compute, memory, and API rate limits consumed by a single runaway task
What to Do Instead
- Max iterations — hard limit on LLM calls per run (e.g., 25 turns)
- Token budget — cap total token spend per execution
- Wall-clock timeout — kill execution after N minutes regardless of state
- Loop detection — flag the same tool being called N times with the same arguments
- Graceful degradation — when a limit is hit, summarize progress and surface what remains instead of just crashing
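An added example (not from the original page) of one guard that enforces the limits listed above inside a single agent loop. `RunGuard`, `run_agent`, `model_turn` and `run_tool` are hypothetical names, and the default values are illustrative assumptions.

```python
import json
import time
from collections import Counter

class LimitExceeded(Exception):
    """A hard limit tripped; the message names which one."""

class RunGuard:
    # Default values are illustrative assumptions, not recommendations.
    def __init__(self, max_iterations=25, token_budget=50_000,
                 timeout_s=300.0, max_repeats=3, clock=time.monotonic):
        self.max_iterations, self.token_budget = max_iterations, token_budget
        self.max_repeats, self.clock = max_repeats, clock
        self.deadline = clock() + timeout_s
        self.iterations = self.tokens = 0
        self.calls = Counter()

    def check(self, tool, args, tokens_used):
        """Account for one model turn; raise before its tool call is executed."""
        self.iterations += 1
        self.tokens += tokens_used
        # Canonical JSON, so reordered argument keys cannot hide a repeat.
        key = json.dumps([tool, args], sort_keys=True, default=str)
        self.calls[key] += 1
        if self.iterations > self.max_iterations:
            raise LimitExceeded("max_iterations")
        if self.tokens > self.token_budget:
            raise LimitExceeded("token_budget")
        if self.clock() > self.deadline:
            raise LimitExceeded("timeout")
        if self.calls[key] >= self.max_repeats:
            raise LimitExceeded("loop_detected")

def run_agent(model_turn, run_tool, guard):
    """model_turn(history) -> (tool, args, tokens); tool None means args is the answer."""
    history = []
    try:
        while True:
            tool, args, tokens = model_turn(history)
            guard.check(tool, args, tokens)
            if tool is None:
                return {"status": "done", "answer": args, "steps": history}
            history.append((tool, args, run_tool(tool, args)))
    except LimitExceeded as exc:
        # Graceful degradation: say which limit tripped and what was completed.
        return {"status": "stopped", "reason": str(exc), "steps": history,
                "iterations": guard.iterations, "tokens": guard.tokens}
```

The timeout here is checked between turns, so it cannot interrupt a model or tool call that is itself hanging; per-call timeouts on the client are still needed for that.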
Signs You Have This
- No max_iterations or timeout in your agent loop
- You've seen unexpectedly large API bills
- Agents occasionally seem to "hang" on certain inputs
- You can't answer "what's the worst-case cost of a single agent run?"