What changes in an agent loop
In a chatbot, unbounded consumption surfaces as cost spikes from runaway token usage: visible, containable, and almost never destructive beyond budget. In an agent, autonomy amplifies the failure mode by orders of magnitude. A single prompt injection or planning bug can cause the agent to loop tool calls, fan out sub-tasks to peer agents, or spawn sub-agents that each fan out further; the runtime sees a tree of individually authorised requests, not a recognisable denial-of-service pattern. In multi-agent networks one runaway agent can exhaust shared resources (rate-limited external APIs, model-endpoint concurrency slots, database transaction queues) and starve the whole fleet. The attack does not require breaking authorisation; it only requires keeping the agent busy doing expensive legitimate work. Containment requires explicit per-agent rate limits, step-count and cost ceilings, and circuit-breaker logic that terminates a session whose resource signature deviates from its defined task envelope.
For the full definition, prevention checklist, and detection guidance, read OWASP's Unbounded Consumption page. This page only adds the agentic angle and the bridge into Helmwart.
Mitigations
A blockchain transaction, once committed, cannot be undone. An agent that signs and broadcasts a transaction with no enforcement layer in front of the signing step can exceed its authorised value, call a contract it was never provisioned to reach, or drain a wallet in a runaway loop, and by then the funds are gone. A transaction guard intercepts each proposed transaction before signing, checks it against value bounds, a contract allowlist, a gas or compute-unit limit, and a replay-protection nonce, and refuses to sign anything that falls outside declared policy.
An agent that encounters a quota trip, a dependency failure, or a timeout faces a choice: continue at reduced quality, or refuse. Getting that choice wrong is the core operational failure. Graceful degradation requires the answer to be declared before the incident, not improvised during it: write-authority paths fail closed and return a refusal; read-only paths fail open and disclose the degraded state explicitly.
Agentic systems can act faster than a human can intervene through normal channels. A kill switch is the operational guarantee that a named human role can stop agent activity at any scope (single instance, class, or global) through a documented runbook, without requiring a code change or redeployment, and with every invocation written to an audit trail.
An AI agent can review and rewrite its own answer to improve it. If that review runs too long it ties up resources and stops the agent responding in time, and an attacker can deliberately trigger those endless cycles to stall the system. A reflection-loop depth limit prevents that: it sets how many review rounds an agent may run before it has to stop.
An agent operates without direct human oversight, autonomously scheduling tool calls, external API requests, and reflection loops. Without a budget, a single triggering event can fan out into hundreds of downstream calls. Per-agent rate limits and quotas assign each agent identity its own ceiling on call rate, token consumption, and cost spend, so a misbehaving or compromised agent cannot exhaust shared resources and its overconsumption becomes a visible, actionable signal.
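As an added example (not Helmwart's code), the Python budget meter below enforces the step-count, token, cost, fan-out and reflection-depth ceilings described in the opening section, the reflection-loop limit and the per-agent quota above as one latching circuit breaker: each proposed request is charged before it executes, so an over-ceiling call is refused rather than billed after the fact, and once the breaker opens every later request from that agent identity is refused until a human resets it. The agent identities, event kinds and figures are constructed for illustration.

```python
from dataclasses import dataclass

class BudgetExceeded(Exception): pass  # request would leave the declared envelope

@dataclass(frozen=True)
class Envelope:
    max_steps: int              # tool/model calls per session
    max_tokens: int             # tokens across all model calls
    max_cost_usd: float         # total spend
    max_children: int           # sub-agents this agent may spawn
    max_reflection_rounds: int  # self-review passes before a forced stop

class AgentBudget:
    def __init__(self, agent_id: str, envelope: Envelope):
        self.agent_id, self.env = agent_id, envelope
        self.steps = self.tokens = self.cost_usd = self.children = self.reflections = 0
        self.tripped = None  # reason the breaker opened, once it has

    def authorise(self, kind: str, tokens: int = 0, cost_usd: float = 0.0):
        if self.tripped:  # breaker latched open: refuse until a human resets it
            raise BudgetExceeded(f"{self.agent_id}: breaker open ({self.tripped})")
        self.steps += 1
        self.tokens += tokens
        self.cost_usd += cost_usd
        self.children += int(kind == "spawn")
        self.reflections += int(kind == "reflect")
        for used, ceiling, label in (
            (self.steps, self.env.max_steps, "step"),
            (self.tokens, self.env.max_tokens, "token"),
            (self.cost_usd, self.env.max_cost_usd, "cost"),
            (self.children, self.env.max_children, "fan-out"),
            (self.reflections, self.env.max_reflection_rounds, "reflection-depth"),
        ):
            if used > ceiling:
                self.tripped = f"{label} ceiling {ceiling} exceeded"
                raise BudgetExceeded(f"{self.agent_id}: {self.tripped}")

def replay(agent_id: str, envelope: Envelope, events):
    """Feed (kind, tokens, cost_usd) events; return (admitted, refused, trip_reason)."""
    budget = AgentBudget(agent_id, envelope)
    admitted = refused = 0
    for kind, tokens, cost in events:
        try:
            budget.authorise(kind, tokens, cost)
            admitted += 1
        except BudgetExceeded:
            refused += 1  # every later event is refused too: the breaker latched
    return admitted, refused, budget.tripped

# Constructed sample: a self-review loop that never converges (bug or injection).
RUNAWAY = [("tool", 200, 0.01), ("model", 800, 0.05)] + [("reflect", 600, 0.04)] * 4
```

The trip reason is the signal to emit to monitoring: a breaker that opens on fan-out or reflection depth while steps and cost are still low is the resource signature of a loop, not of an expensive but legitimate task.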
Each tool in an agent's catalog should expose only the methods, resources, and parameter ranges its designated role requires. Over-broad tool surfaces let individually authorised primitives compose into actions no human intended to grant; narrowing the scope at design time reduces both the attack surface and the blast radius of any compromise.