The most consequential agentic AI incident reports of the last six months were not about data loss or jailbreaks. They were about money. A retailer that woke up to a twelve million dollar inference bill because a customer service agent looped on a single ticket for forty hours. A SaaS provider whose research assistant fanned out into a tree of sub-agents that consumed the next quarter's model budget in a weekend. A consultancy that traced a sudden spike to an attacker who had figured out that asking the right adversarial question caused the agent to retry, expand, and pay tokens on his behalf. These are not edge cases anymore. They are the dominant cost story in agentic AI, and they are pulling security, finance, and platform teams into the same room for the first time.
The Shape Of A Modern Budget Explosion
A budget explosion in an agentic system rarely looks like a single bad query. It looks like a chain of choices that each individually felt reasonable. The agent encounters an ambiguous task, decides to gather more context, calls a retrieval tool, gets back a partial result, decides to call another tool, recurses into a sub-agent, that sub-agent does the same. By the time anyone looks, the trace has thousands of nodes and each node billed for tokens.
Three patterns recur. The first is the silent retry loop. A tool returns an error or empty response. The agent's reasoning concludes that the right response is to try again with a refined query. Without a hard cap, this can run until something else stops it — usually a quota at the model provider, often hours later. The second is the fan-out without join. An agent decomposes a task into ten sub-tasks, each of which decomposes into ten more. There is no global budget. Each level looks reasonable in isolation. The third is the context bloat spiral. The agent appends previous tool outputs to its context to maintain reasoning. After enough turns, every call is paying for a 200,000-token prompt to do a 500-token job.
What turned all of this from a finance nuisance into a security concern is the discovery that attackers can deliberately trigger any of these patterns. A crafted input that makes the agent uncertain enough to keep gathering context, or a poisoned document that the agent feels obligated to reread on every turn, or a prompt that nudges the agent toward fan-out where it would otherwise have answered directly — each one is now a documented attack pattern with a name.
Why This Is A Security Problem
Cost-targeted attacks on agents share a property that should sound familiar: the attacker spends a small amount and forces the defender to spend a large one. That is the structure of denial-of-wallet, and it has the same dynamics that made application-layer DDoS such a long-running operational problem. The marginal cost to the attacker of a query is essentially the cost of one model call. The marginal cost to the defender, if the agent fans out, can be thousands of times higher. Until the asymmetry is corrected by controls, the economics favor the attacker.
The other reason this is a security problem is the blast radius of unchecked spend. Many enterprise agent deployments share a model provider account across multiple products. A runaway in one product consumes budget for all of them. Several disclosed incidents in 2026 included not just a direct cost line but a service degradation line — other products throttled or paused while the runaway team's bill was investigated.
What 2026 Programs Are Putting In Place
The programs that have absorbed these incidents and come out the other side share a small number of controls.
Per-task budget envelopes. Every agent invocation gets a budget at start, expressed in tokens, dollars, or wall-clock time. The agent runtime tracks cumulative spend across the agent and any sub-agents it spawns. When the envelope is exhausted, the agent halts and surfaces a partial result rather than continuing. This is the single most effective control. It is also the one most often skipped because it requires runtime work and a clear policy for what to return when the envelope is hit.
Loop and recursion caps. Independent of cost, the runtime enforces hard limits on the depth and width of tool-call trees. A sub-agent cannot spawn a sub-sub-agent past a configured depth. A retry loop cannot exceed a configured count. These limits are frequently violated by agent designers in development because they make some legitimate workflows fail; the violation is what calibrates the limit, not what removes it.
Anomaly detection on spend velocity. Token consumption per agent, per tenant, and per workflow is metered in near real time. A spike that exceeds a moving baseline triggers a human notification and, in stricter environments, an automatic pause. Teams that have implemented this report catching most runaways within minutes rather than hours.
Cost attribution to the request. Every model call carries metadata identifying the originating user, tenant, and workflow. When a bill arrives, it can be decomposed back to the request that caused the spend. This sounds like an accounting feature, but it is what allows security teams to spot single-tenant attacks against shared infrastructure.
The Failure Mode We Still See
The failure mode that keeps appearing in incident reviews is budget controls applied at the wrong layer. A team puts a per-API-key spending limit at the model provider, and considers themselves protected. They are not. By the time the provider's quota fires, the agent has already spent the budget and either crashed mid-task or, worse, completed in a degraded state that masked the runaway. Effective controls have to live in the agent runtime, where the loop, fan-out, and context decisions are made. Provider-side limits are a backstop, not a primary control.
A related failure is opaque sub-agent spend. A primary agent invokes a sub-agent provided by a different team or vendor. The sub-agent runs against a different model, on different infrastructure, and bills to a different account. The primary agent has no visibility into what the sub-agent costs. Cost-aware orchestration requires that sub-agent invocations carry their spend back to the calling agent's envelope, which in turn requires standards for cost reporting between agent components — standards that are emerging but are not yet universal.
The Direction Of Travel
The mature shape of agentic AI in enterprise has cost as a first-class concern in the same way memory or latency is for traditional software. Token budgets are part of API contracts. Runtime traces include a cost dimension alongside latency and accuracy. Security review for new agent deployments includes a denial-of-wallet threat model. The teams that figured this out the hard way after a spectacular Q1 bill are now the ones writing internal standards. Teams still on the learning curve are the ones whose CFOs are asking pointed questions about why a chatbot needed eight thousand dollars to summarize a contract.
How Safeguard Helps
Safeguard models agent runtime spend the same way it models other security signals — as a continuously monitored, policy-governed property of every deployed agent. Token consumption, tool call counts, recursion depth, and per-tenant spend are surfaced in the platform alongside vulnerability and policy data, so a runaway loop registers as an incident the moment it deviates from baseline rather than the next billing cycle. Policy gates let you require explicit budget envelopes and recursion caps before an agent can ship to production. Anomaly detection on the token and tool-call streams catches denial-of-wallet attempts in real time and routes them through the same triage that handles other security findings. And because Safeguard correlates spend with the originating user, workflow, and upstream agent component, when an attacker probes your agent for cost amplification you see who, what, and where — fast enough to act before the bill arrives.