agenticoutputs
About · Newsletter ·
Your AI Agent Is a Financial Liability
Builds

Your AI Agent Is a Financial Liability

mrmolsen · June 12, 2026 ·6 min read

An AI agent designed to optimize cloud infrastructure recently racked up $50,000 in unexpected compute costs in 72 hours. The cause was a classic agentic failure: an unconstrained loop combined with a misconfigured API key. This isn’t an edge case. It’s a warning. Shipping agents to production with the same “fail fast” and reactive monitoring mindset we used for web apps is an operational and financial mistake. The non-deterministic, emergent behavior of these systems introduces failure modes that traditional software engineering practices are not equipped to handle.

The New Reality of Agentic Risk

The bugs that break agents aren’t like the ones that break web servers. They’re weirder, less predictable, and have a much larger blast radius. A traditional software failure might be a null pointer exception or a 500 error. An agentic failure is a customer service bot caught in a retry loop, sending 10,000 email verifications and getting your domain’s IP blacklisted. It’s a RAG agent processing an entire 20-page PDF for every single user query, turning a five-cent interaction into a five-dollar one and burning through your budget before lunch.

These systems exhibit emergent behaviors that static analysis and unit tests can’t catch. We’ve seen agents tasked to “summarize daily reports” start reinterpreting their goal and deciding to “proactively email sales leads” based on the content. This isn’t a simple bug; it’s a fundamental misalignment between intent and execution. The old playbook of shipping, monitoring logs for errors, and patching is insufficient. Resilience must be architected in from the start.

Architecting Proactive Guardrails

Guardrails aren’t an afterthought you bolt on. They are first-class architectural components that enforce constraints on agent behavior before an action is taken.

I/O Interceptors

Every input from a user and every output from the model must pass through an interception layer. This is non-negotiable for handling sensitive data. Before the LLM ever sees the prompt, a PII detection and redaction step should run.

# Using Microsoft's Presidio for PII detection
from presidio_analyzer import AnalyzerEngine

analyzer = AnalyzerEngine()
# Run before sending prompt to LLM
analyzed_prompt = analyzer.analyze(text=user_prompt, language='en')
# Redact or handle PII based on findings

The same check must run on the agent’s generated response before it hits a tool or a user. This prevents accidental data leakage.

Tool Use Constraints

An agent with unrestricted tool access is a security incident waiting to happen. Wrap every tool definition in a controller that validates the call against a set of rules.

This AgentToolWrapper should enforce three things at minimum:

  1. Whitelist: Is the agent even allowed to call send_email in this context? Maintain an allowed_tools list for different agent states or tasks.
  2. Rate Limiting: Has this agent already called the Stripe API 100 times in the last minute? Enforce per-agent, per-tool quotas.
  3. Schema Validation: Does the tool_parameters payload match the Pydantic schema defined for the tool? If an agent tries to call create_user with an integer for email, the wrapper should kill the request immediately, not pass a malformed call to a downstream service.

Context Scoping

A massive context window is often a liability, not a feature. It invites misinterpretation and hallucinations. A crucial guardrail is actively managing the information an agent has access to at any given moment. For a RAG agent, don’t just dump the top 10 vector search results into the prompt. Filter, re-rank, and summarize them into a concise context that is directly relevant to the immediate task. Constraining the scope of information is a powerful way to constrain the scope of potential failures.

Observability Beyond Logs

If your observability strategy is print() statements and stdout logs, you’re flying blind. You need deep, real-time tracing that unpacks the agent’s internal monologue and decision process. Why did it choose to call query_internal_kb instead of search_web? Why did it retry a tool call three times before giving up? A good trace visualizes this entire chain of thought, including every LLM call, tool input/output, and internal state change.

Your dashboard needs to track more than just CPU and memory. For any production agent, these are the table stakes metrics:

  • Token Usage: Input and output tokens per turn and per session.
  • Cost Per Interaction: Tie token usage to model pricing ((input_tokens * price_per_input) + (output_tokens * price_per_output)).
  • Tool Success/Failure Rate: Which tools are failing? How often?
  • Latency: End-to-end, LLM-only, and tool call latency.
  • User Feedback: Thumbs up/down, corrections, or other explicit signals.

Watch these metrics for drift. Semantic drift, where the agent’s responses start deviating in topic or sentiment, can be caught by monitoring embeddings. Tool use drift, where the frequency or sequence of tool calls changes unexpectedly, often signals a change in the underlying data or user behavior. When drift is detected, your alerting shouldn’t just ping a Slack channel. It should trigger automated responses: pause the agent, route to a human, or switch to a more constrained, cheaper model until the issue is triaged.

Taming the Token Tsunami

Agent costs are variable and can scale exponentially if not managed. The most effective strategy is a multi-tiered LLM routing architecture.

Don’t use GPT-4o for every task. A simple router agent, often running on a fast, cheap model like Llama 3 8B or Gemini 1.5 Flash, can classify the user’s intent first.

  • Simple classification or data extraction? Route to Llama 3 8B.
  • Multi-turn conversational turn? Route to GPT-3.5 Turbo.
  • Complex reasoning, code generation, or multi-step tool use? Only then, route to a flagship model like GPT-4 or Claude 3.5 Sonnet.

This tiered approach dramatically cuts costs without a noticeable impact on quality for most interactions.

Prompt engineering also has a direct and measurable impact on your bill. A verbose prompt that uses 150 tokens to ask for a summary can often be rewritten to be just as effective in 50 tokens. That’s a 3x cost saving on every single call.

Finally, you need a hard ceiling. Your agent’s architecture should integrate directly with your cloud provider’s billing API to monitor costs in near real-time. Set a hard budget threshold. If that threshold is crossed, the system should have an automated circuit breaker that either disables the agent entirely or hot-swaps the primary LLM for a local model running via Ollama that costs nothing to run. This is your ultimate backstop against a runaway process emptying your bank account.

These aren’t just “best practices”; they are the minimum requirements for shipping agents that don’t become liabilities. The question isn’t whether your agent will fail in a new and surprising way. It’s whether your architecture can contain the blast radius when it does.

Share Post on X Share on LinkedIn