How to Prevent Runaway AI Costs

A runaway AI agent can spend $12,400 in 90 seconds — a retry loop on a paid API, an unknown-vendor purchase, or an unattended overnight session. The fix is not a bigger budget or better prompts. It is a pre-spend firewall that blocks the transaction before it fires. Here is the 5-step playbook.

The problem, concretely. 67% of 312 production agent teams reported at least one runaway incident in the last 90 days. Median cost: $340. Top decile: $5,000+. The worst incidents exceed $12,000. See the full benchmark.

Why budgets and alerts don't work

Every existing tool that touches AI spend — provider billing caps, LLM gateway budgets, observability dashboards — is reactive. They count tokens or dollars after a call completes, compare to a threshold, and then reject the next call or alert you. The call that crossed the threshold already cost you money. By the time the alert arrives, the damage is done.

A pre-spend firewall is proactive. It evaluates every transaction before it fires. The blocked transaction never happens. This is the difference between an airbag and a crash report.

The 5-step playbook

1 Set a velocity limit (the retry-loop killer)

The #1 cause of runaway spend is a retry loop: a tool fails, the agent retries, each retry is a paid call, 40 retries in 90 seconds. A velocity rule caps the number of transactions per window and blocks the Nth attempt — the loop dies before the wallet does.

{"rule_type": "velocity", "params": {"max_count": 10, "window_minutes": 60}, "action": "BLOCKED"}

This single rule would have prevented 44% of reported runaway incidents.

2 Set a per-transaction cap

Block any single spend over a hard ceiling. This catches the catastrophic one-off — the $6,200 GPU rental, the misformatted API call — that velocity rules might miss if the agent only tries once.

{"rule_type": "per_transaction", "params": {"max_amount": 500}, "action": "BLOCKED"}

3 Configure a merchant allowlist

Block spend at any vendor you haven't explicitly approved. This is your defense against prompt injection that routes spend to attacker-controlled merchants, and against agents that "discover" novel vendors during tool use.

{"rule_type": "merchant_allow", "params": {"allowed": ["openai.com", "anthropic.com", "aws.amazon.com"]}, "action": "BLOCKED"}

4 Add time windows

Flag or block agent spend outside business hours. Most runaway incidents happen during unattended overnight sessions — a time-window rule ensures a human is in the loop when it matters.

{"rule_type": "time_window", "params": {"allowed_hours": "9-18"}, "action": "FLAGGED"}

5 Route large spend to a human

Use an approval threshold so transactions above a value are FLAGGED rather than blocked or approved. A binary cap either blocks too much (breaking your agent's workflow) or allows too much. Flagging routes the ambiguous cases — a $500 compute buy at 3am from a known vendor — to a human.

{"rule_type": "approval_threshold", "params": {"threshold": 200}, "action": "FLAGGED"}

The result

With these five rules in place, your agent cannot:

Every decision is written to a tamper-evident audit log. You wake up to a clean log and at most one or two items to review — not a $12,400 Stripe bill.

Deploy it in 60 seconds

pip install sipi-bot
python -m spendfirewall.api  # self-host, serves on :8080

Or use the hosted endpoint with an API key. Or load the MCP server into Claude Code / Cursor / Hermes. The open-source core is MIT; the hosted version is $99/month.

Prevent runaway costs with sipi.bot →