In March 2025, a developer shared a post-mortem of an AI coding agent that racked up $1,200 in API costs in 40 minutes. The agent had been given access to a search tool, a code-execution tool, and a file-write tool with no step limit. It entered a loop: search for documentation, write code, run the code, encounter an error, search again. Each iteration cost money. Nobody was watching.
This is the runaway-agent problem, and it is a natural consequence of giving language models open-ended tool access. The model does not have a concept of "enough." It will keep trying until it succeeds, or until it hits a context window limit, or until someone kills the process.
The cost is not just money
Runaway loops create three problems:
- Cost: each tool call (especially those that invoke external APIs or database queries) has a marginal cost. Without a cap, a confused agent can burn through budget fast.
- Latency: the user waits while the agent loops. After 30 seconds of silence, most users assume the system is broken.
- Unpredictability: the more steps an agent takes, the harder it is to reason about what happened. A 3-step trace is auditable. A 47-step trace is a debugging exercise.
Step budgets in ClariTrial
ClariTrial enforces step budgets at two levels:
Lead model: capped at 18 tool-call steps. This is high enough for complex multi-specialist queries (which typically use 4-8 steps) but low enough to prevent runaway loops. The budget is set via maxSteps on the streamText call and is not overridable by the model.
Specialist subagents: each of the four specialists (trial discovery, trial deep dive, evidence synthesis, trial comparison) has its own budget of 4-5 steps, enforced by SPECIALIST_MAX_STEPS. Specialists also have role-limited tool sets: a trial-comparison specialist cannot call PubMed, and an evidence-synthesis specialist cannot call the trial-comparison tool. This prevents specialists from wandering outside their assigned task.
The combined ceiling for a single user query is: 1 lead step to delegate + up to 3 parallel specialists x 5 steps each = 16 steps, plus the remaining lead steps for synthesis. In practice, most queries resolve in under 10 total steps.
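An added sketch (not ClariTrial's code and not the AI SDK's API) of the two controls described above: a step ceiling enforced by the harness rather than the model, and role-scoped tool sets. The role names, tool names and stub models are hypothetical; the budgets follow the figures in the text (18 for the lead, 4 and 5 for two specialists).

```javascript
// Hypothetical names throughout; budgets mirror the figures given in the text.
const BUDGETS = { lead: 18, trialComparison: 5, evidenceSynthesis: 4 };

// Role-scoped, read-only tool registry: a role can only reach tools listed here.
const TOOLS = {
  lead: { delegate: (q) => `delegated: ${q}` },
  trialComparison: { compareTrials: (q) => `comparison for ${q}` },
  evidenceSynthesis: { searchPubMed: (q) => `no results for ${q}` },
};

// Runs the loop for one role. `model` is any function that, given the question
// and the trace so far, returns { tool, input } to request a call or
// { answer } to finish.
function runAgent(role, model, question) {
  const maxSteps = BUDGETS[role];
  const allowed = TOOLS[role];
  const trace = [];
  for (let step = 1; step <= maxSteps; step++) {
    const next = model(question, trace);
    if (next.answer !== undefined) {
      return { status: "done", steps: trace.length, answer: next.answer, trace };
    }
    // Own-property lookup only, so names like "toString" never resolve to a
    // function. Refused requests still consume a step, so a model that keeps
    // asking for a forbidden tool cannot loop for free.
    const own = Object.prototype.hasOwnProperty.call(allowed, next.tool);
    const result = own
      ? allowed[next.tool](next.input)
      : `denied: ${next.tool} not available to ${role}`;
    trace.push({ step, tool: next.tool, denied: !own, result });
  }
  // The harness, not the model, decides when to stop.
  return { status: "budget_exhausted", steps: trace.length, answer: null, trace };
}

// Constructed stand-ins for a model. The first never stops searching (the
// runaway case); the second asks for a tool outside its role, then answers.
const runawayModel = (q) => ({ tool: "searchPubMed", input: q });
const wanderingModel = (q, trace) =>
  trace.length === 0 ? { tool: "searchPubMed", input: q } : { answer: "A vs. B" };

const runaway = runAgent("evidenceSynthesis", runawayModel, "constructed query");
const wandering = runAgent("trialComparison", wanderingModel, "constructed query");
console.log(runaway.status, runaway.steps);
console.log(wandering.status, wandering.trace[0].result);
```

The returned trace is what makes a capped run auditable: every step, including each denied call, is recorded with the tool that was requested.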
Intent modes: user-controlled autonomy
Step budgets set a ceiling, but ClariTrial also lets users control how much autonomy the agent exercises. Three intent modes are available:
- Facts & SQL: biases the agent toward deterministic queries (AACT presets, registry counts, tight data pulls). The agent is less likely to delegate to specialists and more likely to return structured data directly.
- Explore: allows broader synthesis, comparison, and interpretation across sources. The agent uses more of its step budget.
- Auto: the agent decides based on the question.
Each mode is explained with an inline tooltip so the user understands what they are choosing.
Read-only enforcement
Every tool in ClariTrial is read-only. The agent queries registries and databases but never writes to external systems, submits forms, or triggers actions. This is a structural recoverability guarantee: if the agent produces a wrong answer, there is nothing to undo except the text on screen.
This is a deliberate constraint. Many AI agent frameworks encourage tools that take actions (send emails, create tickets, update records). Each write operation creates a recoverability problem: if the agent was wrong, can you reverse what it did? In high-stakes domains, the answer is often "not easily" or "not without consequences."
By restricting tools to reads, ClariTrial eliminates an entire class of failure. The worst case is a wrong answer that the user can challenge, regenerate, or ignore. No data was corrupted, no form was submitted, no email was sent.
Applying this elsewhere
Step budgets and tool restrictions are portable to any multi-agent system:
- Set a ceiling that is generous enough for legitimate work and tight enough to cap worst-case cost and latency.
- Scope tools per role so subagents cannot drift into tasks they were not designed for.
- Default to read-only unless you have a specific, tested reason to allow writes, and if you do allow writes, add a confirmation step.
- Expose the autonomy control to users. Let them choose how much rope to give the agent. Informed users who chose "Explore" will forgive a longer wait; users who chose "Facts & SQL" expect a fast, tight answer.
The underlying principle: autonomy is something you grant in measured amounts, not something you hand over and hope for the best.