Slide 24 of 27 · Part 4 · Prevention · Mitigation Category 6 of 6
Agents need step limits and timeouts. Without them, one prompt runs forever.
📄 OWASP LLM Top 10:2025 · LLM10 Prevention — Agentic Safeguards
M6 — Agentic Safeguards
Enforce maximum step counts, execution timeouts, and graceful termination in agentic pipelines

"For agentic systems, implement maximum step counts and execution time limits to prevent runaway inference loops." "Agents must have a defined termination condition independent of the LLM’s own decision to stop."

The agentic loop attack (Slide 12 and Scenario 3, Slide 16) ran for 22 minutes and 847 LLM calls before the network layer timed it out. There was no application-level step counter, no task-level token budget, and no graceful termination when the agent appeared to be looping. The Nasr et al. research also shows that sustained generation without a stop condition causes models to diverge from aligned behavior, compounding both the cost and the output risk.

→ Set a hard maximum step count per task (e.g., 20 tool calls). Terminate and return a partial result if hit.
→ Set a wall-clock timeout per task (e.g., 60 seconds). Kill the task if exceeded.
→ Track cumulative tokens across all steps in a single task. If a task exceeds its token budget, stop it.
→ Detect loop signatures: if the agent’s last 3 tool calls are identical, terminate.
→ Log every agent step — step count, tokens used, tool called, result — for post-incident analysis.
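The five controls above, combined in one task runner. This is an added example written for this page, not code from the slide deck or from OWASP; the `Budget`/`TaskResult` types, the policy and tool interfaces, the fake tool and the two scripted "models" are assumptions constructed for the demo, and a real agent framework would plug its model call in as the policy. Every termination condition is checked by the harness, independent of whether the model ever returns a stop.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Hypothetical harness types (assumption): an Action is (tool name, tool args, tokens this
# step consumed); a Policy wraps the model call, sees the tool results so far, and returns
# the next Action or None when the model decides it is done.
Action = tuple[str, dict, int]
Policy = Callable[[list[Any]], Optional[Action]]


@dataclass
class Budget:
    """Per-task limits from the slide: step count, wall clock, token budget, loop window."""
    max_steps: int = 20
    max_seconds: float = 60.0
    max_tokens: int = 50_000
    loop_window: int = 3      # this many identical consecutive tool calls is a loop signature


@dataclass
class TaskResult:
    status: str = "completed"  # or "max_steps" | "timeout" | "token_budget" | "loop_detected"
    steps: int = 0
    tokens: int = 0
    results: list = field(default_factory=list)  # partial results handed back on termination
    log: list = field(default_factory=list)      # one record per step for post-incident analysis


def run_agent(policy: Policy, tools: dict[str, Callable[..., Any]], budget: Budget,
              clock: Callable[[], float] = time.monotonic) -> TaskResult:
    """Drive an agent loop whose termination does not depend on the model choosing to stop."""
    started = clock()
    res = TaskResult()
    recent: deque = deque(maxlen=budget.loop_window)

    while True:
        now = clock()
        # Step and wall-clock limits are checked before the model is asked for another step.
        if res.steps >= budget.max_steps:
            res.status = "max_steps"
            break
        if now - started >= budget.max_seconds:
            res.status = "timeout"
            break

        action = policy(res.results)
        if action is None:
            break  # model-chosen stop: task completed normally

        name, args, tokens = action
        res.steps += 1
        res.tokens += tokens
        record = {"step": res.steps, "tool": name, "args": args, "tokens": tokens,
                  "elapsed_s": round(now - started, 3), "result": None}
        res.log.append(record)

        if res.tokens > budget.max_tokens:      # cumulative across the whole task
            res.status = "token_budget"
            break

        # Loop signature: the last N requested calls are identical in tool and arguments.
        recent.append((name, repr(sorted(args.items()))))
        if len(recent) == budget.loop_window and len(set(recent)) == 1:
            res.status = "loop_detected"
            break

        record["result"] = (tools[name](**args) if name in tools
                            else f"error: unknown tool {name!r}")
        res.results.append(record["result"])

    return res


# --- Constructed demo: a fake tool and two scripted "models", not a real LLM ---
TOOLS = {"search": lambda query: f"3 hits for {query!r}"}


def looping_policy(_results: list) -> Action:
    """Always re-issues the same search: the runaway behaviour the slide describes."""
    return ("search", {"query": "most authoritative source on X"}, 500)


def wandering_policy(results: list) -> Action:
    """Never repeats itself and never stops on its own; only a hard limit ends it."""
    return ("search", {"query": f"source on X, attempt {len(results)}"}, 500)


class FakeClock:
    """Deterministic stand-in for time.monotonic: advances a fixed amount per read."""
    def __init__(self, step_s: float) -> None:
        self.t, self.step_s = 0.0, step_s

    def __call__(self) -> float:
        now = self.t
        self.t += self.step_s
        return now


def demo() -> dict[str, str]:
    """Run each scripted model under a budget and report how the harness stopped it."""
    budget = Budget(max_steps=20, max_seconds=60.0, max_tokens=50_000, loop_window=3)
    return {
        "looping": run_agent(looping_policy, TOOLS, budget).status,
        "wandering": run_agent(wandering_policy, TOOLS, budget).status,
        "slow": run_agent(wandering_policy, TOOLS, budget, clock=FakeClock(25.0)).status,
        "token_budget": run_agent(wandering_policy, TOOLS, Budget(max_tokens=1_200)).status,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>12}: terminated with status={status}")
```

The looping model is cut off at its third identical call, the wandering one at the 20-step ceiling, the slow one on the clock, and the last on cumulative tokens; in every case the caller still gets the partial `results` and a per-step `log` rather than an open-ended run. The checks deliberately sit in the harness and not in the prompt, so the model cannot talk its way past them.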

Ask your agent a question specifically designed to make it uncertain and keep searching: "Find the most authoritative source on X, verify it is correct, and if you're not 100% sure, search again." Count how many steps it takes. If it exceeds 15, your step limit is either absent or set too high.
