How to stop a runaway AI agent

A runaway agent isn't hypothetical: a retry loop that multiplies spend, a tool call that deletes the wrong records, an automation that floods a provider. The damage happens in minutes — long before a dashboard alert or an invoice tells you. The only reliable place to stop it is before the action runs.

Why detection isn't enough

Observability tells you a runaway happened. Alerts fire after the spend, after the deletion. By the time a human sees the graph, the refund went out and the records are gone. Stopping a runaway agent is a pre-execution problem: the action has to be blocked at the boundary, not flagged after.

A fail-closed boundary in front of every action

Keel sits in the request path and evaluates a permit before each AI action. If the action violates your policy or budget — too expensive, out of scope, beyond a rate limit, touching something it shouldn't — the permit denies it, and the action never reaches the provider. Fail-closed means: if the check can't pass, the action doesn't run.

• Hard budget caps — spend is blocked before tokens burn, not reported after
• Scope limits — an agent can't take actions outside what it's permitted to do
• Rate and loop limits — a retry storm hits the boundary, not your bill or your data
• Bounded blast radius — one bad loop can't refund $200k or wipe a table, because the boundary stops it at the first disallowed action

And because Keel gates the action, not the token stream, the check sits where a sub-second decision is acceptable — it doesn't add latency to every inference.

You also get the record for free

Every allow and every deny is recorded as tamper-evident, independently verifiable evidence. So after you stop a runaway, you can also prove what was attempted, what was blocked, and under which rule — without trusting Keel.

Frequently asked questions