The first feature every money-spending agent needs is a brake
An agent that can spend has to halt itself before the next call when cost crosses a line.
Apollo Space Research
Apollo Space
The first agent you let touch a budget will, sooner or later, get stuck in a corner you didn’t anticipate, decide the way out is one more API call, and then make that call a few thousand times in a row. It won’t feel reckless from the inside. Each step is locally reasonable: the last attempt almost worked, so try once more. The bill is the sum of a long sequence of small, sensible decisions that nobody was watching add up.
That’s the failure mode nobody demos. The demo shows the agent booking the flight. It doesn’t show the night it tried to book the flight four hundred times.
An agent that can spend has to halt itself before the next call when cost crosses a line.
This post is about why that one sentence is the real prerequisite for trusting an agent with money, and why we built the brake before we built almost anything that needed one.
The naive version: trust the loop to stop on its own
The obvious way to run a spending agent is to give it the goal, give it the tools, and trust the loop to know when it’s done. Plan, act, observe, repeat. When the task is finished, the loop exits. That’s the whole design, and on a good day it’s elegant.
It works right up until the task isn’t finishable.
A tool returns a slightly wrong result. The agent reads it, decides it’s close, and tries again with a small adjustment. The next result is also slightly wrong, so it adjusts again. Nothing here is a bug in the usual sense, no crash, no exception, no red trace. The agent is doing exactly what it was told: keep going until the goal is met. The problem is that the goal can’t be met, and “keep going” has no opinion about cost. Every retry is a real call to a real provider that charges real money, and the loop has no idea that the meter is running.
This is the part people miss when they reason about agents as if they were chatbots. A chatbot that loops just wastes its own time. An agent that loops while holding a credit card, a paid API key, or a cloud account is converting a logic error directly into a charge. The same retry that costs a chatbot nothing costs a spending agent a line item, and the line item compounds, quietly, in the dark, while the loop congratulates itself on its persistence.
You don’t notice in testing, because in testing the tasks succeed. You notice the first time a real task can’t.
Why “set a max-iterations cap” isn’t the answer
The instinct, once you’ve felt this, is to bolt on a counter. Let the agent take twenty steps, then kill it. Crude, but it stops the runaway, and twenty is surely enough for any reasonable task.
It isn’t, and the reason is worth sitting with.
A step count is a proxy for cost, and it’s a bad one. One step might be a single cheap classification. The next step might be a long generation against an expensive model, or a tool call that fans out into a dozen sub-calls, or a single request that processes a large document and bills accordingly. Twenty cheap steps and twenty expensive steps are the same number to the counter and wildly different numbers on the invoice. Set the cap low enough to be safe on the expensive path and you strangle every legitimate long task. Set it high enough to let real work finish and you’ve left the expensive runaway plenty of room to run.
A step count tells you how many times the agent acted. It tells you nothing about what those actions cost.
There’s a deeper problem hiding under the shallow one. A max-iterations cap stops the agent after the fact, it’s a body found at the bottom of the stairs, not a railing at the top. The damage is already on the bill by the time the counter trips. What you actually want is not a limit on how many times the agent moves, but a check that runs before each move and asks a different question: not “have we done this enough times?” but “can we afford to do this even once more?”
That question is the brake. And the brake measures money, not motion.
Our version: the brake runs before the call, and it measures money
The mechanism is plain, and its plainness is the point. Before the agent makes any call that costs something, a small gate runs first. It looks at how much this run has already spent, looks at the ceiling it was given, and asks whether the next call fits underneath. If it does, the call goes through. If it doesn’t, the call never happens. The agent stops itself, right there, before the spend, not after.
Three things have to be true for that gate to be worth anything, and each one is a place naive versions go wrong.
The first is that the meter has to be real. You can’t brake against a number you don’t have, so the agent has to know its running cost at every step, actual spend, accumulated as it goes, not an estimate it made up at the start. Every call that costs money reports what it cost, and the total lives somewhere the gate can read it. The number has to be true, because a brake calibrated against a fake meter stops at the wrong time or not at all.
The second is that the check happens before the call, never after. This is the whole difference between a brake and a post-mortem. A gate that runs after the call has already let the money out the door; all it can do is write down what it failed to prevent. The gate has to sit in front of the expensive thing, so that crossing the line means the next call simply doesn’t fire. Prevention, not accounting.
The third is that the limit is a real ceiling the run carries with it, not a suggestion in a prompt. “Try not to spend too much” is not a budget, it’s a hope, and the loop that’s three thousand retries deep is in no state to honor a hope. The cap is a hard number attached to the run itself, enforced by the gate, not by the agent’s good intentions. The agent can want to make the next call all it likes. If the next call crosses the line, it doesn’t get to.
Put those three together and the runaway from the opening becomes a non-event. The agent tries its hopeless retry. The gate adds up what the run has spent, sees it’s at the ceiling, and refuses the call. The loop that would have made four hundred attempts makes the ones the budget could afford and then stops, cleanly, on a number, with the reason written down, instead of stopping when someone notices the invoice.
The brake is also a contract, not just a circuit breaker
Here’s the part that turns a safety feature into something you can actually build a business on.
A budget that stops a runaway is useful. But the same gate that prevents the disaster also makes the agent predictable, and predictability is what lets a human hand over the keys in the first place. If every run carries a hard ceiling, then the worst case is knowable in advance. You’re not signing a blank check and hoping the loop behaves. You’re authorizing a bounded amount, and the system guarantees the bound, not by trusting the agent to be careful, but by refusing to let it exceed the number no matter how confident it gets.
That’s a different kind of trust than “the model is smart enough not to waste money.” Smart models still get stuck. Careful prompts still get ignored three thousand iterations into a loop. The thing you can actually rely on is the gate that runs every time and has no feelings about the task, it doesn’t get optimistic, it doesn’t think the next call will be the one that works, it just compares two numbers and decides.
You don’t make a spending agent safe by making it wiser. You make it safe by giving it a number it cannot cross.
And once the ceiling is real, it composes upward. A single run carries a cap. A batch of runs carries the sum of theirs. An overnight fleet of agents working in parallel carries a budget across all of them, because every one of them is braking against the same kind of gate, and a ceiling that holds for one holds for a thousand. The discipline that keeps a single agent from looping its way to a surprise invoice is the same discipline that lets a whole fleet run while you sleep. You don’t supervise the spend by watching it. You bound it before it starts and let the gate hold the line.
Why we built the brake first
The order matters, and it’s a little counterintuitive, so it’s worth saying plainly.
You might expect the spending capability to come first and the safety to come later, ship the agent that books the flight, then add the budget once it’s proven. We did it the other way around. The brake came before the spend, because an agent that can spend without a brake isn’t a smaller version of the safe one. It’s a different, more dangerous thing, and you can’t retrofit the discipline onto a system that was designed to assume it didn’t need it. The meter, the pre-call gate, the hard ceiling, those aren’t features you add to a spending agent. They’re the foundation a spending agent has to stand on before you let it near anything that charges.
Every spending tool we wire up inherits that foundation. A new capability doesn’t get to skip the gate because it’s new. It brakes against a cost ceiling the same way the first one did, because the rule isn’t “this particular tool is careful.” The rule is that nothing that costs money runs without a brake in front of it.
The turn: the brake is really about who gets to sleep
A budget enforcer sounds like a line item in a spec. It isn’t. It’s the reason a person can close the laptop.
What you’re really buying, when you put a hard ceiling in front of every spend, is the ability to walk away. To hand a real task with a real cost to a system and not lie awake wondering whether a stuck loop is quietly burning the month’s budget while the office is dark. The fear that keeps people from delegating to agents was never that the agent would be dumb. It’s that the agent would be expensively dumb, in a way nobody caught until the statement arrived. An agent that can spend has to halt itself before the next call when cost crosses a line, and the reason that one sentence is worth a whole post is that it’s the difference between handing over a task and handing over your peace of mind. The brake takes that specific fear off the table, not by promising the agent won’t get stuck, but by guaranteeing that when it does, the worst it can cost is a number you already agreed to.
That’s the quiet thing under the mechanism. A meter, a gate, and a ceiling are engineering. But what they add up to is a person trusting a machine with money and still sleeping through the night, and that trust isn’t a feature you can turn on. It’s earned, one bounded run at a time, by a system that has never once spent more than it was allowed to.
That’s what we’re building at Apollo Space: an operating system where every agent that can act also knows when to stop, where the budget isn’t a warning you read after the fact but a wall the next call hits before the money leaves. If you’ve ever found out what a stuck process cost you by reading the invoice, you already know why the brake comes first.
Apollo runs your company's repetitive ops so your team doesn't.
Join the waitlist for early access, founding-user pricing, and a front-row seat as we ship.
Join the waitlistThe hidden tax of parallel agents is a migration diamond
Six agents writing to one schema conflict in the database, not the code, and CI dies at "multiple heads."
EngineeringAn orchestrator that can't survive its own crash isn't one
A crash that erases the orchestrator's reasoning loses the one thing you can't rebuild.
EngineeringPut a deterministic gate in front of your smartest reviewer
The cheapest defect-catch is a dumb script that checks two merged branches still boot before any judgment.