Skip to main content

Limits and safety

Module 9 · Lesson 3 · 6 min read

TL;DR

The power to call other agents is also the risk: without limits, delegation can spiral into uncontrolled recursion — agents delegating in circles, burning calls with no answer. Three limits keep it bounded: a depth cap (the most important), a cost budget, and a timeout. With them, the worst case is a graceful fallback, not a runaway bill.

When delegation runs away

Delegation gives agents the power to call other agents. That same power is the risk: without limits, an agent-to-agent system can spiral. A router delegates to a specialist, which delegates to another, which delegates back — and now you're burning calls and money on a loop that may never produce an answer. Three limits keep it bounded.

Depth limits — the most important

A depth limit caps how many levels of delegation are allowed. The router is depth 0; each hand-off adds 1. At the cap, a sub-agent simply can't delegate further — its delegate_* tools aren't even offered to it.

Your lab sets maxDepth. With maxDepth: 2, the router can delegate to a specialist (depth 1) and that specialist can delegate once more (depth 2), but no deeper. It's the single most important guard against runaway delegation, and it fails gracefully — the deepest agent just answers directly instead of handing off.

Cost limits

Every agent run costs tokens. A cost limit caps the total spend for a single request across all its delegations, so one expensive question can't quietly run up a huge bill. When the budget is hit, the system stops delegating and returns what it has.

Timeouts

A timeout caps wall-clock time. Delegation adds round-trips, and a slow (or stuck) specialist shouldn't hang the whole request forever. A timeout cuts it off and lets the parent fall back.

LimitCapsWithout it
Depth (maxDepth)Levels of delegationInfinite recursion — agents in circles
CostTotal tokens/spend per requestOne question quietly runs up a huge bill
TimeoutWall-clock timeA stuck specialist hangs the whole request

The failure mode to fear

Of all the things that can go wrong with agent-to-agent systems, the one to respect most is uncontrolled recursion — agents delegating in circles, multiplying cost and latency with no answer at the end. It's the agent version of an infinite loop, except each iteration costs a real model call. That's the checkpoint: the failure mode is runaway recursion, and the depth limit is the single best guard — it makes infinite delegation structurally impossible, while cost and timeout are the backstops that bound the damage of anything the depth cap doesn't catch.

Analogy

Delegation without a depth limit is a manager who, when busy, hires another manager to handle the work — who hires another. The depth cap is a rule: "you may delegate at most twice, then you handle it yourself." Cost and timeout are the company budget and the end-of-day deadline — the backstops that stop runaway delegation even if the org chart somehow loops.

Common mistake

Treating depth, cost, and timeout limits as optional polish to add later. They're not features — they're the safety rails that make delegation production-safe at all. A multi-agent system shipped without a depth cap isn't "mostly fine"; it's one mis-classification away from an infinite loop on a real bill. Set the limits first, then build the delegation.

Key takeaways

Key takeaways

  • The danger of agent-to-agent systems is uncontrolled recursion — an infinite loop that costs money.
  • Depth limit (maxDepth) is the most important guard; it fails gracefully to a direct answer.
  • Cost and timeout limits are the backstops that bound spend and wall-clock time.
  • Set the limits before you build the delegation — they're rails, not polish.

You've built a production-shaped agent

You've now built an agent that learns, uses tools, grounds answers in your docs, connects to real services via MCP, is observable through traces, is measured by evals, is guarded against unsafe input and output, and delegates to specialists within safe limits. That's a production-shaped agent — end to end.

Go deeper: least privilege and the trust boundary between agents

Limits stop runaway delegation; a second discipline stops misused delegation — especially as agents call agents built by other teams (the A2A future from the last lesson):

  • Least privilege per agent. A specialist should hold only the tools its job needs. The billing agent can issue refunds; the technical agent can't. If a sub-agent is compromised or tricked (prompt injection, Module 8), least privilege bounds the blast radius to what that agent could already do.
  • Guardrails at the boundary. A sub-agent's output is another agent's input — so the input guardrails from Module 8 apply between agents, not just at the user edge. A parent shouldn't blindly trust a child's output any more than a user's.
  • Don't let delegation launder authority. If a user isn't allowed to do something directly, delegating through three agents shouldn't grant it. Authority checks belong at the action, not at the entry point.

The unifying idea: every agent boundary is a trust boundary. The limits in this lesson keep delegation bounded; least privilege and boundary guardrails keep it safe. Both are what turn a clever multi-agent demo into something you can actually ship.

Build this in AI Fluens Studio

Reading is step one. Open Studio and build a working agent end-to-end — every concept in this course is something you ship and run for real.

Open AI Fluens Studio