AI agents are becoming more common in business software — and so are the risks they bring. Without proper controls, these systems can fail in costly and dangerous ways. Experts say gateway-level guardrails are one of the most critical missing pieces in most AI deployments today.
One major problem is runaway delegation. When one AI agent triggers another, and that one triggers more, the chain can grow without stopping. Friday afternoon deployments have been flagged as especially risky because they often lack delegation caps. This leads to exponential call multiplication and unpredictable costs. Hard limits at the gateway level can stop this before systems collapse.
Without delegation caps, one AI agent triggering another can spiral into exponential costs and total system collapse.
Money is another concern. Agents without spending limits can consume resources until infrastructure fails. Gateway-enforced caps, like a $50-per-day threshold, act as circuit breakers. They stop individual agents from draining budgets across an entire organization. Without these caps, a single misbehaving agent can cause system-wide damage.
Tool access is a third risk area. Many agents are given broad database access when they only need narrow permissions. A gateway with tool-level role-based access control limits what each agent can actually do. Agents can’t call functions outside their registered scope, even if someone tries to manipulate them into doing so. This least-privilege approach keeps coerced agents from reaching restricted operations.
Prompt injection is a threat that’s harder to see. Malicious instructions can hide inside web pages or documents that agents retrieve after the initial security check. Surface-level input classifiers don’t catch this because the dangerous content enters the pipeline later. OWASP has listed indirect prompt injection as a critical risk in agentic systems.
Long conversations make things worse. Over time, extended histories can erode guardrail effectiveness. Attackers use “salami slicing” — small, gradual shifts that slowly move an agent past its safety boundaries. Guardrails often can’t track these patterns because they inspect requests one at a time. Experts similarly warn that AI dependency risks extend beyond individual users, threatening the integrity of entire automated pipelines when oversight mechanisms are absent.
In multi-agent systems, one compromised agent can spread manipulation to others. Research shows 48% of co-agents get compromised during a single injection incident. The infection moves through system architecture, not through direct user action. Companies that skip unified gateway logging are often left spending weeks reconstructing agent activity trails when auditors or legal teams come asking.
Real-world incidents have made these risks concrete. In one case, an attacker drained approximately $175,000 from an AI-controlled crypto wallet by embedding a Morse-coded prompt injection inside a tweet, which the connected agent decoded and acted on without any verification checks.
References
- https://dev.to/lovestaco/5-things-that-go-horribly-wrong-when-you-run-ai-agents-without-a-gateway-and-how-to-stop-the-1i90
- https://www.cequence.ai/blog/ai/encoded-prompt-injection-action-layer/
- https://ai-coding.wiselychen.com/en/openai-dou-dang-bu-zhu-de-gong-ji-ai-an-quan-fang-tan/
- https://genta.dev/resources/llm-guardrails-production-guide
- https://arxiv.org/html/2604.12986v1
- https://partnershiponai.org/wp-content/uploads/2025/09/agents-real-time-failure-detection.pdf
