AI RiskAtlas

Resource Exhaustion / Denial of Wallet

Severity: medium · Category: Agency & tools
Also known as: unbounded consumption, denial of wallet, agent loop blowup

Definition

An AI agent gets stuck doing far more work than intended — looping, retrying, spawning more sub-tasks, or being baited into expensive actions — and the bill (compute, API calls, real money) balloons before anyone notices.

★ Suggested sub-risk (not yet in your taxonomy); recommended under #44 Disruption to connected systems

This is recommended as a granular sub-risk of #44 Disruption to connected systems (Robustness & Stability · Technology Risk). Operation Bizarre Bazaar shows that exposure of the serving plane is the root attack surface, independent of any model or input exploit. The case bridges resource exhaustion (compute theft and denial of wallet), supply chain (a criminal resale chain), data leakage (prompt and history exposure) and disruption to connected systems (MCP lateral movement), so it maps cleanly under enterprise risk #44 with denial of wallet as the primary effect. Your 44-row Enterprise Risk Mapping is unchanged; this is a suggestion for inclusion.

Where it attaches

The system components at which this risk arises.

  • 🎛️ Orchestrator / Agent Loop
  • 🗺️ Planner Agent
  • 🤖 Worker Agent
  • 🔧 Tool Runtime
  • 🏗️ Serving Infrastructure
  • 🔌 External APIs

Detection signals

  • Iteration / tool-call counts far above the task norm
  • Cost or token spend spiking for a session or agent
  • Recursive sub-agent fan-out without convergence
  • Retry storms against an external API
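
The four signals above are each a simple aggregate over agent telemetry. The following is an added example (not AI RiskAtlas code) that implements them as detection functions over constructed sample events; the event schema (`Step`), the thresholds, the `"final"`/`"spawn"` tool markers and the session ids are assumptions, chosen so that one session is healthy and one session trips each signal.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One tool call or model step from agent telemetry (assumed schema)."""
    session: str        # job / conversation id
    agent: str          # agent instance that executed the step
    parent: str | None  # agent that spawned this one; None for the root
    t: float            # seconds since the session started
    tool: str           # tool or API called; "final" means the agent returned an answer
    status: int         # HTTP-style result status (200 ok, 429/5xx upstream failure)
    cost_usd: float     # metered cost of the step

# Thresholds are assumptions; derive real ones from per-task baselines.
NORMAL_STEPS_PER_TASK = 8
STEP_MULTIPLIER = 5          # flag sessions above 5x the normal step count
COST_BASELINE_USD = 0.20
COST_MULTIPLIER = 10         # flag sessions above 10x the baseline spend
MAX_FANOUT_DEPTH = 3         # deepest sub-agent nesting expected for this task
RETRY_WINDOW_S = 30.0
RETRY_THRESHOLD = 10         # failed calls to one API inside the window
FAILURE_STATUSES = {429, 500, 502, 503, 504}


def by_session(steps: list[Step]) -> dict[str, list[Step]]:
    groups: dict[str, list[Step]] = defaultdict(list)
    for s in steps:
        groups[s.session].append(s)
    return groups


def runaway_iterations(steps: list[Step]) -> dict[str, int]:
    """Signal 1: sessions whose step count is far above the task norm."""
    limit = NORMAL_STEPS_PER_TASK * STEP_MULTIPLIER
    return {sid: n for sid, n in Counter(s.session for s in steps).items() if n > limit}


def cost_spikes(steps: list[Step]) -> dict[str, float]:
    """Signal 2: sessions whose metered spend is far above the baseline."""
    spend: dict[str, float] = defaultdict(float)
    for s in steps:
        spend[s.session] += s.cost_usd
    limit = COST_BASELINE_USD * COST_MULTIPLIER
    return {sid: round(c, 4) for sid, c in spend.items() if c > limit}


def fanout_without_convergence(steps: list[Step]) -> dict[str, int]:
    """Signal 3: sub-agents nested deeper than expected and no agent has finished."""
    flagged: dict[str, int] = {}
    for sid, sess in by_session(steps).items():
        parent = {s.agent: s.parent for s in sess}

        def depth(agent: str) -> int:
            d = 0
            while parent.get(agent) is not None:
                agent, d = parent[agent], d + 1
            return d

        deepest = max(depth(a) for a in parent)
        converged = any(s.tool == "final" for s in sess)
        if deepest > MAX_FANOUT_DEPTH and not converged:
            flagged[sid] = deepest
    return flagged


def retry_storms(steps: list[Step]) -> dict[tuple[str, str], int]:
    """Signal 4: RETRY_THRESHOLD or more failed calls to one API inside a sliding window."""
    failures: dict[tuple[str, str], list[float]] = defaultdict(list)
    for s in steps:
        if s.status in FAILURE_STATUSES:
            failures[(s.session, s.tool)].append(s.t)
    storms: dict[tuple[str, str], int] = {}
    for key, times in failures.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > RETRY_WINDOW_S:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= RETRY_THRESHOLD:
            storms[key] = best
    return storms


def _sample() -> list[Step]:
    """Constructed telemetry: one healthy session and one per failure mode."""
    steps: list[Step] = []
    # s1: healthy, five tool calls then a final answer.
    steps += [Step("s1", "a0", None, i * 2.0, "search", 200, 0.015) for i in range(5)]
    steps.append(Step("s1", "a0", None, 10.0, "final", 200, 0.01))
    # s2: a loop that never exits; the same call repeated fifty times.
    steps += [Step("s2", "a0", None, i * 1.5, "search", 200, 0.05) for i in range(50)]
    # s3: each agent spawns another, five levels deep, and nobody finishes.
    chain = ["a0", "a1", "a2", "a3", "a4"]
    for i, a in enumerate(chain):
        steps.append(Step("s3", a, chain[i - 1] if i else None, float(i), "spawn", 200, 0.02))
    # s4: twelve failed calls to one external API inside twenty seconds.
    steps += [Step("s4", "a0", None, 100.0 + 1.7 * i, "payments_api", 503, 0.001) for i in range(12)]
    return steps


SAMPLE = _sample()

if __name__ == "__main__":
    for fn in (runaway_iterations, cost_spikes, fanout_without_convergence, retry_storms):
        print(f"{fn.__name__}: {fn(SAMPLE)}")
```

Each detector is keyed by session (or session and API) so that an alert can be tied back to the orchestrator run that should be paused; in production the thresholds would come from the observed distribution for the task class rather than the fixed constants used here.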

Controls & guardrails that address this

4 controls, grouped by control function, with the AI lifecycle stage(s) at which to apply each and the other risks it addresses. The two preventive controls are shown here.

Preventive · 2
Least-privilege identity & scoped credentials

Giving the agent only the keys it needs for the current task, not a master key to everything.

Human-in-the-loop approval on high-risk actions

Pausing to ask a person before doing anything big or hard to undo — sending money, deleting data, emailing customers.

Framework mappings

OWASP LLM Top 10
  • LLM10:2025 Unbounded Consumption
MITRE ATLAS
  • AML.T0034 Cost Harvesting
NIST AI RMF
  • MEASURE 2.6
  • MANAGE 2.2

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading → · Built by Shi Yuan ↗