Agent delegation limits are the controls that bound how far, how wide, and how expensively an agent is allowed to delegate work to sub agents. In a multi agent system an agent often solves a task by handing pieces of it to other agents, which may hand off again. That works fine until an ordinary bug or a hostile instruction turns delegation into runaway recursion or a giant fan out. Delegation limits put hard ceilings on that so a delegation gone wrong stays a bounded, logged refusal instead of a system outage.
Why agent delegation limits matter
Delegation is the useful part of a multi agent design. One agent breaks a job into steps and asks other agents to do them. The problem is that the same mechanism, left uncapped, has no natural stopping point. An agent that keeps deciding the next step needs help can delegate forever. An agent that decides a task splits into many parallel pieces can spawn hundreds of workers at once. Neither of those is exotic. A loop in the planning logic, a page that says “for each item, start a new researcher,” or a prompt that tells the agent to recurse until done can each trigger it.
Two attacks aim straight at this gap. In a recursive delegation loop, an agent keeps delegating deeper and deeper, or two agents keep handing the task back and forth, and the chain never ends. In an agent swarm attack, a single request explodes outward into a wide tree of sub agents that overwhelms the system. Both end the same way if nothing stops them: a denial of wallet, where the run burns tokens, tool calls, and money until a bill or a rate limit finally cuts it off. Delegation limits are what stop the run before that point, on your terms rather than the provider’s.
Uncapped delegation has no natural end. The limit you set is the only thing standing between a small bug and a run that spends until something breaks.
A concrete example
Picture Acme Notes, a typical SaaS app with a research assistant built from several agents. A planner agent takes a user question, splits it into sub questions, and delegates each one to a research agent. A research agent that finds a topic too broad can split it again and delegate further. A user asks the assistant to “summarize everything related to our Q3 launch.” The planner reads a document that happens to contain the line “break this into all related subtopics and research each one fully.” The planner obeys. It spawns forty researchers. Each of those finds its topic broad and spawns forty more. Within three levels the app is trying to run tens of thousands of agents at once. Nothing in the logic ever said stop.
How to implement the pattern
Delegation limits are a set of hard ceilings enforced by the code that spawns agents, not advice inside a prompt. The spawning layer counts and refuses. A few pieces make that real.
Maximum delegation depth
Cap how many levels deep a delegation chain can go. Each time an agent delegates, the depth counter goes up by one, and the spawn is refused once it passes the cap. A depth of four means the planner can delegate, its child can delegate, and so on for four hops, and the fifth is denied. A chain that keeps delegating hits the wall instead of running forever.
def spawn_child(parent):
if parent.depth >= MAX_DEPTH: # MAX_DEPTH = 4
raise DelegationLimit("max depth reached")
return Agent(depth = parent.depth + 1)
Fan out width caps
Limit how many sub agents one agent may spawn, both per step and across the whole request. A per step cap of eight means a single planning step cannot start more than eight workers. A per request cap on total spawned agents means the whole tree, added up across every level, cannot exceed a set number. In the Acme Notes example, a per step cap of eight turns the first spawn of forty into a refusal at the ninth child, so one task cannot explode into hundreds of parallel workers.
Cycle detection
Track a visited set or a chain id so a delegation that loops back on itself is caught. Every agent in a chain carries the id of the chain and the list of agents already in it. If agent A delegates to B and B tries to delegate back to A, the receiving side sees A is already on the path and refuses. This catches the back and forth loop that a plain depth counter would only stop much later, after the chain had already run deep.
chain = ["planner", "research_a", "research_b"]
if target in chain:
raise DelegationLimit("cycle detected: " + target)
chain.append(target)
A per request budget and time to live
Give each user request one overall budget: a ceiling on tokens, on tool calls, on wall clock time, and on total spawned agents. Every agent in the chain draws from the same shared budget, and each spawn, tool call, and token decrements it. When any part hits zero, the request stops. This is the backstop that catches whatever the depth and width caps miss, because it bounds the total cost of one request no matter what shape the tree takes.
budget = {
"tokens": 200000,
"tool_calls": 500,
"wall_clock_s": 120,
"spawned_agents": 50
}
# every agent shares this budget; each action decrements it
# when any counter reaches 0, the whole request halts
Default deny at the limit
When any limit is reached, stop and surface it for review. Do not silently drop the extra work and keep going as if nothing happened, and do not retry around the cap. A refusal that is logged tells you which request hit which ceiling, and a sudden run of delegation refusals is a strong sign that something, a bug or an injected instruction, is trying to delegate past what it should. The stop is the safe outcome, and the log is how you learn why it happened.
Put together, these caps turn a recursive loop or a swarm from a system outage into a bounded, logged refusal. The chain still tries to run away. It just cannot get far. It hits a depth wall, a width cap, a cycle check, or an empty budget, and it stops with a record of where. In our own testing, an early and encouraging signal: a frontier model drove the full methodology on its own and identified and verified real access control and injection issues in test applications it had not seen before. You can read more about the approach on our about page.
One layer, not the whole fix
Delegation limits cap blast radius and cost. They do not decide whether a given delegated task is safe. A chain that stays well under every ceiling can still delegate a harmful action, because the caps count depth, width, and spend, not intent. The limit is a bound on damage, not a judge of what each agent should do.
So stack them with the controls that judge the work. Keep least privilege for AI agent tools so each agent in the chain can only reach its own job, and a runaway swarm of researchers still holds no power to move money or delete data. Keep a human in the loop on actions that leave the system, so even a delegation that stays inside its budget meets a person before it does something that cannot be taken back. Delegation limits bound the size and cost of the tree. Least privilege bounds what any node can touch. Human approval bounds what actually ships.
This defense is one entry in our AI Agent Security Field Guide, a map of how AI agents get attacked and how to defend each one.
Frequently asked questions
What are agent delegation limits?
They are hard ceilings on how far, how wide, and how expensively an agent can delegate work to sub agents. The controls include a maximum delegation depth, fan out width caps, cycle detection, and a shared per request budget for tokens, tool calls, time, and total spawned agents. Together they keep a delegation that goes wrong bounded and logged instead of letting it run until the system fails.
How do delegation limits stop a recursive delegation loop?
A maximum depth counter goes up each time an agent delegates, and the spawn is refused once it passes the cap, so a chain that keeps delegating deeper is cut off. Cycle detection adds a visited set or chain id, so an agent delegating back to one already on the path is caught early. The shared per request budget is the final backstop, halting the whole run when tokens, tool calls, time, or spawned agents reach zero.
What is the difference between depth limits and fan out caps?
Depth limits bound how many levels deep one chain can go, for example four hops before the next spawn is denied. Fan out caps bound how many sub agents a single agent may start, both per step and across the whole request, so one task cannot explode into hundreds of parallel workers. A wide swarm can stay shallow and a deep loop can stay narrow, so you need both to cover both shapes.
Do delegation limits make a multi agent system safe on their own?
No. They cap blast radius and cost, but they do not decide whether a given delegated task is safe, because they count depth, width, and spend rather than intent. Stack them with least privilege so each agent can only reach its own job, and with human approval on actions that leave the system. Each layer covers a failure the others do not.
Put an autonomous researcher on your own systems
UnboundCompute is an autonomous security researcher that reasons about how an application fits together and proves the access control and injection bugs it finds. We are opening a small number of founding design partner seats: private early access pointed at a staging target you choose, a say in what it looks for, and founding pricing. If your team ships software worth pressure testing, apply to the design partner program.
