An agent read one note someone left in a database, obeyed it, and deleted the customer table. Eight seconds. The model that did it is one of the good ones — current, capable, the kind you would happily ship. That is the part worth sitting with: the intelligence was never the problem.
The people who build these agents already know this. They have quietly stopped doing the thing the rest of us were told to master. Peter Steinberger, who wrote one of the popular coding agents, put it to millions of viewers: stop prompting your agents, design the loops that prompt them. Boris Cherny, the lead behind Claude Code, says it flatter — I don't prompt anymore; my job is to write loops. The skill stopped being the prompt. It became the loop, and the bounds you put on it.
The loop is the agent
Strip the jargon. A model on its own is a brain in a jar: it can think, but it cannot act, cannot read a file, cannot remember what it did a second ago. An agent is what you get when you drop that brain into a loop — it reasons, takes an action, looks at the result, and goes again until the job is done. The model is the engine. The loop is the car. And like any car, the question that matters is whether it has brakes.
This is measurable, not a vibe. In the SWE-agent research, freezing the model and improving only the interface it acts through solved 10.7 percentage points more real problems — same brain, better harness. Reflexion, which lets a model look at its own mistakes and retry, hit 91% on a coding benchmark where a raw GPT-4 scored 80%. The loop beats the bigger model.
Bounded or it becomes a headline
In the video I prove it on my own machine. Same model, same attack, one variable: whether the loop has a bound. Unbounded, it reads the planted note and drops the table. Add a single read-only role and run the identical attack — the database itself refuses. Not because the agent got smarter. Because it physically cannot do damage. Ask it a business number unbounded and it answers a confident, invented figure; bounded, it runs the real query, checks itself, and corrects.
Skip that bound in production and you get the headlines, all from the same root cause — not a dumb model, an unbounded loop. A runaway agent burned $6,531 in cloud spend overnight with no cost cap. A chatbot invented a refund policy and a tribunal held Air Canada liable. A Chevrolet dealership bot was talked into a "legally binding" $1 car.
It has a name
Bounding the loop is real engineering, and it is the most underrated skill in this field: least privilege, an approval gate on anything that changes state, output you validate, a verifier grounded in real data, circuit breakers and cost caps, full tracing, and treating any instruction inside your data as hostile by default. Andrej Karpathy calls the road there the march of nines — and getting to 99.99% reliable is not a better prompt. It is architecture. We call the discipline AI Reliability Engineering.
Watch the full build and the live demo:
▶ Stop Prompting Your AI Agents — the full video
The 7-point bounded-loop checklist I use, plus every paper and source behind this, is free at qualixar.com.
(https://qualixar.com/learn/guides/bounded-loops-workbook)
Don't trust your agents. Verify them.
Top comments (0)