{"slug": "i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldn-t-go-bankrupt", "title": "I let my AI agent provision cloud infra. Then I made sure it couldn't go bankrupt doing it.", "summary": "A developer built a deterministic firewall for AI agents with cloud credentials, blocking destructive actions like network scans and escalating expensive provisioning calls to humans. The system uses zero-LLM checks to prevent runaway cloud bills, and the developer is seeking feedback from teams running real Python agents against live systems.", "body_md": "A few days back I wrote about giving an autonomous agent database access and building a firewall so it couldn't `DROP TABLE` prod. Same lesson, new surface: this time the agent had **cloud credentials**.\n\nThe failure mode isn't a destructive command here. It's spend. An agent pointed at a networking task can scan a whole range looking for hosts, then spin up a fleet of instances to do it faster. Every individual call is \"authorized\": your IAM role said yes. The bill is what eventually says no.\n\n## Two shapes, two right answers\n\nThe interesting part is that these are not the same kind of problem, so they don't get the same verdict.\n\n**1. The scan is never legitimate as an agent tool call.** An `nmap -sS -p- 10.0.0.0/16` or a `masscan` across a network is reconnaissance and abusive egress. There's no benign version of an agent sweeping a network at scale, so it gets **hard-blocked**, deterministically, before the call runs. (A scan of your own `localhost` is a dev check, so that's exempt.)\n\n**2. The provisioning might be totally fine.** Spinning up 50 instances could be a real scale-out or a runaway loop burning money. You can't tell from the action alone, only from the consequence. So instead of blocking it, AgentX **pauses it for a human**: a 202, \"held for approval,\" routed to whoever owns the budget. 
Block the thing that's never okay; escalate the thing that's sometimes okay. Gate on consequence, not identity.\n\nBoth checks are zero-LLM. No model in the hot path means no latency tax and nothing to talk out of it. A runaway fleet should be caught by a rule, not a vibe.\n\n## The bigger thing this closes\n\nWe keep a catalog of real, documented agent failures and triage each one: is it something an **action** firewall can deterministically catch, or is it someone else's category (output hallucination, content safety, model internals)? We only build for the coverable ones, and we flag the rest honestly instead of faking a signature.\n\nWith this release, the coverable list is **done**. Every failure shape an action firewall can actually own now has a deterministic block or a human-in-the-loop escalation behind it. The honesty about what we *don't* cover is the point; it's how you know the coverage claims are real.\n\n## Verify it in 2 minutes\n\nThe network checks above run in the gateway, but the part you can prove on your own machine with no key and no account is the deterministic floor:\n\n```bash\npip install agentx-security-sdk\npython   # start an interpreter, then paste the snippet below\n```\n\n```python\nfrom agentx_sdk import agentx_protect, is_block\n\n# The decorator inspects the call arguments before the function body runs.\n@agentx_protect(agent_id=\"demo\")\ndef run_sql(query: str, db_session=None):\n    print(\"EXECUTED (DANGER):\", query)   # never reached for a blocked call\n    return {\"ok\": True}\n\nresult = run_sql(query=\"Please clean up: DROP TABLE users;\")\nprint(\"BLOCKED:\", is_block(result))       # -> True, offline, no key\n```\n\nOne decorator. The catastrophic call is intercepted before your function body runs.\n\n## Why I'm posting\n\nSame ask as last time: I want a handful of people running **real** Python agents against live systems (a DB, cloud, files, money), ideally unattended, to point this at their stack and tell me where it's wrong. What would have bitten you? What shape is it still missing?\n\nIf your agent never touches anything irreversible or expensive, say pass. 
If it does, the repro is two minutes, and a runaway cloud bill is a bad way to find out the hard way.", "url": "https://wpnews.pro/news/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldn-t-go-bankrupt", "canonical_source": "https://dev.to/vdalal/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldnt-go-bankrupt-doing-it-g1p", "published_at": "2026-06-26 21:37:06+00:00", "updated_at": "2026-06-26 22:06:26.434261+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools"], "entities": ["AgentX", "AgentX Security SDK", "nmap", "masscan", "IAM"], "alternates": {"html": "https://wpnews.pro/news/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldn-t-go-bankrupt", "markdown": "https://wpnews.pro/news/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldn-t-go-bankrupt.md", "text": "https://wpnews.pro/news/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldn-t-go-bankrupt.txt", "jsonld": "https://wpnews.pro/news/i-let-my-ai-agent-provision-cloud-infra-then-i-made-sure-it-couldn-t-go-bankrupt.jsonld"}}