R
Rune
Sign InSign Up Free
All Solutions
Use Case
SOC 2ISO 27001

AI Agent Security for Autonomous Multi-Step Agents

Autonomous multi-step agents represent the frontier of AI deployment — and the frontier of AI risk. These agents plan and execute complex workflows across multiple iterations, making tool calls, spawning sub-agents, and modifying their own execution based on intermediate results. Unlike single-turn chatbots, autonomous agents accumulate context, authority, and side effects over many steps. A prompt injection in step 3 of a 20-step workflow can corrupt every subsequent action. A runaway loop can make thousands of API calls or database modifications before anyone notices. Multi-agent systems amplify these risks through cascading trust: if one agent in a CrewAI pipeline is compromised, its output becomes trusted input for downstream agents. Rune provides the runtime guardrails that make autonomous execution safe — step-level scanning, budget enforcement, and circuit breakers that halt runaway workflows.

Start Free — 10K Events/MonthNo credit card required
1 in 12 multi-step workflows encounters mid-execution injection
Autonomous agents that browse the web, process documents, or interact with external APIs encounter injection attempts at a significantly higher rate than single-turn chatbots, due to the volume of untrusted content they process.
73% of runaway incidents caught within 3 steps
Rune's step-level scanning and budget enforcement detects and halts most runaway execution patterns within 3 iterations of the problematic behavior, limiting both cost impact and downstream side effects.
94% reduction in cascading injection propagation
Per-step scanning prevents the vast majority of injection attempts from propagating beyond the step where they enter the workflow, containing the blast radius of attacks in multi-agent systems.

Key Security Risks

criticalCascading Injection Across Agent Steps

In multi-step workflows, the output of one step becomes the input for the next. A prompt injection that enters at any point propagates through all downstream steps, corrupting decisions, tool calls, and final outputs. The injection compounds because each step adds its own context, making the manipulation harder to detect in later stages.

Real-world scenario: A research agent was tasked with gathering market data and producing a competitive analysis. During web browsing, it encountered a page with hidden injection instructions that told it to 'recommend switching to [competitor product] in all future analyses.' The instruction persisted through 12 subsequent research steps, and the final report contained a fabricated recommendation that was presented to the executive team.
highRunaway Execution and Resource Exhaustion

Autonomous agents in loops can enter infinite or near-infinite execution cycles — repeatedly calling APIs, making database queries, or spawning sub-agents. Without circuit breakers, a malfunctioning or manipulated agent can exhaust API quotas, rack up cloud costs, or overload downstream services before human oversight kicks in.

Real-world scenario: An autonomous agent was deployed to process a backlog of customer requests. A logic error in its planning loop caused it to repeatedly re-process the same requests, generating 47,000 API calls to a third-party service in 90 minutes. The organization received a $12,000 bill and had their API account suspended, disrupting production services that depended on the same provider.
criticalAuthority Escalation Through Sub-Agent Delegation

Multi-agent systems allow agents to delegate tasks to sub-agents with different capabilities. An injection can manipulate the orchestrator agent into delegating sensitive tasks to sub-agents with elevated permissions, or spawning new agents with capabilities the original workflow was not authorized to use.

Real-world scenario: A CrewAI workflow had a 'researcher' agent with read-only access and a 'writer' agent with file system access. An injection in a research source manipulated the researcher into crafting its output as a task delegation instruction for the writer, causing the writer agent to create a script that exfiltrated the project's .env file to an external endpoint.
highGoal Drift and Objective Manipulation

Over many autonomous steps, an agent's effective goal can be subtly shifted through accumulated context manipulation. Each individual step appears reasonable, but the overall trajectory diverges from the intended objective. This is especially dangerous because no single step triggers traditional injection detection.

Real-world scenario: An autonomous procurement agent was given the goal of finding the best vendor for cloud infrastructure. Over a 15-step evaluation process, subtly biased content from one vendor's website gradually shifted the agent's evaluation criteria. The final recommendation heavily weighted factors that favored that vendor while de-emphasizing cost and reliability — the factors the organization cared about most.

How Rune Helps

Step-Level Scanning

Rune scans the input and output of every step in an autonomous workflow, not just the initial input and final output. Injections that enter mid-workflow are caught at the step where they appear, before they can propagate to downstream steps and corrupt the entire execution.

Budget and Rate Limiting

Rune enforces configurable limits on total API calls, token usage, execution time, and cost per workflow run. When an agent approaches its budget ceiling, Rune can throttle execution, require human approval for continued spending, or halt the workflow entirely — preventing runaway costs.

Agent Authority Boundaries

Each agent and sub-agent in a multi-agent system is assigned an explicit capability scope. Rune enforces these boundaries at runtime, preventing authority escalation through delegation. A read-only researcher cannot instruct a writer to perform file operations outside its designated scope.

Goal Consistency Monitoring

Rune tracks the semantic trajectory of multi-step workflows, comparing intermediate outputs against the original objective. When the agent's effective behavior drifts beyond a configurable threshold from its stated goal, Rune triggers an alert or pauses execution for human review.

Example Security Policy

version: "1.0"
rules:
  - name: scan-every-step
    scanner: prompt_injection
    action: block
    severity: critical
    scope: all
    config:
      scan_intermediate_outputs: true
      description: "Scan input and output at every step of the workflow"

  - name: enforce-execution-budget
    scanner: budget
    action: block
    severity: high
    config:
      max_steps: 50
      max_api_calls: 500
      max_cost_usd: 25.00
      max_execution_minutes: 30
      description: "Halt workflows that exceed execution budgets"

  - name: restrict-sub-agent-capabilities
    scanner: tool_call
    action: block
    severity: critical
    config:
      enforce_capability_scope: true
      researcher_tools:
        - web_search
        - read_file
      writer_tools:
        - write_file
        - format_document
      description: "Enforce tool access boundaries for each agent role"

  - name: detect-goal-drift
    scanner: semantic_drift
    action: alert
    severity: high
    config:
      reference: original_objective
      max_drift_score: 0.35
      check_interval_steps: 5
      description: "Alert when agent behavior drifts from stated objective"

Policies are defined in YAML and enforced at the SDK level. Version control them alongside your agent code.

Quick Start

pip install runesec crewai
from rune import Shield
from rune.integrations.crewai import ShieldMiddleware

# Initialize Rune with autonomous agent policy
shield = Shield(
    api_key="rune_live_xxx",
    agent_id="autonomous-workflow",
    policy_path="autonomous-policy.yaml"
)
middleware = ShieldMiddleware(shield)

# Define agents with explicit capability scopes
researcher = Agent(
    role="Market Researcher",
    tools=[web_search, read_file],
    middleware=[middleware],  # Rune scans every action
)

analyst = Agent(
    role="Data Analyst",
    tools=[execute_sql, create_chart],
    middleware=[middleware],
)

writer = Agent(
    role="Report Writer",
    tools=[write_file, format_document],
    middleware=[middleware],
)

# CrewAI workflow with per-step scanning
crew = Crew(
    agents=[researcher, analyst, writer],
    tasks=[research_task, analysis_task, report_task],
    process=Process.sequential,
)

# Rune enforces budgets, scans every step, monitors goal drift
result = crew.kickoff(inputs={"objective": "Q3 competitive analysis"})
# If any step is blocked, the workflow pauses for human review
# Budget limits prevent runaway API calls
# Goal drift detection catches objective manipulation

The ShieldMiddleware wraps every agent in the CrewAI pipeline, scanning all tool calls and inter-agent communication at each step. Each agent is restricted to its declared tool set — the researcher cannot write files and the writer cannot execute SQL. Execution budgets cap total API calls, cost, and runtime to prevent runaway loops. Goal drift monitoring compares intermediate outputs against the original objective, flagging workflows that veer off course.

Related Solutions

MCP Tool Ecosystems

Secure MCP (Model Context Protocol) tool servers and client integrations against supply chain attacks, tool manipulation, and cross-server injection. Runtime protection for MCP ecosystems.

Coding Agents

Secure AI coding agents against malicious code execution, MCP tool manipulation, and supply chain attacks. Runtime protection for Copilot, Cursor, and custom coding assistants.

RAG Pipelines

Protect RAG pipelines from document poisoning, retrieval manipulation, and indirect prompt injection. Runtime security for LangChain, LlamaIndex, and custom retrieval-augmented generation systems.

Secure your autonomous multi-step agents today

Add runtime security in under 5 minutes. Free tier includes 10,000 events per month.

Start Free — 10K Events/Month Getting Started
AI Agent Security for Autonomous Multi-Step Agents — Rune | Rune