The Bill You Didn't Authorize

It's a Friday afternoon. A senior engineer decides to clean up a service that's been bothering him for months. He opens Claude Code, points it at the repo, and lets it work. By Sunday night it has refactored across twelve files, written tests, and surfaced a handful of issues he'd been meaning to fix.

Good work. Real work.

On Monday, finance flags an anomaly. The team's API spend over the weekend equals what they normally burn in a month. Engineering investigates. The work product is legitimate. The bill is real. Nobody approved either one.

Six months ago, that scene wouldn't have happened the same way. The tool was priced per seat, the bill was predictable, and the cost of an engineer working all weekend was the engineer. Then enterprise AI moved to usage-based pricing. The Information reported this week that Anthropic is making this the standard for its enterprise customers, and the pattern is spreading. Pay for what you consume. Anthropic's own CEO has said publicly that most companies aren't planning for the true cost of running AI at scale, and from what I'm seeing across clients, he's right.

The gap is wider than most boards know.

Why this looks like cloud, but isn't

If you've lived through a cloud migration, the shape of this is familiar. AWS launched, organizations moved fast, bills exploded, FinOps emerged, controls caught up. I spent enough time at AWS to remember how that story ended, which is also why I think a lot of leaders are about to underestimate this one.

Cloud spend was driven by infrastructure decisions made by a small group of engineers. You provisioned a server, scaled a database, stored a file. The number of people who could materially move the bill was small, and most of them had technical context for what their actions cost. Even at peak chaos, cloud was bounded by what the engineering team built.

AI consumption isn't bounded that way. A product manager running analyses, a salesperson generating outreach, a finance analyst querying every quarterly close, an engineer letting an agent work unattended over a weekend. They can all incur AI spend, and most have no concept of what their actions cost. A token isn't intuitive the way an EC2 instance is.

Then there's the architecture shift. The previous generation of tools suggested. The current generation acts. A coding assistant that autocompletes consumes tokens at one rate. An agent that opens pull requests, runs tests, refactors across files, and chains tool calls consumes them at five to ten times that. Same engineer, same approved tool, very different cost behavior.

Which is why the cloud playbook helps but doesn't fully translate. Per a recent FinOps Foundation survey, "only 7.5% of enterprises have embedded FinOps into their AI projects," and IDC has reported that 41% of organizations are wasting more than 15% of their AI spend.

What's actually happening inside organizations

The conversation I keep ending up in, increasingly with the CFO and the CIO together, is some version of the same problem. The bill is growing faster than anyone expected, nobody is sure who authorized it to grow that way, and nobody can produce a clean answer for what would stop it.

Three things converge to create that.

Annual budgets assume annual rates of change, but usage-based AI spend can compound weekly. By the time variance hits a quarterly review, the run rate has already redefined the baseline. IDC's FutureScape 2026 forecast warns that "large enterprises could see up to a 30% rise in underestimated AI infrastructure costs by 2027." That's the macro number. The day-to-day version is uglier.

Authorization sits in the wrong place. Procurement approved the tool quarters ago, the people generating the spend have no visibility into the bill, and the people paying the bill have no authority over the usage. The org chart was designed for per-seat licensing, not per-token consumption.

Shadow AI looks like productivity. Faster code, better drafts, more throughput. The output is what leadership wanted in the first place, so nobody flags it until the invoice arrives. And the volume is about to make all of this harder. IDC's data suggests enterprises deployed tens of millions of agents in 2025, with that number expected to grow significantly through 2026. You cannot govern that with a quarterly procurement review.

What a working version looks like

A mid-market SaaS company I work with caught this early. Their monthly AI spend went from $18K to $47K in two months. The CTO didn't ask for more budget. He stood up a three-person standing group: a finance lead, an engineering lead, and a model-selection owner from the data team. They put real-time spend dashboards in front of every engineering manager, set tiered approval thresholds (anything above 25% month-over-month growth needed a named sign-off), and put hard rate limits at the API gateway so no single workflow could run away unattended over a weekend.

Six weeks later, spend was flat. Not because they used less AI. Because the spend they did incur could be tied to a named owner, a defined outcome, and a number someone had agreed to in advance.

The technology to do this isn't exotic. The hard part was deciding who got to say no.

The shift you're actually paying for

AI governance, until now, has mostly been about behavior. What the model is allowed to do, who it affects, how its decisions get reviewed. Those questions still matter.

Usage-based pricing introduces a second axis: authority to spend. It sits in a different part of the organization than behavioral controls. Not just a CISO question. Not just a Chief AI Officer question. A CFO question, with help from procurement, FP&A, and engineering.

Which means every AI system above a trivial threshold now needs two approvals, not one. Behavioral approval (is this safe, fair, compliant) and financial approval (is this team authorized to spend this much, at this rate, for this outcome). Both, with named owners, enforced limits, and escalation paths when consumption outpaces planning. Most governance frameworks I see don't separate these.

The Monday-morning move

You don't need a transformation program. You need four things on a single page, by end of next week.

A named budget owner for every material AI workflow. Not the tool. The spend. Title and cost center.

A scale-up approval threshold that triggers before the invoice arrives. Most clients I see start at "any month-over-month consumption increase above 25% requires written approval from the budget owner." It's arbitrary, but it's a number, and arbitrary plus enforced beats sophisticated plus theoretical.

A real-time view of spend by team, project, and workflow. If your finance team can only produce this monthly across a manual reconciliation of cloud bills and vendor invoices, that gap is the first thing to close.

A platform-level kill switch on runaway workloads. Rate limits in the gateway. Automatic pauses for sessions that exceed defined token or duration thresholds. If an agent can run unattended over a weekend, the platform has to be able to stop it before Monday, without waiting for a human to notice.

If you can put names and numbers next to those four items by close of business Friday, you're ahead of the median.

The bottom line

The shift to usage-based AI pricing isn't just a vendor pricing change. It's a change in what governance has to cover. Behavioral controls are necessary and no longer sufficient.

The new question is whether your organization can answer, in real time, who is spending what on AI, under what authority, with what limits. If those answers require a meeting, a spreadsheet, and a week, the controls aren't there yet.

Deployment authority got the attention. Spend authority is the next gap. Like most governance gaps in AI, it tends to surface the same way. Not when the system is working. When the bill arrives.

P.S. Walk over to your CFO this week and ask: "If I needed our total AI spend for last month, broken out by team and including all third-party vendor accounts, how fast could I have it?" If the answer is "by end of day," you're in good shape. If it's "by end of week," you have work to do. If it's "let me find out who would even know," you've found your gap. Start there.