Blog

When an AI agent runs up your bill overnight: who owns it, and how to stop it

An autonomous AI agent can run up your bill overnight. Govern each one with an owner, an approved model scope, a budget with an automatic cutoff, and a kill switch.

June 25, 20266 min readSteve LaBella, Founder, Tallin

An autonomous AI agent is any piece of software that calls AI models on its own schedule to finish a task, and governing one comes down to four things: a named owner, an approved set of models it can call, a budget that cuts itself off when spend crosses a line, and a switch that disables its access the moment it goes wrong. The catch is that all four have to run at the point of use, because by the time a runaway agent shows up on an invoice, the money is already gone.

The biggest line on your AI bill probably isn't a person

Most teams still picture AI spend as employees typing into a chat window. That part is easy to reason about: a person gets tired, goes home, and stops. The faster-growing cost is the software that doesn't. An internal app that calls a model on every request. A pipeline that summarizes documents on a schedule. An agent someone wired up on a Friday to clear a backlog, then forgot about over the weekend.

That last one is where the surprises live. An agent can loop at machine speed, retry on every failure, and fan a single task out into hundreds of model calls with no one watching the meter. By Monday it can be one of your top spend lines, and because it was billed straight through as "software," nobody flinched. No human did anything wrong. There was just nothing inline to catch it.

A monthly invoice can't show you this. You only catch a runaway agent if you meter spend where it happens, on each model call, and give every agent a limit before the number gets large.

Why an agent needs different controls than a person

We already know how to govern people using AI: give them accounts, approved tools, and someone who owns the policy. Agents break two of the assumptions that make that work.

First, an agent has no natural brake. A person sends a few prompts and moves on. An agent can run a tight loop for hours, and a small bug, like a retry that never backs off, turns into real money fast. The control can't wait for a weekly review. It has to sit in the request path and act while the calls are happening.

Second, an agent is often anonymous. It runs under a shared API key, in a service account nobody mapped to an owner, calling a model your security team has never heard of. When finance asks who's spending and security asks what it's allowed to do, the honest answer is usually a shrug. You can't govern what you can't name.

The four controls that make an agent safe to run

You don't need a new framework for this. You need to give an agent the same things you'd give any account that can spend money.

An owner and a purpose. Every agent gets a named human who's accountable for it and a one-line reason it exists. The agent nobody owns is the one that runs away.

An approved model scope. Decide which models and providers the agent is allowed to call, and enforce it at the gateway instead of trusting the code. If it reaches outside that scope you can block it, warn, or just watch, depending on how much you trust it yet.

A budget with an automatic cutoff. Give the agent its own limit, with alerts as it climbs and an automatic cutoff once it crosses the line. That is the difference between learning about a runaway on Monday and stopping it Saturday night.

Shadow mode and a kill switch. Before you enforce anything, run a new agent in shadow mode and watch what it would have been blocked on, so you don't take a production outage on day one. When one does go sideways, one click disables that agent's Tallin-mediated model access, and it fails closed, so the safe state is the default.

The honest part: what a kill switch actually reaches

Here's the line we won't blur, because it's the one that matters in a real review. A kill switch on an agent disables the model access that runs through Tallin. It does not reach a direct call the agent makes to a provider around us, and it does not undo a tool or action the agent already triggered after the model answered. An off switch on model access is real and useful. It is not an off switch on everything an agent can touch, and any vendor who tells you otherwise is selling.

So we say plainly what we govern and what we don't. Tallin labels every actor by how it knows it: observed, inferred, enforced, or not covered. The agent calls routed through the gateway are governed and on the record. The ones that bypass it are named as gaps, not painted over. That honesty costs us in a demo sometimes. It is also the only version of this that survives an auditor.

Start by naming the agents you can't name

If you want to get ahead of this, the first move isn't a policy. It's an inventory. Route what you can through one control point and read the live list of agents, by team and provider. Pull in your provider usage and billing alongside it, because each source surfaces agents the others miss. Then go hunt the non-human callers on purpose: the internal app, the scheduled job, the agent a smart team shipped without telling anyone. For each one, fill in four blanks: who owns it, why it exists, what it's allowed to call, and what it spends. The blanks you can't fill are your real risk list.

Do that, and the question your board is going to ask, how much are we spending on agents and who's accountable, stops being a shrug and becomes a number you can stand behind.

Key takeaways

  • The fastest-growing line on your AI bill is often an autonomous agent, not a person, and a monthly invoice can't catch a runaway until the money is already spent.
  • Agents need inline controls because they loop at machine speed and often run anonymously under shared keys, so after-the-fact review is too late.
  • Four controls make an agent safe to run: a named owner and purpose, an approved model scope enforced at the gateway, a budget with an automatic cutoff, and shadow mode plus a kill switch.
  • Be honest about the boundary: a kill switch disables an agent's Tallin-mediated model access, not its direct provider calls or the tool actions it already triggered.
  • Start with an inventory. Route agents through one control point, pull provider and billing data, and fill in owner, purpose, scope, and spend for each.

Keep reading

Want to stop estimating and start measuring?

Tallin gives you the same observable, attributable, defensible ledger this article describes — with the honest coverage taxonomy baked in.