Download this as a formatted PDF
Get the beautifully formatted version to share, print, or keep. Just tell us who you are.
Why audit your AI spend now
Enterprise AI spend is compounding at roughly 50% a year — faster than any cloud category before it — and most of it still runs on shared keys with no owner, no budget, and no attribution. That combination is how a leaked deploy key or a runaway agent turns $340 into $34,000 overnight, and how nobody notices until the invoice posts a day later.
The native OpenAI, Anthropic, and Google dashboards are good at one thing: telling you what you already spent. They can't tell you who spent it, they can't stop the next spike, and they can't hand your auditor a record they'll accept. The gap between "we saw the damage" and "we stopped the call at $500" is exactly where money leaks out of an AI program.
This checklist finds that gap. It walks 25 concrete questions across five areas — visibility, waste, controls, identity, and compliance — and each one has a "what good looks like" answer so you can score yourself honestly. Most of these questions are uncomfortable on purpose. If you can't answer one without pulling a screenshot or asking an engineer, that's the finding.
How to use it: block 30 minutes. Go section by section, check the box only when you can answer today, from a system, without asking engineering to run a query. Tally your score at the end. Then pair it with the free AI Spend Audit — connect a usage export and see your own numbers turn the abstract questions below into dollars.
The rule for every question: if the honest answer is "we'd have to go ask someone," leave the box unchecked. Attribution and control that live in someone's head are neither.
Section 1 — Visibility & Attribution
You can't govern what you can't see, and "which API key" is not seeing. Real visibility answers which team, on what task, against whose budget — before you need to reconcile an invoice.
-
Can you name the team that spent the most on AI last month — without asking engineering? What good looks like: spend is attributed by team, project, and person in a system you can open yourself, not reverse-engineered from provider keys after the fact.
-
Can you split a single provider invoice back to the business units that drove it? What good looks like: a chargeback report finance can reconcile to the provider invoice row by row — not an off-path estimate built in a spreadsheet.
-
For any AI call, can you answer WHO, HOW MUCH, WHY, WHERE, and WHEN? What good looks like: every governed call is written to an append-only ledger that records the person or agent (WHO), the budget it drew on (HOW MUCH), the project and task (WHY), the location (WHERE), and the timing (WHEN).
-
Do you know your AI spend today — or only at the end of the billing cycle? What good looks like: spend is visible in near real time as calls happen, not discovered when the invoice lands 30 days later.
-
Can you attribute the cost of an autonomous agent separately from the human who launched it? What good looks like: each agent is its own persona with its own record, and its subagents roll up under it — so "the agent" is a line item, not a mystery inside someone's key.
-
If spend doubled next month, could you say which workload caused it in minutes? What good looks like: attribution is granular enough to isolate the workload, project, or key responsible without a forensic exercise.
Section 2 — Waste & Optimization
Roughly 30% of AI spend is lost to unoptimized prompts, retries, and runaway jobs — and that's the conservative end; published audits put waste far higher. The waste is invisible precisely because nothing on the request path is watching for it.
-
Do you know what percentage of your AI traffic is repetitive — the same questions asked a thousand ways? What good looks like: you've measured your cacheable share. On repetitive production traffic, a well-tuned semantic cache typically eliminates 40–80% of provider calls — a cache hit costs nothing.
-
Are you paying to regenerate answers you've already produced? What good looks like: semantically identical requests are served from cache at zero provider cost instead of billed again — and the replay is streamed so the user experience is identical.
-
When the cache saves money, can you see how much — as a number a CFO can put on a slide? What good looks like: each cache hit lands in the ledger as a first-class saving, with the dollar amount you would have paid recorded — not a saving that silently disappears.
-
Do you know how much you spend running premium models on tasks a cheaper tier could serve? What good looks like: you can see spend by model and flag the over-spec calls, rather than defaulting every workload to the most expensive model available.
-
Can you spot an agent stuck in a retry loop before it burns the weekend? What good looks like: retry-heavy behavior is visible in the record (an unusually high reserve-to-settle ratio is the tell) rather than discovered on Monday.
-
Does context accumulation in long agent runs show up anywhere before the bill? What good looks like: you understand which workloads have superlinear cost growth and watch token-in on multi-step runs, instead of assuming linear cost.
Section 3 — Budgets & Controls
Alerts are not controls. An alert at 3 AM that nobody wakes up for is four more hours of uncapped spend. The only thing that stops a runaway is a limit that says no before the call, not a notification after it.
-
Does every workload have a hard budget cap — or just a monitoring dashboard? What good looks like: each key carries a hard cap and a budget window enforced on the request path, not a soft threshold that only fires an email.
-
When a budget is exhausted, does the next call get blocked — or just logged? What good looks like: the gateway returns a 402 before the call is forwarded to the provider. No spend occurs. It's a circuit breaker, not an alert.
-
Could two concurrent agent threads both spend the "last $5" in your budget? What good looks like: the reserve-then-call operation is atomic — one thread gets through, the other gets the 402. A hard budget, not a soft one.
-
Can you freeze a single leaking key without taking down everything else? What good looks like: a one-click kill switch on any key, team, or workload — because every workload has its own key, not a shared one.
-
Does an anomaly trigger anything the moment it happens, or only in the next report? What good looks like: spend-anomaly alerts fire the instant a workload deviates from plan, on-path, while there's still time to act.
-
Before an agent starts a long task, can it check whether there's budget for it? What good looks like: every call is authorized against the budget ahead of spend, and the agent is told approved or denied before it spends a token.
Section 4 — Identity & Security
A shared key is an unattributable, unrevokable liability. Every dollar needs an owner, and every owner needs a key that can be frozen on its own — and that's worthless if a leaked token string is enough to spend.
-
Is every team, agent, and employee on a shared provider key — or a distinct governed one? What good looks like: a distinct governed key per team, per agent, per employee, so every dollar has an owner and any single key can be frozen without touching the rest.
-
If a key leaked to a public repo tonight, could someone spend with just the token string? What good looks like: keys carry a binding second factor — a token that leaks without its binding key is a dead key. Exfiltrating the string alone buys the attacker nothing.
-
Do your raw provider keys ever sit in application code, env files, or CI logs? What good looks like: workloads use governed virtual keys (
tk_live_…) instead of raw provider keys; the raw keys stay in a vault and are never exposed on the request path. -
When someone leaves, is their AI access revoked with the same rigor as their email? What good looks like: access is keyed to identity so it can be cut cleanly per person, not left live on a shared key nobody wants to rotate.
-
Can sensitive data (PII) reach your model providers today — and can you prove it can't? What good looks like: a fail-closed PII pre-flight with twelve detectors scans the prompt before it reaches the model; if it can't clear the check, the call doesn't go. Fail-closed means a fault drops the call, it doesn't wave it through.
-
If you use a cache, are you sure it isn't quietly storing customer PII in the cache key? What good looks like: PII is redacted from the text before it's hashed or embedded, so raw PII never enters the cache store — a control that doesn't create a new data-residency problem.
Section 5 — Compliance & Audit
Governance you can't prove isn't governance an auditor accepts. "We have a function developers are supposed to call" is not a control. A control is on the path, with a tamper-evident record behind it.
-
When an auditor asks whether PII can reach your providers, is your answer a control or a hope? What good looks like: the answer is an on-path control with a record behind it — not "we told developers to be careful."
-
Do you have an append-only record of every allocation and policy decision? What good looks like: an append-only audit of every budget allocation and policy decision — tamper-evident, not a mutable log anyone can edit.
-
Could you produce evidence mapped to SOC 2, ISO 27001, ISO 42001, or NIST AI RMF this quarter? What good looks like: a continuous evidence pack that maps your AI controls to SOC 2, ISO 27001, ISO 42001, and NIST AI RMF — assembled from live data, not reconstructed by hand before the audit.
-
For "what did agent X do last weekend?" — can you answer with intent, not just raw logs? What good looks like: the record shows the budget that was authorized alongside what executed, so you can answer intent-and-execution, not just parse request logs after the fact.
Score yourself
Count your checked boxes out of 25.
| Score | Where you stand |
|---|---|
| 0–8 — Flying blind | AI spend is running on shared keys with visibility after the fact and no enforcement. A single leaked key or runaway agent could post a five-figure surprise before anyone notices. Start with attribution and a hard cap on your highest-spend workload. |
| 9–17 — Partial | You have some visibility, maybe alerts, probably a spreadsheet doing the reconciliation. But the controls are off-path — you can see trouble, not stop it. The gaps are almost always in enforcement (Section 3) and identity (Section 4). Close those before spend compounds. |
| 18–25 — Governed | You attribute, cap, and authorize on the request path, and you can prove it to an auditor. You're in the minority. Focus on optimization headroom (Section 2) and keeping the evidence pack continuous as your AI footprint grows. |
Be strict. A box you checked because "engineering could probably tell us" belongs unchecked — the whole point is what you can answer from a system, right now.
The after
Every unchecked box above is the same shape of problem: something that should be enforced on the request path, before the call is instead observed from the side, or not at all. An AI spend control plane closes that gap by design. Here's what it puts in place of the blanks:
-
Five-dimension attribution. Every governed call written to an append-only Token Ledger that answers WHO, HOW MUCH, WHY, WHERE, and WHEN — before a token is spent. No more reverse-engineering spend from provider keys.
-
Hard caps at the gateway. Every key carries a hard budget cap. When it's exhausted, the plane returns a 402 before the call reaches the provider — a circuit breaker, not an alert. The $34,000 weekend becomes a call that stopped at $500.
-
A chargeback CSV finance can reconcile. The same ledger produces a chargeback export that reconciles to the provider invoice row by row — and records every semantic-cache hit as a first-class saving, so the money the cache saved is a number, not a disappearance.
-
Binding-key identity. A distinct governed key per team, agent, and employee, each with a binding second factor — so a leaked token string is a dead key, and any one key can be frozen without touching the rest.
-
Compliance evidence, continuous. An append-only audit rolled into an evidence pack mapped to SOC 2, ISO 27001, ISO 42001, and NIST AI RMF — plus a fail-closed PII pre-flight so the answer to "can PII reach our providers?" is a control, not a hope.
The fastest way to see the difference is to watch a call get governed. Run your own numbers through the free AI Spend Audit — connect a usage export and see your real spend turn into the questions above, in dollars. Then watch one call hit the ledger, draw against a budget, clear the PII pre-flight, and — if it's over cap — get denied with a 402 before a single token is spent.
Run the free audit and watch a call get governed at tokenality.ai/playground.
Make every token count.
Tokenality is a preview product; design-partner customers are awaiting sign-off. Market figures attributed inline. This checklist describes shipped capabilities only.