By NHI Mgmt Group Editorial TeamPublished 2026-07-07Domain: EventsSource: 1Password

TL;DR: AI token usage is creating spend and governance blind spots that finance, IT, and security teams cannot reconcile with existing tools, according to 1Password. The real issue is not just cost tracking, but the absence of a shared control model for who can consume AI, how usage is attributed, and what gets governed.


At a glance

What this is: This is a webinar about AI spend governance, with the central finding that token usage is exposing control and attribution gaps across finance, IT, and security.

Why it matters: It matters because identity and access teams increasingly need to govern who can use AI systems, how consumption is attributed, and which controls prevent unmanaged usage from becoming a security and cost problem.

👉 Register for 1Password's live webinar on AI spend and governance


Context

AI token consumption has become a governance problem because usage is often distributed across multiple tools, making cost attribution and control ownership unclear. In practice, that means finance sees the bill, IT sees fragments of activity, and security is left trying to determine whether the spend reflects approved access or unmanaged use.

For identity practitioners, the underlying issue is not just AI spend. It is the lack of an identity control plane that can tie AI usage to accountable users, systems, and policies across human access, non-human identities, and emerging agentic workflows.


Key questions

Q: How should teams govern AI consumption when spend is spread across multiple tools?

A: Start by assigning one control owner for AI consumption governance and require shared evidence from finance, IT, and security. Then map usage back to the identity or workflow that generated it so spend, access, and accountability stay linked. Without that join, AI usage becomes visible only as a cost, not as governed behaviour.

Q: Why do existing IAM tools miss AI spend and usage risk?

A: Most IAM controls can show whether an identity can access an AI-enabled service, but they do not always show token consumption, workflow context, or whether the use was expected. That leaves a gap between access and consumption. The result is blind spending, weak attribution, and limited accountability.

Q: What breaks when AI usage is only managed by finance teams?

A: Finance can see the bill, but it usually cannot determine which identity, application, or workflow generated the usage. That means approved use, accidental use, and unmanaged use can look the same. Governance fails when cost control is disconnected from identity control and there is no operational owner for exceptions.

Q: How can organisations tell whether AI consumption is actually under control?

A: Look for three signals: usage tied to accountable identities, clear approval paths for exceptions, and reporting that separates normal workflow consumption from unexpected spikes. If those three signals are missing, the organisation may be paying for AI without governing it. The real test is whether usage can be explained, not just billed.


Background and context

AI token usage governance and cost attribution

AI token usage is the consumption layer that many organisations do not yet govern like an identity-controlled asset. When usage is spread across SaaS applications, embedded copilots, APIs, and internal tools, the organisation loses a reliable record of who initiated the action, which identity paid for it, and whether the usage was authorised. That creates a governance gap between financial control and access control. Identity teams usually manage entitlement, while finance manages spend, but AI consumption cuts across both domains.

Practical implication: align AI consumption reporting to the identities and applications that generate usage, not only to the invoice.

Why existing tools miss AI spend signals

Most existing controls were built to see access, not consumption. IAM, SSO, and even many SaaS management tools can tell you that a user or service account can reach an AI-enabled platform, but not necessarily how much token activity occurred, which workflow triggered it, or whether the usage is routine, accidental, or excessive. That distinction matters because AI spend can escalate without any traditional access anomaly. In other words, the control gap is telemetry quality, not simply budget oversight.

Practical implication: review whether your current stack records AI activity at the level of user, app, and workflow rather than only at login.

Governance split across finance, IT, and security

When governance is split across several tools, the organisation gets fragmented accountability. Finance may focus on cost containment, IT on platform support, and security on access policy, but none of those views alone explains whether the AI use was appropriate, necessary, and traceable. This is especially important where AI consumption is tied to human users, delegated service accounts, or workflow automation. Identity governance becomes the joining fabric between these teams.

Practical implication: assign one control owner for AI consumption governance and define how finance, IT, and security share the evidence.


NHI Mgmt Group analysis

AI spend governance is now an identity governance problem, not just a finance problem. When AI consumption is spread across multiple tools, the organisation loses a consistent view of who is using what, under which authority, and for which business purpose. That is a classic governance failure because the same identity can drive both legitimate work and uncontrolled consumption. Practitioners should treat AI usage as an entitlement and attribution problem first, then a cost problem second.

Token consumption reveals the limits of tool-centric governance. Finance can track spend, and security can track access, but neither view alone answers the operational question of whether AI use was expected, approved, and attributable. This is where the named concept of AI consumption visibility gap: the organisation can see the bill but cannot reliably tie the spend to accountable identity and workflow. The implication is that governance models must join consumption telemetry to identity context.

AI usage control will increasingly sit between IAM, SaaS governance, and financial oversight. That intersection matters because AI services are already embedded inside everyday business applications, which means the control point is no longer a single platform. Organisations that keep AI spend in a separate finance workflow will continue to miss the access-control side of the problem. Practitioners should expect identity governance teams to own part of the operating model.

Shared accountability is the only workable model for AI consumption oversight. The article points to finance and IT leaders asking different questions about the same behaviour, which is a sign that governance has not yet converged. AI usage should be reviewed through one operating model that defines ownership, evidence, escalation, and exception handling. Practitioners should use this as a trigger to formalise cross-functional control ownership before usage scales further.

From our research:

What this signals

AI consumption governance will increasingly be measured by attribution quality, not just cost reduction. When usage is fragmented, the first priority is to make spend explainable by identity, application, and workflow. That is a governance requirement, not a finance preference, and it becomes more urgent as AI moves deeper into everyday business applications.

With 91% of former employee tokens remaining active after offboarding, according to our NHI research, identity lifecycle discipline remains the baseline control for any new AI consumption model. If organisations cannot reliably revoke stale access, they will struggle to distinguish sanctioned AI usage from lingering authority. The practical signal is whether your reporting can separate approved consumption from inherited privilege.

AI spend oversight will also force stronger alignment between identity operations and financial governance. The teams that get ahead of this will treat AI usage review as part of routine access and lifecycle management, not as an isolated budgeting exercise.


For practitioners

  • Define AI consumption ownership across teams Assign a named control owner for AI spend governance and document how finance, IT, and security each contribute evidence for usage approval, attribution, and exception handling.
  • Map AI usage to accountable identities Tie AI consumption reporting to the user, service account, or workflow that generated the activity so spend can be traced back to an accountable identity.
  • Review whether existing tools capture consumption telemetry Check whether your current IAM, SaaS, and monitoring stack records token usage at the level of identity, application, and workflow rather than only login events.
  • Build an exception process for unexpected AI usage Create a review path for unusual or unmanaged consumption so finance and security can quickly determine whether the activity was approved, accidental, or outside policy.

Key takeaways

  • AI spend is emerging as an identity governance issue because consumption without attribution is hard to control.
  • Existing tools often show access or cost, but not the identity context needed to govern AI usage end to end.
  • The practical response is shared ownership, identity-linked telemetry, and a clear exception process for unexpected consumption.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4AI consumption governance depends on managing and reviewing access permissions.
NIST SP 800-53 Rev 5IA-5Token-driven AI usage depends on authenticator and secret management controls.
NIST Zero Trust (SP 800-207)AI consumption oversight benefits from continuous verification of identity and context.

Apply zero-trust principles so AI usage is continuously validated rather than assumed from initial access.


Key terms

  • AI Consumption Governance: The discipline of controlling, attributing, and reviewing AI usage across tools, users, and workflows. It connects identity context to spending signals so organisations can tell whether consumption was approved, expected, and accountable rather than simply billed.
  • Token Usage Attribution: The process of linking AI token consumption back to the identity, application, or workflow that generated it. Without attribution, teams can see cost but cannot reliably explain who used the service, under what authority, or whether the activity was legitimate.
  • Identity Control Plane: The operational layer that ties identity, access, lifecycle, and telemetry together across systems. In AI governance, it is what allows security, IT, and finance to make the same decision from the same evidence instead of managing usage in separate silos.

What to expect at the briefing

1Password's full webinar covers the operational detail this post intentionally leaves for the source:

  • Live discussion with the CFO and advisory CISO on how finance and security should share ownership of AI spend oversight.
  • Practical examples of the AI consumption questions leaders should be able to answer before usage scales further.
  • The alternate session option for teams that need to join in a different time zone.
  • A candid conversation about how 1Password is approaching AI governance and spend control.

👉 The full 1Password webinar covers finance, IT, and security perspectives on AI consumption control

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org