For Agentic AI, the Delegation Chain Is the Cost Chain

The last post ended at the control plane and a promise: that it already knows who acted, on whose behalf, and why.

Here is why it knows.

Every agentic action is an act of delegation

§ 01 — The delegation tree, and the two entities that can initiate spend

Every agentic action is an act of delegation. For example, when a human delegates authority to an agent (likely through on-behalf-of token exchange), that agent might then delegate narrower slices of authority to sub-agents, and they might do the same with their own sub-agents, and so on. The result is an execution map that looks like a tree, and the leaves of that tree are tool calls — the things that finally do the work. Each agent and sub-agent makes LLM calls which cost money in the form of LLM tokens, and each tool call costs money in the form of subscription or operational costs.

Furthermore, there are exactly three types of agent invocation: a human invoking an agent, an agent invoking another agent, and an agent acting autonomously (i.e. being invoked by some contextual stimulus — a condition that occurs and causes the agent to act). By combining one or more of these three scenarios, any real-world use-case can be modeled. This means that there are really only two entities that can initiate spending: a human who invokes an agent, or an agent that wakes up and chooses to do something… and even in the case where the agent makes the decision itself, you can bet that it answers to someone, and that someone is responsible for what it does (you can look up the various lawsuits that drive this point home!). So, if we want to trace the spending back to a single entity, we need to follow the delegation chain back to the initiator and/or the owner of that initiator.

As it turns out, this delegation chain is exactly what an authorization control plane needs to understand to answer the question it exists to answer: is this allowed? This is because authorization is fundamentally about identity and delegation — about who is acting, on whose behalf, for what purpose.

Cost attribution is that same question asking “who pays for this?” by walking the exact same chain.

With cloud, the system that metered the spend and the system that understood the business context were two different things, and you spent years trying to staple them together. With agents, they can be the same system. This is why agentic cost governance can be native in a way cloud cost governance never got to be. Because Agent Authority sits inline on every call, it captures each hop at the moment of the authorization decision, with the full picture attached: the human principal who originated the intent, the team or cost center behind them, the delegation that minted the agent's authority, the function being performed.

In cloud billing, the “tag” is a label someone has to remember to apply to every resource so the spend can be traced back later. Here there's no such label. The tag is the delegation chain itself, recorded inline as the work happens.

The most regulated industries already built this muscle

§ 02 — Regulated finance already runs action-level accountability

Accountability for every action, traced through delegated authority, is something one industry was already forced to build, long before agents existed. Every action traced back through its chain of authority sounds like new infrastructure built for agents. For one industry, it isn't new at all. The most regulated institutions built this muscle years ago, for reasons that had nothing to do with AI.

Watch the largest and most advanced financial institutions. They are already doing it, and they didn't wait for a cost crisis to start. Regulation forced these institutions to master action-level accountability years ago.

A tier-one bank already has to answer, for any action in its systems:

• who initiated this?
• under what authority?
• on whose behalf?
• against which policy?
• and can you prove all of it after the fact?

Audit trails, provenance, segregation of duties, least privilege, full reconstruction of a transaction's lineage. That is simply the cost of operating under regulators.

So when agents enter the picture, these institutions are not starting from zero. They already have the infrastructure: every action must trace back to an accountable principal through a chain of delegated authority. Agents are just a new kind of actor inside a discipline they already run.

Here is the move the sharpest of them are making. The same scrutiny they maintain for the regulator answers the CFO's question “who pays for this?” too. The delegation lineage that proves “this agent acted within its authority, on behalf of this human, under this policy” is the same lineage that says “and here is exactly what it cost, attributed to that person, that desk, that function.” They are taking the rigor they were required to build for compliance and pointing it straight at spend.

That is the tell. The most demanding operators in the world are treating agent accountability as the shared foundation for both control and cost, because to them those were never separate problems. The rest of the market tends to follow regulated finance into exactly these practices, usually later.

That is what SecureAuth's Agent Authority does. It sits inline on every agent action and records the chain as the work happens: the human who originated the intent, the authority that was delegated, the function performed, the tool invoked, the cost incurred.

Cloud taught a second lesson: the bill is a security signal

§ 03 — Abnormal spend as the first symptom of compromise

There was another lesson buried in the cloud cost story, and it landed hard enough to permanently fuse two functions that used to live far apart.

As soon as compute became elastic and on-demand, attackers noticed. A leaked access key committed to a public repository, a misconfigured service, a phished console login — and within minutes automated bots would spin up every expensive instance they could reach, across every region they could reach. The favorite payload was cryptocurrency mining: compute that costs the victim real money and pays the attacker directly. The genre earned a name: cloud jacking. And the defining detail of these incidents was almost never a tripped intrusion alarm. It was the bill. A developer's mistake at lunchtime could become a five- or six-figure charge before anyone in security knew something was wrong.

That rewired how serious organizations thought about cost. Abnormal spend stopped being purely a finance concern and became one of the earliest and clearest indicators of compromise. Cloud providers shipped billing anomaly detection partly as a security tripwire. FinOps dashboards and security operations started watching the same curves, because a sudden, unexplained spike in consumption meant one of two things: a workload was misbehaving, or someone who wasn't supposed to be there was spending your money. Cost analytics and cybersecurity stopped being separate disciplines and became two readouts of the same underlying truth — that something was doing far more than it should.

Agents are about to make that fusion total. The agentic version of cloud jacking is already visible in outline: a prompt-injected agent turned against its own principal, a stolen agent credential, a rogue agent looping through tools it was never meant to touch. Every one of those shows up first as consumption that doesn't fit. Tokens burned, tools hammered, a delegation chain doing far more than its purpose justifies. The earliest symptom of the attack and the earliest symptom of waste are the same symptom, and they arrive on the same wire.

The difference this time is where they arrive. With cloud, the cost signal and the security signal had to be correlated after the fact across two different systems. With agents, both originate at the control plane, because the control plane is the one place that holds the authorization decision (is this agent allowed to do this?) and the consumption it produces (what did it cost?) at the same instant, against the same identity, in the same chain.

From the bill to the decision

§ 04 — When spend attaches to the chain, it becomes a decision

Once spend is attached to the chain rather than dumped into a lump sum, the cost conversation changes the same way it eventually changed for cloud — except you get there without the years of pain.

Spend becomes attributable by human, by team, by business function, by agent, by tool, by end-to-end workflow. Instead of “we spent a lot on inference last quarter,” you get “the reconciliation workflow cost X, and seventy percent of it was one sub-agent re-fetching the same data on every loop.” That's a decision waiting to be made — about what to fund, what to cap, what to kill, and what to expand.

It's also how you prove the program is working. The same data that exposes waste demonstrates return: “this workflow burned a few thousand dollars in tokens and displaced two hundred analyst-hours” is the sentence that gets agentic AI funded for another year.

And because it's inline, you can act, not just report

§ 05 — Inline enforcement: one lever for waste and compromise

Cloud FinOps was largely a rear-view-mirror discipline. You rightsized after the overspend, bought reserved capacity after you understood your baseline, cleaned up after the sprawl. Optimization mostly happened after the money was gone.

An inline control plane can do something cloud billing never could: enforce in real time. A token budget becomes a policy. When an agent or an entire delegation chain crosses its allocation, the control plane can throttle it, downgrade it to a cheaper model, require a human to approve continued spend, or deny the next call outright. Cost governance becomes enforceable, not merely reportable.

This is also where the cost story and the security story collapse into a single control. Because the spike that means “waste” and the spike that means “compromise” arrive on the same wire, the budget you set to contain a runaway workflow is the same mechanism that contains a hijacked one. When a delegation chain blows past its allocation, you don't need to know in that moment whether the cause is an inefficient loop or an attacker riding a stolen agent credential. The control plane throttles, downgrades, demands human approval, or denies — and you investigate the why afterward. One lever, both problems. Cloud needed two systems and a correlation step to get there. The agentic control plane gets there by construction.

Learn the lesson early this time

§ 06 — Two cloud-era truths, learned before the expensive part

The cloud era taught enterprises two hard truths. The companies that got their spend under control didn't do it with a prettier dashboard; they did it by making someone accountable for the cost they caused, and by reconnecting every dollar to the intent behind it. And the companies that caught attackers early learned to read the bill as a security signal, because abnormal spend was often the first place a breach showed its face.

Agentic AI is offering the same two lessons and a rare gift alongside them: the chance to learn both before the expensive part, not after. The thread between human intent and token spend doesn't have to be reconstructed later from the wreckage of a billing report. It can be held from the start, at the control plane, where the delegation chain already lives, and where cost and compromise reveal themselves in the same place at the same time.

The institutions with the most to lose, the ones already living under a regulator's scrutiny, have figured this out. We've seen this movie before. This time, we get to skip to the part where we already know how it ends.