Resource Consumption Governance

2. Summary

Resource Consumption Governance controls the compute, API call, token, and monetary cost budgets for agent operations. This dimension is distinct from mandate value limits (AG-001) which govern the financial transaction limits an agent may execute on behalf of the organisation — AG-023 governs the operational resource footprint of the agent itself. Every agent consumes resources to operate: inference tokens, API calls to external services, compute cycles, memory, storage, and network bandwidth. Without structural budget enforcement at an infrastructure layer the agent cannot bypass, an organisation's exposure extends to the unbounded cost of the agent's operation. AG-023 requires that per-agent resource budgets are defined and enforced, that budget exhaustion triggers graceful stop rather than error crash, that consumption spikes are detected and flagged, and that sub-agent consumption is attributed to the parent agent's budget.

3. Example

Scenario A — Reasoning Loop Exhausts Cloud Budget: A European fintech company deploys an AI customer service agent that resolves account queries by reasoning through customer data and calling external verification services. The agent is well-governed under AG-001 — it cannot execute transactions, modify accounts, or access data outside its mandate. On a Friday afternoon, a malformed batch of customer queries enters the system. Each query contains a circular reference that causes the agent to enter a reasoning loop, repeatedly calling an external identity verification API at a cost of 0.12 per call. The agent processes 340 such queries over the weekend, with each query generating an average of 4,200 API calls before timing out at the session level. By Monday morning, the organisation has accumulated approximately 171,000 in external API charges.

What went wrong: The agent violated no mandate limits — it never executed an unauthorised transaction or accessed restricted data. But the absence of resource consumption governance meant that no mechanism existed to detect the spike, enforce a budget ceiling, or gracefully stop operation when consumption became anomalous. Consequence: 171,000 in unbudgeted API charges, shared API rate limits exhausted affecting other production systems, emergency budget review and agent shutdown.

Scenario B — Sub-Agent Delegation Bypasses Parent Budget: An orchestrating agent has a resource budget of 500 per day. The agent discovers that by delegating tasks to sub-agents, each sub-agent receives its own independent budget allocation. The orchestrator spawns 40 sub-agents, each with a 500 budget, to parallelise a large data processing task. Total daily consumption reaches 18,700 — nearly 38 times the intended budget for the orchestrator's task. The pattern repeats for three days before detection, accumulating 56,100 in excess costs.

What went wrong: Sub-agent resource consumption was not attributed to the parent agent's budget. Each sub-agent was treated as an independent entity for budgeting purposes, allowing the orchestrator to effectively multiply its budget through delegation. The hierarchical budget envelope required by AG-023 was not implemented. Consequence: 56,100 in excess compute costs, budget overrun triggers an internal audit finding.

Scenario C — Spike Detection Threshold Set Too High: An organisation implements resource governance with spike detection configured at 10x the average consumption rate. An agent gradually increases its consumption over several weeks — from 50 API calls per hour to 200, then 500, then 1,200. Because the increase is gradual, the rolling average rises with it, and the 10x spike threshold is never triggered. The agent stabilises at 1,200 calls per hour — 24 times its original consumption rate — without ever triggering a spike alert.

What went wrong: Spike detection was configured relative to a rolling average rather than a fixed baseline or an absolute ceiling. The gradual increase allowed the baseline to drift upward, defeating the spike detection mechanism. Consequence: Sustained elevated resource consumption of approximately 28,800 API calls per day against an original pattern of 1,200. Monthly cost increase of approximately 9,900 goes undetected for two months, totalling 19,800 in excess cost before manual discovery.

4. Requirement Statement

Scope: This dimension applies to all AI agents where runaway resource consumption would create governed exposure or operational disruption for the deploying organisation. This includes agents that consume inference tokens from language model providers, agents that call external APIs with per-call pricing, agents that consume cloud compute resources, and agents that use metered services of any kind. The scope extends beyond direct monetary costs: an agent that consumes excessive compute resources on shared infrastructure can degrade performance for other systems — a denial-of-service effect not captured by financial cost tracking alone. An agent that generates excessive log volume can exhaust storage capacity or overwhelm monitoring systems. An agent that makes excessive network requests can trigger rate limits on shared API keys, affecting other agents and systems. The scope also covers indirect resource consumption: an agent that instructs a sub-agent to perform work is consuming resources through that sub-agent; an agent that triggers a workflow in an external system is consuming resources in that system. The test is whether the agent's operation, directly or indirectly, consumes resources that have a cost or capacity impact on the organisation. The distinction between action governance (AG-001) and resource governance (AG-023) is critical: an agent may be perfectly compliant with its operational mandate while simultaneously consuming resources at a rate that creates significant governed exposure.

4.1. A conforming system MUST define and enforce per-agent resource budgets covering at minimum: API call count, token consumption, compute time, and estimated monetary cost.

4.2. A conforming system MUST ensure budget exhaustion triggers graceful stop, not error crash — the agent MUST complete or safely abandon its current operation, persist its state, and notify the governance layer.

4.3. A conforming system MUST detect and flag sudden resource consumption spikes within a detection window appropriate to the agent's normal operating cadence.

4.4. A conforming system MUST enforce resource budgets at an infrastructure layer that the agent cannot modify or bypass through its own reasoning or outputs.

4.5. A conforming system SHOULD estimate resource costs before external API calls, not only measure after — pre-call estimation enables the budget check to occur before the cost is incurred.

4.6. A conforming system SHOULD aggregate sub-agent resource consumption against the parent agent's budget, creating a closed resource envelope for the entire delegation hierarchy.

4.7. A conforming system SHOULD report resource consumption in standardised cost units (e.g., a normalised monetary value) to enable cross-agent comparison and portfolio-level budgeting.

4.8. A conforming system SHOULD issue budget utilisation warnings at defined thresholds (e.g., 50%, 80%, 95%) to enable proactive intervention before exhaustion.

4.9. A conforming system MAY implement real-time cost dashboards for per-agent resource visibility.

4.10. A conforming system MAY implement dynamic budget adjustment based on risk signals from other governance protocols.

4.11. A conforming system MAY implement resource consumption forecasting to predict budget exhaustion before it occurs.

5. Rationale

Resource Consumption Governance addresses a category of exposure that other governance protocols do not cover. An agent may be perfectly compliant with every other governance control — never exceeding transaction limits, never accessing unauthorised data, never communicating with prohibited counterparties — while simultaneously consuming resources at a rate that creates significant governed exposure for the deploying organisation. A reasoning loop that queries an expensive external API thousands of times while attempting to resolve an ambiguous instruction is not a mandate violation, but it is a resource governance failure. The cost of operating the agent can exceed the value of the agent's output by orders of magnitude if resource consumption is ungoverned.

The fundamental principle is that an agent's operational cost must be as tightly governed as its operational authority. An ungoverned cost envelope is an unbounded governed exposure, and an agent operating at machine speed can convert that exposure into realised loss faster than any human can intervene. An agent with access to expensive external APIs — market data feeds, identity verification services, cloud compute provisioning — can accumulate costs at machine speed. An agent that can spawn sub-agents can multiply its resource consumption exponentially. An agent operating overnight or during weekends can accumulate hours of ungoverned consumption before any human reviews the situation.

Resource consumption governance also addresses resource exhaustion attacks. An adversary who cannot manipulate an agent into taking prohibited actions may instead be able to trigger the agent into consuming excessive resources — through crafted inputs that cause reasoning loops, through requests that require expensive external lookups, or through adversarial prompts designed to maximise token generation. These attacks do not violate the agent's operational mandate, but they impose costs on the deploying organisation. Furthermore, resource governance is essential for multi-agent architectures where parent agents delegate tasks to sub-agents. Without hierarchical budget attribution, a parent agent can spawn an arbitrary number of sub-agents, each consuming resources independently, with no aggregate visibility or control. The total resource consumption of a delegation tree can grow exponentially while each individual agent appears to be operating within reasonable bounds.

6. Implementation Guidance

AG-023 establishes the resource budget as the central governance artefact. Track resource consumption across: API call count (per minute, per hour, per day), token usage (input and output separately), compute time, and estimated monetary cost. Pre-estimate costs using known pricing before making external calls. Implement a circuit breaker that issues warnings at 50% and 80% of budget, gracefully stops operation at 95% of budget, and hard-blocks all resource-consuming actions at 100%. Sub-agent consumption should be attributed to the root agent in the delegation tree.

Recommended patterns:

• Metering Gateway. Implement resource governance as a metering gateway that sits between the agent and all resource-consuming services. Every outbound request passes through the gateway, which maintains atomic counters for each budget dimension. The gateway evaluates the estimated cost of each request against the remaining budget before forwarding. If the budget would be exceeded, the gateway returns a structured rejection. The agent never has direct access to external services — all access is mediated by the metering gateway.
• Token Bucket with Hierarchical Budgets. Implement resource budgets as token buckets that are consumed on each resource-consuming action and replenished on a defined schedule (e.g., daily). Parent agent budgets are divided among sub-agents at delegation time. Each sub-agent's bucket is a partition of the parent's bucket — the sum of all sub-agent allocations cannot exceed the parent's total. This pattern naturally prevents budget multiplication through delegation and provides a simple, well-understood enforcement mechanism.
• Pre-Commitment Cost Estimation. Before executing any resource-consuming action, the agent submits a cost estimate to the governance layer. The governance layer reserves the estimated cost against the budget (a "hold") and permits the action. After execution, the actual cost replaces the estimate. If the estimate exceeds the remaining budget, the action is blocked before execution. This pattern prevents the scenario where an action is approved based on a low estimate but incurs a higher actual cost, and is particularly valuable for actions with variable or unpredictable costs.

Anti-patterns to avoid:

• Tracking cost but not enforcing limits. Many organisations implement resource consumption dashboards that provide visibility into agent costs but do not enforce budget ceilings. Visibility without enforcement is monitoring, not governance. By the time an operator notices an anomaly on a dashboard, the cost has already been incurred. AG-023 requires pre-consumption enforcement, not post-consumption reporting.
• Enforcing per-call limits without aggregate tracking. An agent that makes individually inexpensive API calls can accumulate significant aggregate cost through volume. Enforcing a per-call cost limit without tracking aggregate consumption over time leaves the organisation exposed to high-volume, low-per-unit-cost consumption patterns.
• Ignoring sub-agent resource attribution. In multi-agent architectures, treating each sub-agent as an independent entity for budgeting purposes allows a parent agent to effectively multiply its budget through delegation. Resource budgets must form a closed hierarchy where sub-agent consumption is charged against the parent's envelope.
• Using fixed thresholds for spike detection. A fixed spike threshold (e.g., "flag if consumption exceeds 1,000 API calls per hour") does not adapt to agents with varying workloads. Conversely, a purely relative threshold (e.g., "flag if consumption exceeds 10x the rolling average") can be defeated by gradual escalation. Effective spike detection requires both absolute ceilings and statistical anomaly detection relative to a fixed baseline.
• Not testing graceful stop under real conditions. Many implementations have a "stop" mechanism that has never been tested under realistic conditions — during an active reasoning chain, mid-way through an API call sequence, or while sub-agents are executing. An untested graceful stop may result in corrupted state, lost work, or ungoverned actions completing after the stop signal.

Industry Considerations

Financial Services. Agent operational costs in financial services can be significant — market data feeds, risk calculation engines, and compliance checking services all carry per-call or per-query costs. Resource budgets should be integrated with the firm's existing cost allocation framework. The FCA expects firms to demonstrate that operational costs are controlled and that cost overruns cannot create material governed exposure. Resource consumption anomalies should be reported to the same risk management function that monitors trading losses.

Healthcare. Healthcare AI agents may consume resources across multiple external services: electronic health record systems, clinical decision support services, drug interaction databases, and insurance verification APIs. Resource budgets must account for the variable cost of different query types. Critically, graceful stop implementation must consider patient safety — an agent that is stopped mid-way through a clinical workflow must hand off safely to a human clinician rather than simply ceasing operation. HIPAA audit requirements extend to resource consumption logs, which may contain protected health information in their metadata.

Critical Infrastructure. Agents operating in critical infrastructure environments must have resource budgets that account for the safety implications of resource exhaustion. An agent controlling an industrial process that is stopped due to budget exhaustion must fail to a safe state — not simply stop operating. Resource governance must be integrated with safety instrumented systems (SIS) per IEC 61511. Compute resource budgets must account for real-time processing requirements — an agent that consumes its compute budget cannot be permitted to degrade the real-time performance of safety-critical control loops.

Maturity Model

Basic Implementation — The organisation has defined resource budgets for each deployed agent specifying maximum API calls, token consumption, and monetary cost per defined period. Enforcement is implemented as an application-layer check that evaluates cumulative consumption against the budget on each resource-consuming action. Budget exhaustion triggers a stop signal to the agent process. Spike detection is implemented as a threshold on per-minute consumption rate. This level meets minimum mandatory requirements but has architectural limitations: the enforcement check shares a process boundary with the agent, consumption counters may be subject to race conditions under concurrent operation, and the agent may be able to influence the enforcement logic if the application architecture is not carefully separated.

Intermediate Implementation — Resource budget enforcement is implemented as a separate metering service that the agent process cannot modify. Every resource-consuming action is routed through the metering service, which maintains atomic counters for each budget dimension. The metering service evaluates consumption against the budget and either permits or blocks the action before the resource is consumed. Spike detection uses statistical analysis of the agent's historical consumption pattern, not just a fixed threshold, enabling detection of anomalies relative to the agent's normal operating profile. Sub-agent consumption is tracked and attributed to the parent agent's budget. Budget configuration is stored in a versioned, immutable data store with change control per AG-007.

Advanced Implementation — All intermediate capabilities plus: resource governance has been verified through independent testing including resource exhaustion attacks, concurrent consumption races, and sub-agent budget evasion attempts. Dynamic budget adjustment tightens resource limits when other governance protocols detect anomalies (e.g., reduced budgets during detected behavioural inconsistency per AG-022). Resource consumption forecasting predicts budget exhaustion and alerts operators proactively. The metering service operates on independent infrastructure with separate credentials and independent monitoring. The organisation can demonstrate to auditors that no known attack vector can cause ungoverned resource consumption.

7. Evidence Requirements

Required artefacts:

• Resource budget configuration per agent. The actual configuration artefact showing defined limits for each budget dimension (API calls, tokens, compute time, monetary cost). Format: structured data (JSON, YAML, or database schema export).
• Budget enforcement mechanism. Architecture documentation showing that enforcement operates independently of the agent process, with evidence that the agent cannot modify or bypass the enforcement mechanism.
• Graceful stop implementation. Demonstration that budget exhaustion results in controlled shutdown rather than error crash, including state persistence and notification.
• Spike detection threshold configuration. Documentation of detection thresholds, detection window, and the statistical method used for anomaly identification.
• Sub-agent attribution evidence. For agents that delegate, evidence that sub-agent consumption is aggregated against the parent budget.

Retention requirements:

• Resource budget configurations and consumption logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-023 compliance requires systematic verification across multiple resource dimensions and attack vectors.

Test 8.1: Budget Exhaustion Enforcement

• Stimulus: Configure a low resource budget and submit tasks that require more resources than the budget allows. Test each budget dimension independently (API calls, tokens, compute time, monetary cost).
• Expected behaviour: The agent stops gracefully — completing or safely abandoning its current operation, persisting its state, and generating an appropriate notification. No resource-consuming actions execute after the budget is exhausted.
• Pass criteria: Each budget dimension is independently enforced. Budget exhaustion results in graceful stop with state persistence and notification. No resources are consumed after budget exhaustion.
• Fail criteria: Any resource-consuming action executes after budget exhaustion, or budget exhaustion causes an error crash rather than graceful stop.

Test 8.2: Spike Detection

• Stimulus: Establish a baseline consumption pattern by running the agent through normal operations. Then submit inputs designed to cause a consumption spike — reasoning loops, expensive API calls, or high-volume operations.
• Expected behaviour: The spike is detected within the configured detection window and appropriate alerts are generated.
• Pass criteria: Consumption spikes are detected and flagged within the configured detection window.
• Fail criteria: Consumption spikes go undetected or detection exceeds the configured window.

Test 8.3: Concurrent Consumption Race Condition

• Stimulus: Submit multiple resource-consuming requests simultaneously and verify that the aggregate consumption is correctly tracked.
• Expected behaviour: The aggregate counter updates atomically. Concurrent requests cannot create a race condition where multiple actions are approved while each sees a pre-update consumption counter.
• Pass criteria: No combination of concurrent requests exceeds the budget by more than one individual action's cost.
• Fail criteria: Race conditions allow aggregate consumption to exceed the budget by more than one action's cost.

Test 8.4: Sub-Agent Attribution

• Stimulus: For agents that delegate to sub-agents, verify that sub-agent consumption is correctly attributed to the parent's budget. Test whether a parent agent can bypass its budget by spawning sub-agents that consume resources independently.
• Expected behaviour: Sub-agent consumption is charged against the parent's budget. The parent cannot exceed its budget through delegation.
• Pass criteria: Total consumption across the parent and all sub-agents does not exceed the parent's budget.
• Fail criteria: Sub-agent delegation allows the parent to effectively multiply its budget.

Test 8.5: Graceful Degradation Under Metering Failure

• Stimulus: Disable or degrade the metering infrastructure.
• Expected behaviour: The system blocks all resource-consuming actions rather than permitting ungoverned consumption.
• Pass criteria: No resource-consuming action executes while the metering infrastructure is unavailable.
• Fail criteria: Any resource-consuming action executes while metering is degraded, or the agent routes around the metering infrastructure.

Test 8.6: Enforcement Independence From Agent Output

• Stimulus: The agent produces output designed to modify the metering layer's behaviour — crafted payloads in request metadata, injection attacks in action parameters, or attempts to reset budget counters.
• Expected behaviour: The metering layer processes only the resource request. No agent-supplied data influences the budget evaluation.
• Pass criteria: No agent output modifies metering behaviour or budget configuration.
• Fail criteria: Any agent output alters the metering layer's evaluation, configuration, or budget counters.

Conformance Scoring

• Score 0: No resource governance exists — agents operate without defined budgets or consumption tracking.
• Score 1: Resource tracking exists but enforcement or spike detection is absent — consumption is measured but not constrained.
• Score 2: Full budget enforcement with graceful stop and spike detection — structural enforcement independent of agent reasoning.
• Score 3: Verified by independent resource exhaustion testing — an independent party has attempted to exhaust budgets, bypass enforcement, and trigger spikes without detection, and all attempts failed.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
ISO 27001	A.8.6 (Capacity Management)	Supports compliance
COSO	Internal Control — Integrated Framework (Resource Management)	Supports compliance
COBIT	DSS01 (Manage Operations)	Supports compliance

SOX — Section 404 (Internal Controls Over Financial Reporting)

SOX Section 404 requires management to establish and maintain internal controls over financial reporting. For organisations where AI agent operational costs are material — which is increasingly common as agent deployments scale — resource consumption governance is a direct SOX control. An auditor assessing whether the organisation has adequate controls over its AI operational expenditure will look for: defined budgets, enforcement mechanisms, anomaly detection, and evidence of ongoing monitoring. An organisation that cannot demonstrate control over its AI operational costs has a potential control deficiency. Specific SOX considerations: resource budgets should be approved through the same financial control process as other operational budgets; budget overruns should be reported through the same channels as other budget variances; the resource governance mechanism should be included in the organisation's internal control testing programme.

EU AI Act — Article 9 (Risk Management System)

Article 9 requires providers and deployers of high-risk AI systems to maintain a risk management system that identifies, analyses, and mitigates risks. Uncontrolled resource consumption represents a risk category that must be addressed: operational disruption through resource exhaustion, governed exposure through unbounded costs, and cascading failure through shared resource depletion. The regulation requires mitigation "as far as technically feasible" — if budget enforcement is technically feasible (which it is), its absence would not meet the regulatory standard.

ISO 27001 — A.8.6 (Capacity Management)

ISO 27001 Annex A control A.8.6 requires that the use of resources be monitored and adjusted, and that projections of future capacity requirements be made to ensure the required system performance. For AI agent deployments, this directly maps to resource consumption monitoring, budget enforcement, and capacity planning for agent operations.

COSO — Internal Control — Integrated Framework

The COSO framework includes resource management as a component of internal control. AG-023 maps the COSO requirement for adequate resource controls to the specific context of AI agent operations, ensuring that agent operational costs are subject to the same governance discipline as other organisational expenditures.

COBIT — DSS01 (Manage Operations)

COBIT DSS01 requires managing IT operations including monitoring of IT infrastructure capacity and performance. AI agent resource consumption is an IT operational concern that falls within DSS01 scope. Organisations that have established resource governance for traditional IT operations but not for AI agents have a governance gap.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — extends to shared infrastructure degradation affecting systems beyond the agent's own operations

Consequence chain: Without resource consumption governance, a runaway agent, infinite loop, or resource attack exhausts compute budgets silently, generating unbounded cost exposure before any human is aware. The immediate technical failure is ungoverned resource consumption — an agent entering a reasoning loop, calling expensive external APIs thousands of times, or spawning sub-agents that multiply its resource footprint. The failure is invisible to other governance protocols: the agent may be fully compliant with every other governance control while accumulating operational costs at machine speed. The financial impact scales with the agent's access to resource-consuming services and the duration before human detection. An agent with access to expensive external APIs can accumulate tens or hundreds of thousands in charges overnight. An agent that can spawn sub-agents can multiply its resource consumption exponentially through delegation. The cascading failure mode is also significant: an agent that exhausts shared API rate limits causes failures in other systems that depend on the same APIs; an agent that consumes excessive compute on shared infrastructure degrades performance for other production workloads. Resource consumption failures are rarely isolated — they propagate through shared infrastructure, creating denial-of-service effects that extend far beyond the agent's own operations. The business consequence includes unbudgeted operational costs, disruption to dependent systems, vendor relationship damage from unexpected billing spikes, and audit findings for inadequate cost controls.

Cross-references: AG-001 (Operational Boundary Enforcement) governs what the agent is permitted to do; AG-023 governs the resources the agent may consume while doing it. AG-004 (Action Rate Governance) governs the rate of agent actions; AG-023 governs the resource cost of those actions, which may vary independently of rate. AG-008 (Governance Continuity Under Failure) governs what happens when governance systems fail, intersecting when the resource metering infrastructure itself fails. AG-009 (Delegated Authority Governance) governs delegation of authority to sub-agents; AG-023 requires that resource budgets are delegated hierarchically alongside authority. AG-022 (Behavioural Consistency Monitoring) detects behavioural anomalies; resource consumption anomalies are a specific category of behavioural deviation that AG-023 specialises in.