Skip to content

AI token policies: How to govern model access by role, project, and environment

Updated July 14, 2026

TL;DR: AI token policies must be enforced at runtime, not analyzed after the fact. When an autonomous agent loops unchecked, it can exhaust an organization's entire token budget in minutes, and no retrospective log review stops that damage while it is happening. Effective governance separates technical constraints (context windows set by the model) from administrative controls (quotas and budgets set by your team), and enforces both at the system level across roles, projects, and environments. A self-hosted control plane is the only architecture that keeps governance logic, enforcement decisions, and audit logs inside your perimeter while remaining model agnostic and developer-transparent.

Engineering teams are deploying AI agents faster than governance processes can capture them. When token limits live in a developer's hardcoded config or a policy document that no one enforces, cost overruns and data leaks across environments are not edge cases. They are the expected outcome.

This playbook is written for both personas simultaneously: the governance leader (CISO, GRC director, or compliance owner) who needs evidence-ready policy controls, and the engineering or platform team responsible for implementing and operating them. Every section addresses the governance requirement first, then the implementation detail that satisfies it.

Why AI token policies matter for enterprise AI deployment

This article covers Scope B deployments: organizations governing both self-hosted models and third-party API endpoints under a single control plane, where enforcement policy, audit logging, and quota management must apply uniformly regardless of whether the model is internally hosted or externally provided.

Every AI application consuming a model API incurs token costs with each call. In single-turn, human-driven interactions, that cost is bounded by the pace of human input. In agentic systems, that constraint disappears entirely, because agents execute at machine speed across loops that can self-extend indefinitely without a hard ceiling.

For a CISO or GRC director preparing for a regulatory review, and for the engineering team that must produce the evidence that review requires, undocumented token usage is not just a line-item variance on an invoice. It represents an uncontrolled resource allocation, an unaudited interaction record, and a potential exfiltration vector if sensitive data passes to unauthorized external model endpoints. The OWASP Top 10 for Agentic Applications identifies ungoverned agent interactions, including identity failures, unbounded resource consumption, and observability gaps, as primary risk categories in production agentic deployments.

Preventing AI cost overruns and leaks

When an agent gets stuck attempting to complete a task, each iteration sends the accumulated context window to the model again. By step 20 of a failed loop, the agent is paying for the same system prompt and conversation history 20 times over, compounding at a rate that human oversight cannot catch at runtime. Unchecked agent loops running at machine execution speed can exhaust API budgets far faster than any human monitoring cadence can detect, and no retrospective log analysis prevents the damage while it is happening.

Beyond cost, ungoverned token flows create a data boundary problem. If a development agent can reach production model endpoints, sensitive production context can transit unauthorized paths. Runtime token governance closes both vectors simultaneously by enforcing who can call what, under which policies, and with what volume limits, before the call reaches the model.

What makes token governance different from traditional API management

Traditional API management governs request counts and latency. Token governance adds a second dimension: the computational weight of each individual request. Two requests to the same endpoint can carry a 100-token payload or a 100,000-token payload, and standard rate limiting treats them identically. The distinction matters because token governance operates across two fundamentally different constraint types.

Technical constraints vs. administrative controls

Dimension

Technical constraint (context window)

Administrative control (quota/budget)

Who sets it

Model architecture

Your governance team

Who enforces it

Model inference server

Control plane policy

Override possible

No

Yes, by policy update

Purpose

Maximum input/output capacity

Cost, security, fairness

Breach response

Model returns error

Control plane blocks or rewrites

The model's architecture defines the context window as a fixed upper bound for a given deployment configuration. The limit is set at the model and provider level, not by the calling application, though specific limits may vary across provider tiers and enterprise implementations. An administrative quota is a governance decision, and enforcing it requires your control plane to intercept the call before it reaches the model. As a standard estimation, 1 token is approximately 4 characters or 0.75 words in English, so a 100-word document requires roughly 133 tokens. Code and JSON typically consume more tokens than equivalent English prose, which affects how you budget for technical workloads differently from document analysis.

Defining the pillars of AI token governance

This playbook organises effective token governance across three practitioner-defined control dimensions: role, project, and environment. Each pillar addresses a distinct failure mode, and together they form a standards-aligned AI governance strategy anchored to AIUC-1, which consolidates the EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS, OWASP AIVSS, IBM AI Risk Atlas, and Cisco AI Security & Safety Framework into a single cross-framework reference that maps across Govern, Map, Measure, and Manage functions where applicable.

Assigning token quotas by role and principal type

Human users exhaust token budgets at cognitive speed. Autonomous agents exhaust them at machine speed. That difference requires separate identity security and access controls for Non-Human Identities (NHIs), which include autonomous agents, service accounts, and machine workloads that call model endpoints without human initiation. The OWASP Top 10 for Agentic Applications specifically addresses the risk of agents operating outside governed authorization boundaries, and token quotas are the primary administrative mechanism for bounding their resource consumption.

Mapping token access to organizational roles means treating each role class as a distinct principal with its own quota, model access permissions, and enforcement policy. Consider a hypothetical example: an NHI agent processing batch document extraction has fundamentally different access requirements from a read-only analyst reviewing AI-generated summaries. Collapsing these into a single quota tier creates the blast radius that runaway loops exploit.

Setting project-level AI usage caps

Project-level isolation prevents a single high-consumption initiative from exhausting an organization's entire token allocation. Consider a hypothetical financial services organization running three AI projects simultaneously, a document review assistant, a regulatory change monitor, and a client-facing summary generator, that needs budget fencing between them so a spike in one workload does not degrade availability for the others.

Project quotas also create the reporting granularity that business stakeholders need. In a hypothetical scenario, when a VP asks which AI initiative drove last quarter's cost variance, a project-level token ledger inside the customer's environment provides a defensible answer without relying on invoice line items from a third-party vendor.

Setting environment-specific guardrails

Development environments need enough access for engineers to test realistic workloads. Production environments need strict controls that prevent unauthorized model access and enforce data handling policies. Staging environments need to mirror production policies so that governance behavior is validated before release, not discovered after it.

Applying identical policies across all three environments creates friction in development without adding security to production. Applying no policies to development creates the pathway where a developer accidentally hits a production model endpoint with test data containing regulated content. The control plane eliminates both failure modes by enforcing differentiated policy sets across environments.

Universal AI access control strategy

A unified control plane applies all three pillar policies consistently across every model in the organization's AI system, whether that model is a self-hosted Llama deployment, a closed-vendor API endpoint, or a model accessed through a third-party integration.

Scaling AI governance with role-based limits

The following four steps translate the role, project, and environment pillars into a configured, operational control plane. Each step produces a concrete governance artifact: a quota tier, a budget ceiling, an enforcement action, or an audit log entry.

Step 1: Map AI access requirements to organizational roles

Classify every principal that sends requests to a model endpoint into a role tier. A tiered access table gives security and GRC teams a structured baseline to configure and audit.

Role-based token quota tiers (illustrative)

Role

Daily token quota

Model access

Credential scope

Read-only analyst

10K to 50K‡

Approved endpoints only§

Session-bound

Power user (interactive)

100K to 500K‡

Approved endpoints plus RAG§

Session-bound

Developer (testing)

500K to 1M‡

Dev environment models only§

API key expiry

Autonomous agent (NHI)

1M to 10M‡

Governed endpoints only§

60 to 300 seconds per capability token

†Credential scope values are illustrative examples reflecting common implementation patterns. No public governance framework prescribes specific credential TTL or scope configurations for any role tier. Consult your organization's identity and access management policy when defining production values.

‡Daily token quota ranges are practitioner-defined illustrative examples based on common usage patterns. No authoritative platform (including Azure OpenAI, Google Gemini, or OpenAI) or enterprise governance framework prescribes specific quota ranges for any role tier. Calibrate actual quotas against your organization's observed usage telemetry before finalising production configuration.

§Model access descriptors (such as "approved endpoints only" or "approved endpoints plus RAG") are practitioner-defined illustrative examples reflecting common role-scoping patterns. No authoritative platform (including Azure OpenAI, Google Gemini, or OpenAI) or enterprise governance framework prescribes specific model access configurations for any role tier. Define endpoint access lists according to your organization's AI asset inventory and access control policy.

As shown in table above, the Autonomous agent (NHI) row carries the highest illustrative quota range (1M to 10M tokens daily) and the shortest credential TTL (60 to 300 seconds per capability token) because agentic workloads operate at machine speed. A short-lived capability token limits the blast radius of a compromised credential to the duration of a single task execution.

Step 2: Define token budgets by role and use case

Calculate realistic budgets from historical usage logs combined with the context windows of the models in scope. The three most widely deployed model families carry the following specifications.

Model context window specifications

Model family

Input context window

Max output

Note

GPT-5.5 (OpenAI)

1,050,000 tokens

128,000 tokens

Released April 2026. Standard pricing applies up to 272,000 input tokens; requests above that threshold are billed at higher input and output rates. Verify current specifications at developers.openai.com/api/docs/models before finalising production budgets.

Claude Sonnet 4.6 (Anthropic)

1,000,000 tokens

64,000 tokens

Standard output limit is 64,000 tokens; up to 300,000 tokens is supported on the Message Batches API with the output-300k-2026-03-24 beta header. Verify current specifications at docs.anthropic.com before finalising production budgets.

Gemini 3.1 Pro (Google)

1,000,000 tokens

65,536 tokens

Released February 2026. Default maxOutputTokens parameter is 8,192; it must be explicitly configured to unlock the full ~64K output capacity. Verify current specifications at ai.google.dev/gemini-api/docs/models before finalising production budgets.

Model specifications change with provider releases. Consult current vendor documentation before finalizing production budgets.

A 200K-token context window means a single Claude request can carry the equivalent of roughly 150,000 English words as input. An agent that accumulates context across a multi-step loop can hit that ceiling quickly, with each call costing proportionally to the tokens included.

Step 3: Configure runtime enforcement at the control plane

The control plane intercepts each call, evaluates it against the applicable AI governance policy covering prompt injection defense, toxicity filtering, grounding verification, and runtime integrity, and then allows, blocks, or rewrites the request before it reaches the model. The control plane makes this decision on the inbound path at the moment of the call, not retrospectively through log analysis. The audit log provides a record of each enforcement action.

Step 4: Automate governance evidence logs

When the control plane enforces a policy decision, it generates a structured audit log entry covering the timestamp, the principal identity, the model endpoint targeted, the policy evaluated, and the enforcement outcome. The control plane formats that entry for the customer's SIEM, and the customer's ingestion pipeline consumes and stores it within their perimeter. No enforcement decision is captured only in memory. Every runtime check produces a durable, structured record inside the customer's environment.

Enforcing token budgets at the project level

Project-level enforcement addresses the failure mode where one high-consumption initiative silently exhausts capacity shared across the organization. The controls in this section create the budget boundaries and detection signals that prevent that outcome.

Setting project-specific token quotas

Project-level quotas should attach to specific API keys or project identifiers tracked within your governance architecture. When a project's allocation for the billing period is exhausted, the enforcement layer should block subsequent calls under that project identifier until the period resets or an administrator manually extends the quota. Implementing this boundary at the infrastructure level, rather than relying on developer-side configuration, prevents one initiative from silently consuming capacity allocated to another.

Detecting irregular token consumption

A runaway agent loop does not look like normal usage. Normal interactive usage shows a relatively smooth consumption curve across working hours. A loop typically produces a rapid, sustained consumption spike with the same tool call repeated against the same error class, with identical or near-identical request payloads, and a cost line that continues climbing until an enforcement action or manual intervention stops it. Treating token consumption anomalies as security events, not just billing surprises, is a recommended practice. The consumption pattern produced by a compromised credential can closely resemble that of a runaway agent loop. Without identity context in the enforcement record, differentiating between the two scenarios is significantly more difficult. Both warrant the same detection and escalation workflow.

Configuring automated violation alerts

When a quota breach event is generated, the control plane formats it as a structured detection event and forwards it to the customer's SIEM. The security team's existing alert routing handles escalation, which means a token runaway in a production AI agent can reach the same on-call queue as any other production security event, without a separate monitoring tool or a custom integration the engineering team maintains.

Isolating AI workloads with granular policies

Environment isolation closes the pathway where development credentials reach production model endpoints and test data transits regulated context. The controls below apply differentiated policy sets to production, staging, and development without requiring separate governance infrastructure for each.

Enforcing policy across AI environments

Production environments typically carry the strictest token and access policies: only registered, approved model endpoints are accessible, and every enforcement decision is captured as a structured, durable audit log entry, scoped to the log levels appropriate for production rather than the verbose output used in development and staging environments. In a typical implementation, development environments are configured with a broader set of permitted model endpoints under the same control plane, allowing developers to evaluate model alternatives without standing up separate governance infrastructure for each, though the specific access scope should be defined by your organization's AI access control policy.

Organizations hosting open-source models locally within their own infrastructure face a specific governance challenge: those models have no external provider enforcing rate limits or monitoring usage. All token governance for locally hosted models must originate from the control plane. The same governance policies that apply to a third-party API endpoint apply identically to a self-hosted Llama or Mistral deployment, governed by the same runtime enforcement logic.

Preventing unauthorized model access across environments

As a recommended security practice, a developer API key scoped to a development environment should be restricted from reaching production model endpoints or querying production knowledge bases, treating environment boundaries as an explicit policy enforcement point rather than a configuration convention. Preventing this requires the control plane to evaluate not just "is this call within the token budget" but "is this identity authorized to reach this endpoint in this environment." Every call is verified against the full policy set, regardless of origin.

Governing AI token policies with Prediction Guard's sovereign AI control plane

This section describes how Prediction Guard's self-hosted control plane implements the governance architecture covered in earlier sections. Each subsection maps a product capability to the specific compliance or operational requirement it satisfies.

Self-hosted architecture for data sovereignty

Prediction Guard deploys the entire control plane inside the customer's own infrastructure, whether that is a self-hosted server cluster, a cloud VPC, or an air-gapped environment. The control plane runs all governance logic inside the customer's environment and generates the audit log there as well. No request payload, no token count, and no policy decision transits Prediction Guard's infrastructure. For organizations handling CUI, ITAR-controlled data, or regulated financial records, this is the architectural requirement that external gateways cannot satisfy.

Vendor-agnostic AI token management

Prediction Guard is model agnostic. The same governance policies (prompt injection defense, toxicity filtering, grounding verification, and runtime integrity monitoring) apply uniformly to open-source model families like Llama and Mistral, closed-vendor endpoints, and self-hosted models under one control plane.

Mapping policies to ISO/IEC 42001, OWASP, and NIST AI RMF

Framework alignment for AI token governance

Capability

ISO/IEC 42001 clause

OWASP Agentic AI / LLM item

NIST AI RMF function

Role-based token quotas

6.1.3 (risk treatment)

LLM10: Unbounded Consumption

GOVERN 2.1 (roles and responsibilities)

Runtime enforcement, block on breach

8.1 (operational planning and control)

LLM10: Unbounded Consumption

MANAGE (response)

Project-level usage caps

8 (operation)

LLM10: Unbounded Consumption

MAP 1.5 (risk tolerance)

Structured SIEM-ready audit log

9.1 (monitoring)

LLM02: Sensitive Information Disclosure

MEASURE (monitoring)

NHI/agent identity governance

8.1 (operational planning and control)

ASI03: Identity and Privilege Abuse

GOVERN 3 (oversight of AI systems)

ISO/IEC 42001 clause numbers reference the 2023 standard version.

The AI Unified Compliance initiative (AIUC-1) consolidates AI-specific frameworks only, including the EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS, OWASP AIVSS, IBM AI Risk Atlas, and Cisco AI Security & Safety Framework. The AIUC-1 crosswalks (aiuc-1.com/crosswalks) bridge AIUC-1 to adjacent governance standards including NIST 800-53, SOC 2, and HIPAA, so compliance teams do not need to maintain parallel mapping exercises. For teams managing AI governance across multiple regulatory regimes simultaneously, AIUC-1 provides a consolidated view across these AI-specific standards.

Adapting workflows for token governance

The following implementation detail is directed at the engineering team; governance owners can use it to confirm that the control plane imposes zero developer friction, which removes the adoption resistance that leaves token policies unenforced. Developers do not change their code. Existing OpenAI-compatible (/chat/completions, /responses) and Anthropic-compatible (/messages) SDK calls work unchanged. The only modification is pointing base_url at the Prediction Guard control plane endpoint. Security and GRC teams configure quota tiers, environment policies, and model access rules on the Govern page of the Admin Console, and those policies apply to every call regardless of which framework or SDK the developer used. For teams already using LangChain, the langchain-predictionguard package connects directly to the control plane without rebuilding the existing toolchain.

Bridging AI governance and enterprise compliance

Runtime enforcement produces governance evidence, but that evidence only satisfies a regulatory requirement when it maps to a named control in the applicable framework. This section traces each enforcement action to its corresponding AIUC-1, ISO/IEC 42001, and OWASP Agentic AI obligation.

Operationalizing AIUC-1 controls for token governance

AIUC-1 consolidates the governance obligations from the EU AI Act, NIST AI RMF, ISO 42001, and aligned frameworks into a unified control surface. Within that consolidated view, the Govern function, present across NIST AI RMF and ISO/IEC 42001 clause 6, establishes accountability structures, defines policies, and ensures oversight across the AI lifecycle, all of which can be implemented at the system level through runtime token enforcement.

Defining a token quota for an NHI agent and enforcing it at the API call produces continuous, per-request enforcement evidence: the kind of artifact an ISO/IEC 42001 certification body or AIUC-1 assessor expects to demonstrate that policy is actively applied, not simply documented and assumed to operate. ISO/IEC 42001 clause 9.1 and the NIST AI RMF Measure function both require tracking actual consumption against established budgets. The structured audit log generated by every enforcement decision provides that measurement artifact automatically, without a manual data collection step.

Mapping token policies to OWASP Agentic AI risks

The OWASP Top 10 for Agentic Applications is the primary community guidance anchor for agentic AI risk, covering identity and authorization failures, unbounded resource consumption, observability gaps, and sensitive data leakage across autonomous agent pipelines. For token governance specifically, the Agentic AI Top Ten addresses related risks at the agent execution layer (notably ASI08: Cascading Failures), covering the risk that agents operating without hard resource ceilings exhaust infrastructure budgets, trigger cascading failures, or expose sensitive context through uncontrolled output.

The OWASP LLM Top Ten's LLM10: Unbounded Consumption extends that coverage to the model API layer, addressing Denial of Wallet, variable-length input floods, resource-intensive queries, model extraction, and side-channel attacks. Both sets of guidance converge on the same runtime control pattern: rate limiting, user quotas, input size limits, timeouts on resource-intensive operations, and graceful degradation under heavy load. A control plane configured with role-based output token limits, context window thresholds, and per-agent step count ceilings directly enforces these recommendations across both frameworks within a single enforcement surface. The quota blocks unbounded consumption at the model API layer, the step ceiling bounds agent execution behaviour, and the audit log satisfies the observability requirement. Which controls apply depends on how each is configured for the workloads in scope.

Structured audit logs for model usage

The technical flow from enforcement to audit evidence works as follows:

  1. A request arrives at the control plane endpoint.
  2. The control plane evaluates the call against the applicable role quota, project budget, environment policy, and security rules.
  3. The control plane allows, blocks, or rewrites the call based on that evaluation.
  4. The control plane generates a structured audit log entry recording every dimension of that decision.
  5. The control plane formats that log entry to match the field structure expected by the customer's SIEM (Splunk, Datadog, or syslog-compatible targets).
  6. The customer's existing SIEM ingestion pipeline, operating under the customer's credentials and within the customer's perimeter, delivers and retains that record.

Prediction Guard does not hold SIEM API keys, HEC tokens, or credentials of any kind. It formats the audit log output. The customer's infrastructure handles delivery and storage, keeping governance records entirely within the controlled environment.

Operationalizing token limits across environments

Quota configuration without correct breach-handling produces the retry loops that token policies are designed to prevent. The subsections below cover the enforcement mechanism distinctions, budget assignment approach, and agentic exposure controls that make runtime limits operational rather than theoretical.

Distinguishing token and rate constraints

Governance owners should note the architectural implication of this section: without correct retry handling at the engineering layer, a single quota breach can cascade into a runaway retry loop, the exact failure mode token policies are designed to prevent. The implementation detail below is what prevents that.

When Prediction Guard enforces a limit, your application must handle a 429 (rate limit, temporary) differently from a 403 (quota exceeded, requires intervention), because the first signals a transient condition while the second requires administrative action. Agents that retry on 429 without backoff logic will loop on a rate limit breach and consume additional tokens in the retry attempts, compounding the original problem. Designing retry logic with exponential backoff and a hard retry ceiling is a prerequisite for any agentic system in production.

Assigning token budgets per role

For initial deployment, establish a provisional quota for each tier based on your organization's available usage telemetry or representative workload estimates, then refine the limits based on observed consumption once the control plane has been logging calls for a sufficient baseline period. The length of that baseline should reflect your organization's deployment cadence and operational risk tolerance. Starting with more permissive limits and tightening based on actual consumption is one common approach to preventing developer disruption, because every call is logged from the first request and the telemetry needed to calibrate tighter limits accumulates from day one.

Curbing agentic AI exposure with token policies

By design, the control plane's registration step requires every model endpoint, Model Context Protocol (MCP) server, and tool integration to be declared within the control plane before calls to that asset are subject to policy evaluation. Assets that have not been registered cannot be governed, which makes the registration step the primary mechanism for closing the gap where integrations are deployed faster than governance processes capture them. This produces the AI System inventory and the AIBOM export as byproducts of the governance setup.

Defining default token overrun policies

The control plane can be configured to respond in three ways when a call breaches a configured limit:

  • Block the call: Return an HTTP error response to the calling application, typically 429 (quota exhausted, period-bound) or 403 (quota exceeded, requires administrative intervention) depending on the limit type breached, preventing the request from reaching the model and ensuring no tokens are consumed beyond the configured limit.
  • Flag and allow: Permit the call but generate a policy violation event forwarded to the SIEM, preserving the test result while creating an auditable record.
  • Rewrite the request: Apply a policy-defined modification to the call before it reaches the model, such as stripping unsafe prompt content or enforcing output format constraints, allowing the call to proceed at a reduced scope rather than being blocked outright.

Which behavior applies depends on the sensitivity of the model endpoint and the criticality of the application. Production agents handling regulated data warrant a hard block. Development workloads may warrant flag-and-allow with an alert, so engineers see the violation without losing the test result.

Start enforcing token governance at the system level

A wiki document is not governance. Governance requires system-level enforcement. If your current approach depends on developers remembering token limits rather than the system enforcing them, the next runaway loop or adverse finding from an FFIEC examiner, CMMC C3PAO, or ISO/IEC 42001 certification body is a matter of when, not if.

Book a deployment scoping call to assess whether Prediction Guard's self-hosted control plane fits your infrastructure and compliance requirements.

FAQs

How do I estimate token usage from raw text?

As a standard estimation, 1 token is approximately 4 characters or 0.75 words in English. Code and JSON typically consume more tokens than equivalent English prose, so budget separately for technical workloads.

What is the recommended TTL for agent capability tokens?

To minimize the blast radius of a compromised credential, capability tokens for tool servers should expire within 60 to 300 seconds. Higher-privilege tokens warrant the shortest TTL the system can support reliably.

Does Prediction Guard store our SIEM credentials or audit logs?

No. Prediction Guard does not hold SIEM API keys or store logs. It formats the audit log output natively for your SIEM, and your existing ingestion pipeline handles delivery and storage entirely within your perimeter.

What is the relationship between the OWASP Top 10 for Agentic Applications and OWASP LLM10: Unbounded Consumption?

The OWASP Top 10 for Agentic Applications addresses resource risks at the agent execution layer: unbounded resource consumption by autonomous agents operating without hard ceilings. OWASP LLM10: Unbounded Consumption addresses the same risk class at the model API layer, covering Denial of Wallet, variable-length input floods, resource-intensive queries, model extraction, and side-channel attacks. For agentic systems, both apply simultaneously: the Agentic AI Top Ten governs the agent's execution behaviour, while LLM10 governs the model calls the agent generates. Token-based runtime enforcement at the control plane addresses both layers within a single policy.

Can Prediction Guard govern both self-hosted and third-party model endpoints under the same policy?

Yes. Prediction Guard is model agnostic and enforces the same governance policies across self-hosted models, open-source model families, and closed-vendor API endpoints under one set of governance policies without requiring separate policy configurations per model.

Key terms glossary

Sovereign AI control plane: An internal software system deployed within a customer's secure perimeter to compose, secure, and govern disparate AI models, tools, and services.

Runtime enforcement: The active interception and evaluation of AI inputs and outputs at runtime, allowing, blocking, or rewriting calls before they complete.

Agentic AI exposure: The security and compliance risk associated with deploying autonomous AI agents that make unmonitored outbound tool calls or model requests.

Non-Human Identity (NHI): An autonomous software agent, service account, or machine workload that requires distinct identity security and access controls separate from human users.

AIBOM: An AI Bill of Materials, an exportable inventory of an organization's registered AI assets (models, tools, datasets, and dependencies) in CycloneDX format, produced as a byproduct of AI System registration in the control plane.

Unbounded resource consumption: A risk category addressed by both the OWASP Top 10 for Agentic Applications (at the agent execution layer) and OWASP LLM10: Unbounded Consumption (at the model API layer), covering Denial of Wallet, variable-length input floods, resource-intensive queries, model extraction, and side-channel attacks on AI systems.