AWS Ships FinOps Agent and Bedrock Token Attribution at FinOps X

Anyone who has tried to explain a surprise Bedrock invoice to a CFO knows the problem. The bill says "model inference." The CFO wants to know which campaign, which agent, which intern. At FinOps X 2026 in San Diego, AWS finally tried to close that gap.

The headline announcement was the AWS FinOps Agent, now in public preview, alongside granular per-session attribution inside Amazon Bedrock. Together they aim to make AI spend traceable down to the IAM role that fired the call. For performance marketing teams shovelling traffic through LLM-powered creative, scoring, and bidding pipelines, this is the first time the cost story matches the architecture story.

What Happened

At the FinOps X 2026 keynote on 18 June, Bradford Lyman, director of product management at AWS, walked through a slate of cost tooling updates that, as TechTarget reported, all orbit one theme: AI is now both the thing you pay for and the thing watching the bill.

The FinOps Agent went into public preview as an AI-powered system that analyses cloud spend, investigates anomalies, generates custom reports, and surfaces optimization recommendations through natural language queries. It plugs into Jira so that findings land in the queue of the engineer who actually owns the workload. Teams can run it on a schedule, trigger it on specific events, or just ask it questions on demand.

Crucially, it does not execute infrastructure changes or apply optimizations automatically. It reads, summarises, and routes. The data it reads comes from AWS Cost Explorer, Cost Anomaly Detection, Cost Optimization Hub, and Compute Optimizer. The clever bit: it correlates those signals with CloudTrail to trace cost changes back to the specific user or role that triggered them.

Alongside the agent, AWS shipped granular cost attribution inside Amazon Bedrock that maps token usage to IAM roles, with the data flowing into Cost Explorer and the Cost and Usage Report at line-item level, including input and output token counts. Lyman called it "the foundation of tokenomics."

The rest of the bundle: Savings Plans target planning inside the console, automatic root-cause explanations for cost and forecast changes, double the number of idle-resource recommendations, plus credit-level sharing controls and a new console view for earned credits, remaining balances, and which workloads are burning them.

Technical Anatomy

The architecture choice worth studying is the agent's read-only posture. AWS could have built something that auto-rightsizes EC2 or kills idle SageMaker endpoints. They didn't. From production incidents I've seen, that is the correct call. An autonomous agent with write access to billing-relevant infrastructure is the same risk profile as giving a junior on-call engineer root in prod at 3am. Recommendations into Jira are boring. Boring is what survives.

The Bedrock attribution model is the more interesting piece technically. By piping per-session model invocations through IAM identity and emitting input/output token counts at the line-item level of the Cost and Usage Report, AWS is effectively turning every Bedrock call into a structured billing event keyed on role. If your team has been disciplined about assigning distinct IAM roles per application, agent, or tenant, you already have campaign-level AI cost visibility. If you've been sharing one fat service role across the org, you have a refactor.

The FinOps Agent itself is a meta-layer on top of existing services. It does not invent new telemetry. It stitches together Cost Explorer trends, Cost Anomaly Detection signals, Compute Optimizer rightsizing data, and Cost Optimization Hub recommendations, and then uses CloudTrail as the forensic trail. The natural-language interface is the part that demos well. The CloudTrail correlation is the part that matters at 2am when a forecast doubles overnight and nobody remembers who deployed the new agent.

My take: the integration with Jira is the most consequential design decision in the entire announcement. Routing cost anomalies into the same queue as bugs collapses the FinOps-versus-engineering org chart. Teams that have spent years arguing about who owns the bill suddenly own it through their normal ticket flow.

Who Gets Burned

Performance marketing platforms running LLM-heavy stacks are exposed first, in both directions. The upside: you can finally show a media buyer the actual cost per generated creative, per scored audience, per real-time bid enrichment. The downside: so can your finance team, and a lot of those unit economics will not survive contact with daylight.

Ad-tech teams building Bedrock-backed copy generation, landing page personalisation, or attribution modelling have been operating on vibes. The token bill arrived monthly as one number. Now it arrives per IAM role, per session, with input and output tokens broken out. Teams I've worked with in similar billing transitions discovered that 20 percent of their workloads drove 80 percent of the cost, and that the expensive 20 percent was usually an experimental feature nobody had killed.

iGaming operators running personalisation agents against player sessions are in a particularly tight spot. If each player session triggers Bedrock calls under a shared role, you have aggregate cost but no per-cohort signal. Regulators in several European markets are already asking about algorithmic personalisation toward high-value players. "We can't tell you which sessions cost what" is not the answer compliance wants.

Fintech teams using Bedrock for transaction screening or support automation gain real audit value here. Per-role attribution into Cost Explorer means model spend can be mapped to product lines for internal cost allocation, which is something every multi-product fintech has been faking with spreadsheets.

The uncomfortable read: agencies and SaaS vendors who have been marking up opaque AI costs to clients now face customers who can see the underlying token line items if they share an account structure. Margin compression is coming.

Playbook for Performance Marketing

Action items for the next two weeks, in priority order.

First, audit your IAM role structure for any Bedrock-calling workload. If a single role serves multiple campaigns, applications, or tenants, split it before you turn on attribution. Otherwise the new Cost and Usage Report data is just aggregate noise with extra columns.

Second, enable the FinOps Agent in a non-production account and point it at your ad-serving and bidding workloads. Let it run for two weeks on a schedule. The goal is not to act on every recommendation. The goal is to see which anomalies it catches that your existing alerting misses, and how often it surfaces idle resources you forgot about. AWS doubled idle-resource recommendations in this release, so the surface area for low-effort wins just expanded.

Third, wire the agent's Jira integration into the same board your platform team uses for incidents. Do not create a separate FinOps board. Cost issues that live in a sidebar get ignored. Cost issues that block the sprint get fixed.

Fourth, set Savings Plans coverage targets in the console for your baseline compute. The new target planning feature removes the spreadsheet step. If you run steady-state ad-serving infrastructure, leaving it on-demand is two engineers worth of budget on a 10-person team, every year.

Fifth, for teams using attribution-side tooling like the Privacy Sandbox Attribution Reporting API alongside Bedrock-powered modelling, tag the Bedrock workloads with the same campaign identifiers you use downstream. End-to-end cost-per-conversion becomes a query, not a quarterly project.

Key Takeaways

• The AWS FinOps Agent is read-only by design, routing anomaly findings and optimization recommendations into Jira rather than executing changes. Correct architectural call.
• Bedrock now attributes token usage to IAM roles with input and output tokens at line-item level in the Cost and Usage Report. Per-role discipline is now a billing requirement, not a hygiene preference.
• Savings Plans target planning, doubled idle-resource recommendations, and automatic root-cause explanations move console-level FinOps from spreadsheet workflows into the AWS UI.
• Credit-level sharing controls and the new credit transparency view matter for any org running multi-account structures with negotiated AWS credits, especially agencies and platforms.
• Performance marketing teams running LLM stacks should split shared Bedrock IAM roles this sprint, before turning attribution on. Aggregate data is not actionable data.