t49qnsx7qt-kpanks
Uber Burned Its 2026 AI Budget in Four Months. Here's What the Audit Trail Would Have Shown

Uber's president said it publicly: they torched the 2026 AI budget on Claude Code in four months, with cost forecasts missing by 10–50%. The question isn't whether they had visibility into what was being spent. They did. The question is whether they had visibility into why each authorization to spend was granted, at the moment it was granted.

Those are not the same thing.

The Monitoring Trap

Every team deploying AI agents at scale eventually builds spend monitoring. Dashboard, alerts, budget caps. You can see the number going up. What you can't see — until EU AI Act Article 12 enforcement starts August 2 — is the governance record.

Article 12 asks a different question than spend monitoring. It doesn't ask "how much did the agent spend?" It asks "for each agent action, what policy authorized it, what context justified that policy evaluation, and who or what was the delegated authority?" A transaction log answers the first question. An Article 12 audit trail answers all of them.

The Uber situation is the spend monitoring trap in concrete form: you can see the $X/month number in a dashboard, but you can't trace a specific Claude Code invocation back to the authorization decision that permitted it, the context that was in scope at that moment, or the policy that evaluated it. Budget alerts fire after the spend. Audit trails record the authorization before it.

Why CFOs Are About to Start Asking About This

The spend monitoring problem and the compliance problem are converging. CFOs who look at a 50% cost forecast miss on AI spend are going to ask for governance records — not just dashboards. Auditors doing EU AI Act compliance checks are going to ask for the same records. The teams that conflated "we have logs" with "we have an audit trail" are going to find out the difference in Q3.

The numbers from the enterprise risk landscape: 88% of organizations had AI agent incidents in 2026 YTD. Only 21% have actual visibility into what their agents can access. 63% can't enforce purpose limitations at runtime. That's not a monitoring gap — that's an authorization architecture gap with a compliance deadline attached.

What Closing the Gap Actually Takes

Closing the gap between spend monitoring and Article 12 compliance requires three things that most teams don't have wired up yet:

  1. Governance decision records — captured at the moment the agent was authorized to act, not reconstructed from transaction logs afterward
  2. Six-month retention on those records, with tamper-evident storage (not the 14–30 day verbose log retention most teams set years before agentic AI was in scope)
  3. Queryable structure — the records need to support an audit query like "show me every authorization decision for tool X between March 1 and April 30" in a format an EU auditor can consume
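
A sketch of what the first and third items, plus the tamper-evidence part of the second, can look like. This is an added example, not code from this post or from BizSuite; the field names, the `DecisionLog` class and the sample records are assumptions, and retention policy is out of scope here.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(body):
    # Canonical JSON so a record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DecisionLog:
    """Append-only authorization decisions, hash-chained for tamper evidence."""
    def __init__(self):
        self.records = []

    def record(self, ts, agent, tool, policy, decision, context, authority):
        # Written at authorization time, before the agent acts.
        body = {"ts": ts.isoformat(), "agent": agent, "tool": tool,
                "policy": policy, "decision": decision, "context": context,
                "authority": authority,
                "prev": self.records[-1]["hash"] if self.records else GENESIS}
        self.records.append(dict(body, hash=_digest(body)))

    def verify(self):
        """Index of the first record that fails the chain check, else None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def query(self, tool, start, end):
        """Decisions for `tool` with start <= ts < end."""
        return [r for r in self.records if r["tool"] == tool
                and start <= datetime.fromisoformat(r["ts"]) < end]

def sample_log():
    # Constructed sample records; every name and value here is illustrative.
    utc, log = timezone.utc, DecisionLog()
    log.record(datetime(2026, 3, 3, 9, 0, tzinfo=utc), "agent-7", "code_exec",
               "policy-v4", "allow", {"ticket": "EX-1", "est_cost_usd": 12.5}, "team-lead")
    log.record(datetime(2026, 4, 12, 14, 30, tzinfo=utc), "agent-7", "web_fetch",
               "policy-v4", "deny", {"ticket": "EX-2", "est_cost_usd": 0.4}, "policy-engine")
    log.record(datetime(2026, 5, 2, 8, 15, tzinfo=utc), "agent-9", "code_exec",
               "policy-v5", "allow", {"ticket": "EX-3", "est_cost_usd": 80.0}, "team-lead")
    return log
```

A hash chain only flags edits to records in the middle; to catch truncation or a wholesale rewrite, the latest hash has to be anchored somewhere the log writer cannot modify.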

The BizSuite AI Audit maps exactly what a team currently has against this standard: a 2-hour working session against your architecture, prioritized remediation plan in 48 hours, $997. The August 2 deadline is 52 days out — enough time to close the gap if you start now, not enough time if you wait for the CFO to ask.

https://getbizsuite.com/ai-audit.html