Here is a fun game: you are a CTO and the AI bill just arrived

Look, the modern way to buy software is to give engineers a thing that bills by the token, tell them to use it judiciously, and then wait. The Information reported last month that Uber's CTO, Praveen Neppalli Naga, did the waiting and discovered that his full-year 2026 AI coding budget was already gone in April, which, as schedules go, is ambitious. Claude Code usage at the company nearly doubled in a quarter; by March, 84% of Uber engineers were classified as agentic coding users, and good for them. Per-engineer spend ranged from roughly $500 to $2,000 a month, with the CTO himself burning $1,200 in a two-hour personal demo — which is roughly the hourly billing rate of a junior associate at a midtown law firm, who would at minimum produce a timesheet. Uber's overall R&D line was $3.4 billion in 2025, so it isn't that they didn't have the room. It's that the model went looking for more room than they had, found some, and billed for it.

The post you would expect from a security-and-isolation company at this point is "use a sandbox." This is not that post. We wrote that one already, because of course we did. This is the other half of the same problem, the part where the invoice arrives, you can read it, and you cannot answer the only question anyone wants to ask, which is: fine, but for what.

The invoice is fine. The invoice is the problem.

Per-seat pricing was very easy to think about, and you should appreciate the per-seat era now that it is gone. You bought 200 seats of GitHub Copilot at $19 each, you got a line item for $3,800 a month, and when someone asked "what did we get for that," the answer was a shrug shaped like the industry — "tab completions, probably" — and everyone went back to their meetings. The thing about a shrug is that it scales. A $3,800 shrug is fine. A $1.8 million shrug starts to attract attention from the part of the building that has a fiduciary duty.

Token-priced agentic tooling is a different shape, and you have to think about it with your face. Two engineers on the same team, working on the same kind of feature, can differ in spend by a factor of forty. (Forty.) One of them opens a fresh session, asks for one thing, gets the thing, closes the session — $50, done, goes home and makes pasta. The other lets a parallel pack of agents hammer on a refactor for six hours, retries when the build breaks, retries again because a different model thought the first retry was wrong, retries a third time because at this point it is personal. Both engineers shipped code. One shipped at $50 of model time. The other shipped at $2,000. The invoice does not say which is which. The IDE does not say which is which. Finance gets a single aggregate number, engineering gets a Slack thread saying "Claude was amazing today," and neither of those, with respect, is a measurement.

The thing that makes this hard isn't the price. It's that none of the spend is attached to anything you can audit a quarter later. And so a PR landed. The PR has a diff. The diff has commits. The commits have authors. The author is a human. The human used an agent at some point — maybe. Used which agent? Which session? Which prompt? For how long? Doing what? The trail goes cold somewhere around the terminal scrollback, which has been closed, because nobody scrolls back. There is a name for this in finance, and it is "shrinkage," though in software we have not yet bothered to name it.

The middle box is everything you bought. It is also the only thing you cannot see.

Anyway, the shape of this problem is older than agentic coding, and if you have been in this industry long enough to be tired you will recognize it instantly. Cloud spend had the same arc. Five years of "the AWS bill is enormous and nobody knows why," then a generation of FinOps tooling started attaching dollars to teams and services and individual requests, and now the AWS bill is enormous and people know why, which, modest as that sounds, is the whole game. The fix was not to use AWS less. It was to make the spend legible.

Agentic coding is currently in pre-FinOps cloud. The spend is real, the tools are good, the productivity is genuinely there — none of that is in dispute. What's missing is the connective tissue between "this engineer, on this repo, in this session" and "these tokens, these commands, these files, this PR." Until that sentence exists, every dollar on the invoice is paid on faith, and the conversation with your CFO is one of those conversations.

What "visibility" has to mean, beyond the dashboard with the big number.

Everyone says "observability" and everyone nods, and almost nobody means the same thing by it. Coding agent vendors will happily show you a dashboard. The dashboard has token meters. It has adoption percentages. It has a slide-ready chart that goes up and to the right, which is the chart-shape of all software in 2026. None of this is an answer. "Your developers consumed 2.3 billion input tokens this week" is not an answer; it is a restatement of the bill in a larger font.

The thing a CTO actually needs, in order to defend a budget or raise one, comes in four parts.

Notice what isn't on that list. Token counts are not on the list. They are on the invoice. The point of the list is to put the invoice next to the thing it bought, so a finance team can do the division, an engineering team can stop arguing from vibes, and everyone can spend the meeting on the actual question.

How Bromure does the plumbing.

The agentic coding feature in Bromure was, in fairness, originally built for the security half of this conversation. Each coding agent runs inside a disposable Linux VM on your Mac. The VM has access only to the project folders you mounted; it has no SSH keys, no AWS credentials, no GitHub token sitting on disk. A credential broker on the host swaps stub tokens for real ones, but only at the wire, only for whitelisted endpoints. That is the story we told already, in which a poisoned npm package tries to walk off with your secrets and walks into a wall instead.

The observability story is the same plumbing, used for a different reason. The hypervisor sits between the agent and everything it touches. The agent doesn't open a file; the VM does. The agent doesn't run a shell command; the VM does. The agent doesn't make an API call; the proxy on the host does. Every one of those operations is — has to be, because the security half of the job demands it — a named event, with a timestamp, a session ID, an engineer identity, and a payload. Bromure already records all of this locally. It is called the Session Tracer and it ships with Agentic Coding today.

The piece that closes the loop for CTOs (and CFOs, and CISOs, and the procurement person who would like to know what they procured) is the cloud side. When the Bromure client on a developer's Mac is enrolled into your organization, those local traces stop being a local debugging aid and start being a structured record streamed to your Bromure enterprise server. Per engineer. Per session. Per project. Per model. Filterable, exportable, retainable. The product copy on the agentic coding page calls this "AI usage monitoring" and currently labels it coming soon, which, for the avoidance of doubt, this post is partly the reason for.

The reason the events are reliable is not a sidecar inside the agent, and it is not a wrapper around the model API, both of which the agent could in principle work around if it felt like it. The events are reliable because the agent is running inside a VM whose hypervisor has to know about every command and every file regardless of whether anyone is asking it to. The observability is, in a sense, free. You already paid for it. The bill said "isolation." The thing you got is also a log. And so you get the same record whether the engineer used Claude Code or Cursor in CLI mode or Codex or Aider or some internal agent we have never heard of — because the unit of recording is "thing the VM did," not "thing the vendor decided to expose this quarter."

What the conversation a quarter from now sounds like, instead.

The Uber number is a useful one to think with, because nothing about it is a failure. 84% adoption. Code shipped. A CTO who actually rolled up his sleeves and used the thing, which, by the way, more CTOs should do, even at $1,200 a demo. What broke was the conversation a quarter later. "Should we double down? Pull back? Tier our seats? Push people to cheaper models for some classes of work?" None of those decisions are makeable from an aggregate token bill. They are all perfectly makeable from a per-engineer, per-session, per-repo table. The decisions did not get harder. The table got removed.

A handful of questions that become answerable, more or less in the order that we hear them from people who are trying to defend a line item:

• Which engineers are getting outsize value, and what are they doing differently? Look at the engineers whose spend-to-files- changed ratio is in the good corner of the distribution. Read a few of their session traces. Some of what they are doing well is style, some is technique, some is just which model they reach for. None of it is visible without the record. ("How does Alice ship so much code for so little money" is the kind of question that produces a useful internal lunch-and-learn, but only if Alice's sessions are not a closed terminal somewhere.)
• Is the spend concentrated in one team, one repo, one kind of work? If 60% of your AI bill is coming from a single legacy service and the agent is mostly thrashing on flaky tests, that is a finding. It is also not a finding about AI.
• Which projects are productive with which model? "Claude is better than Cursor" is a tweet. "Claude shipped 3x more file changes per dollar than Cursor on our front-end repo last month, and the reverse on our Go service" is a procurement conversation.
• What did the agent install, and where? This is the security team's question, and it's the same query against the same table. Every npm install, every pip install, every apt-get the agent ran, per session, per repo, filterable by package name. The day a poisoned package shows up on a registry — which, gestures vaguely at most weeks of the calendar — the question "did any of our agents touch this" is a WHERE clause instead of a fire drill.

The thing worth being careful about: none of these questions are answerable from inside the model vendor's dashboard either, and they cannot be. The vendor sees tokens. The vendor sees, sometimes, prompts and completions for the duration of a request. The vendor does not see your repo, your file mutations, your shell commands, or which engineer in your org typed which thing. The vendor cannot. The vendor is on the wrong side of the wire. The visibility layer has to live on your side — on the developer's machine, in the VM, in your enterprise server — because that is where the work is actually happening. Token meters are a postcard from the field.

Disclaimers, because of course.

A few honest ones, because the worst version of a post like this is the one that promises an end-of-history finance report and then ships a dashboard.

Bromure's record tells you what the agent did. It does not tell you whether what the agent did was good. A session that wrote 40 files and shipped a PR can still have shipped 40 bad files. The record makes them easier to find, easier to talk about, and easier to revert. It does not, by itself, review them. Diff review is still on you, and on the human in the loop, and on the very tired senior engineer at 5pm.

Bromure's record covers what the agent does inside the VM. It does not cover what the engineer does in their head before they open the agent. The five-minute conversation an engineer has with Claude in their IDE before the actual session starts is not on this tape. That is a real gap. It is not one we pretend to fill, because we cannot fill it without a much weirder product.

Bromure's record is on your side of the wire, which is the entire point — but it also means your side of the wire is where the retention policy, the access controls, and the data-handling contracts have to live. Prompts include code. Code includes secrets your developers shouldn't have pasted in but absolutely did. The record is as sensitive as the work, and you should treat it that way. The storage is yours; the responsibility is yours. ("There is a name for this in finance, and it is 'shrinkage,'" except now the shrinkage is a SQL table and you can audit it.)

And finally, this is one piece of a bigger story. The other piece is the one we already covered — that running coding agents inside a VM with a credential broker is how you stop the next poisoned npm package from walking off with your SSH keys. The security story and the observability story are the same plumbing. They just file expense reports on different days.

Pay the invoice. But pay it knowing what it bought.

The Uber line — I'm back to the drawing board because the budget I thought I would need is blown away already — is going to be a lot of CTOs' line this year. It was always going to be. Per-token pricing on tools whose appetite is bounded only by how ambitious the model feels at 2pm is going to produce that sentence at every company that adopts it without instrumenting it. The agents are not the problem. The plumbing is.

Bromure Agentic Coding, reluctantly, is what the plumbing looks like when it does its job. Each agent runs in its own VM, each session is a structured record, each record streams to a place your finance team and your CISO can both query, and the agents you already love stay exactly as they were. You will still pay the invoice. You will just, finally, know what it bought — which, the last time anyone checked, was the bare minimum a credit card company asks of its customers.