CASE 90 · EMBER · 2026
AI model access, scoped to who is allowed to use which.
An AI products company let any engineer call any Bedrock model in any region. Compliance was uncomfortable; finance was alarmed at the spend per individual experiment. We rolled out SCPs that scoped model access per OU, with named-model approvals and region restrictions.
AI products
LANDING ZONE
2026
RESULTS
What changed, by the numbers.
AI BILL VOLATILITY
−72%
GOVERNED MODEL ACCESS
100%
REGIONS RESTRICTED
17 → 3
ETHICS-REVIEW SLA
INTEGRATED
HOW IT WENT
A single unsupervised Claude Opus run during a weekend hackathon had cost more than a junior engineer’s monthly salary. The CFO had a conversation about it. Nobody wanted to slow legitimate experimentation, but the floor had to come up.
SCPs scoped Bedrock access at the OU level. The production OU allowed only approved models in approved regions. The experimentation OU allowed broader access with monthly caps. The legal/compliance OU allowed only models that had cleared ethics review.
AI bill volatility dropped 72% month-over-month — predictable spend means predictable budgets. Production model access is 100% governed; ethics review is gated into the model-approval workflow. Engineers can still experiment, but the experimentation has guardrails.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.