← Back to Blog

AI Coding Cost Anomaly Detection: How to Catch Runaway Token Bills Before They Hit $10,000

By Eric Bush · July 11, 2026 · 10 min read

Dashboard screen displaying real-time monitoring graphs with warning indicators

Why This Guide Exists

In July 2026, an AI startup founder let a coding agent run overnight with Full Access permissions. A shell variable resolved incorrectly, the agent executed a destructive command, and his entire Mac was wiped clean. In terms of token cost, the incident was cheap — the agent was doing "cleanup." But the same permission model that enabled the disaster can just as easily enable a $10,000 API bill overnight.

Runaway token bills happen when an AI coding agent enters a loop it can't escape: retry storms after tool failures, infinite reasoning chains on impossible tasks, or explosive fan-out when a subagent spawns hundreds of children. Without anomaly detection, the first signal is your monthly invoice — by then, the damage is done.

This guide walks through the four layers of anomaly detection every AI coding team should build, from basic thresholds to full pattern-detection systems.

Layer 1: Per-User Daily Budget Caps

The first line of defense is hard spending caps at the individual developer level. Every AI coding provider offers some version of this:

  • Anthropic API: Workspace-level spend limits, resettable daily/monthly.
  • OpenAI API: Per-key usage limits and organization-wide monthly caps.
  • OpenRouter: Per-key credit limits, per-model cost ceilings, and rate-limit-based cost approximation.
  • Cloud vendor gateways (Azure OpenAI, AWS Bedrock, Vertex AI): Quota-based limits enforced at the platform level.

Set the daily cap at 3-5x the individual developer's typical daily spend. That's high enough to allow occasional heavy usage days but low enough to interrupt genuine runaway loops. Example: if a developer typically spends $8/day, cap at $30-40/day.

Layer 2: Threshold Alerts

Hard caps stop bleeding but don't tell you why. Alerts fill that gap. Set alerts at:

  • 50% of daily budget consumed by noon: Warns of an unusually heavy morning without stopping work.
  • 2x typical hourly burn rate sustained for 30 minutes: Flags a possible loop.
  • Any single session exceeding $10 in output tokens: Individual sessions rarely need that much output; likely a hallucination loop or bloated code generation.
  • Aggregate team spend hitting 80% of monthly budget by day 20: Trajectory-based, gives 10 days to correct before overrun.

Deliver alerts to Slack or PagerDuty with enough context to act — user, session ID, model, current spend, and a 24-hour trend graph.

Layer 3: Anomaly Detection on Token Patterns

Thresholds catch obvious problems. Anomaly detection catches subtle ones. Effective patterns to monitor:

  • Retry storms: Same prompt hash executed 5+ times within 10 minutes. Usually indicates a tool call that keeps failing and the agent keeps regenerating similar attempts. Alert and require human confirmation to continue.
  • Explosive fan-out: A session spawning 20+ subagents. Legitimate for parallel research; often a bug for iterative work.
  • Context growth without progress: Cumulative input tokens climbing linearly while output tokens plateau. Signals an agent stuck in reasoning without making decisions.
  • Repetitive tool call patterns: Same tool called with near-identical parameters 10+ times. Often a symptom of a tool that returns unexpected output the model can't parse.
  • Cache miss anomalies: Cache hit rate suddenly dropping from 90% to 20% mid-session. Usually indicates the CLAUDE.md file changed or the system prompt was modified — sometimes a security incident.

Layer 4: Session-Level Kill Switches

The most important control is the emergency kill switch — the ability to terminate a running session immediately from a central dashboard. This requires:

  1. A gateway between developers and the model API (LiteLLM, OpenRouter, self-hosted proxy) that tags every request with a session ID.
  2. A revocation mechanism: when a session ID is added to the kill list, the gateway rejects all subsequent requests with that ID.
  3. A dashboard showing active sessions with real-time cost, tokens/minute, and a "kill" button.
  4. Optional: automatic kill triggers based on Layer 2/3 alerts, with manual override.

Response time matters. A runaway session burning $50/minute can consume $3,000 in an hour. If your kill switch takes 15 minutes to invoke (find the session, get approval, execute), you've lost $750. Automate the common cases.

Common Runaway Patterns and Their Fixes

From incident reports across dozens of teams, five patterns account for most runaway bills:

1. The "just one more iteration" loop: Agent is told to "keep improving until the tests pass," tests keep almost-passing, agent keeps making small tweaks for hours. Fix: Hard cap on iterations (typically 10-15 for coding tasks).

2. The infinite subagent tree: Agent spawns subagents that spawn subagents. Fix: Limit subagent depth to 2 (rarely 3) and hard cap total spawned count per session.

3. The context bloat loop: Agent reads a large file, gets slightly wrong output, re-reads the file, re-reads again, cumulative input tokens explode. Fix: File-read deduplication in the tool layer.

4. The abandoned session: Developer closes laptop with an autonomous agent still running. Fix: Session timeout after 30-60 minutes of no human interaction (some CLI tools do this by default; some don't).

5. The wrong-model runaway: Developer accidentally configures the most expensive model as default for a routine task. Fix: Model selection defaults enforced at the gateway level, not the CLI.

Building the Stack

For a 10-100 developer team, the practical anomaly-detection stack looks like:

  • Gateway layer: LiteLLM Proxy or self-hosted OpenRouter-alike ($50/month cloud host)
  • Metrics store: Postgres or ClickHouse (free-$100/month)
  • Alerting: Slack webhook + PagerDuty free tier ($0-$25/month)
  • Dashboard: Grafana on the metrics store (free) or Retool/Metabase (~$50-200/month)

Total cost: $100-$400/month, plus 20-40 hours of setup time. For a team burning $10K+/month in AI coding, this pays back on the first prevented incident.

Want to calculate exact costs for your project?

Frequently Asked Questions

How much can a runaway AI coding session cost?

In documented incidents, single-session overruns have hit $500-$5,000. A subagent explosion or infinite-iteration loop on a top-tier model like Claude Fable 5 ($10/$50 per M tokens) can burn $30-$100 per minute of active generation. Overnight loops on autonomous agents have generated $8,000+ bills before the developer noticed the next morning.

What's the simplest anomaly detection setup for a small team?

Start with Layer 1 (per-user daily hard caps set at 3-5x typical daily spend) and Layer 2 (Slack alerts at 50% budget consumed by noon, and any session exceeding $10 in output tokens). This catches 80% of incidents with minimal infrastructure — just the vendor's built-in usage APIs plus a small script polling every 15 minutes.

How fast should a kill switch respond to a detected runaway?

Target under 60 seconds from detection to session termination. A runaway session burning $50/minute can consume $750 in 15 minutes — the difference between a fast automated kill and a slow manual review is often thousands of dollars. Automate kill triggers on retry storms and explosive fan-out; keep manual review for edge cases.

What patterns should I monitor for AI coding cost anomalies?

Five high-value patterns: (1) retry storms — same prompt hash repeated 5+ times in 10 minutes. (2) explosive fan-out — 20+ subagents in one session. (3) context growth without progress — input tokens climbing while output plateaus. (4) repetitive tool calls with near-identical parameters. (5) cache miss anomalies — hit rate dropping suddenly mid-session. Each maps to a different failure mode.

Should I use my AI provider's built-in limits or a custom gateway?

Use both. Vendor limits (OpenAI usage caps, Anthropic workspace budgets) are your last line of defense — they prevent catastrophic overruns even if your custom systems fail. But vendor limits are typically monthly and don't offer session-level intervention. A custom gateway (LiteLLM, self-hosted proxy) gives you real-time visibility, session kill switches, and cross-vendor unified alerting that no single provider offers.