
Cloudflare AI Gateway Adds Spend Limits and Identity Controls

New budget controls and user-level attribution aim to solve the visibility crisis around enterprise AI costs.

Omega Editorial · June 5, 2026 · 3 min read

Organizations racing to adopt AI have discovered a painful reality: without visibility into who is using which models, monthly bills can spiral out of control with no clear way to attribute costs or prevent overages.

Cloudflare is addressing this challenge with new spend limit controls in AI Gateway, now available in open beta, and a closed beta program for identity-driven budgets that integrate with existing identity providers through Cloudflare Access.

The AI cost visibility problem

The pattern has become familiar across enterprises. Companies distribute shared API keys to engineering teams, encouraging aggressive AI adoption. Usage accelerates rapidly. When the invoice arrives, finance teams face a black box: Was it the machine learning team training pipelines? An intern running expensive models on routine tasks? A runaway CI job consuming 50 million tokens over a weekend?

Without attribution or routing logic, employees rationally default to the most powerful—and expensive—models for every task, regardless of whether a code review summary actually requires the same computational power as a complex architecture refactor.

How the new controls work

AI Gateway sits between applications and AI providers, routing requests through Cloudflare before they reach OpenAI, Anthropic, Google, or other services. The platform already offered unified billing, cross-provider logging, response caching, and rate limiting.

The new spend limit feature, according to details first reported by Cloudflare, introduces true cost controls in the form of dollar-based budgets rather than token counts. Organizations can scope limits across multiple dimensions: specific models, providers, or custom attributes like user, team, or application. Time windows can be fixed (resetting monthly, weekly, or daily) or rolling.

When a budget limit is reached, AI Gateway blocks further requests by default. Alternatively, organizations can configure Dynamic Routes to automatically downgrade requests to cheaper fallback models, preventing hard stops that disrupt workflows.

Identity-driven attribution

The closed beta for identity-driven budgets takes cost control further by integrating with Cloudflare Access. When users authenticate through their existing identity provider, AI Gateway extracts identity information from the JWT and attaches it as metadata to each request.

This enables granular policies: individual contributors might receive $500 monthly budgets while senior engineers get $2,000. Machine learning teams could access frontier models like Claude Opus and GPT-4o, while interns are limited to open-source models on Workers AI. CI/CD pipelines and autonomous agents receive named identities through Access service tokens, making it possible to track that a code review bot consumed 5 million tokens while a documentation generator used 500,000.

Every log entry includes authenticated identity details—email, identity provider group, service token name—enabling cost-by-user-by-team breakdowns without custom development.
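The enforcement logic described in the two sections above (dollar budgets scoped by identity, fixed or rolling windows, block or downgrade once the cap is reached) can be modelled in a few lines. This is an added example, not Cloudflare's code or configuration format; the class names, group names, model names and 100-second windows are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Budget:
    limit_usd: float                      # dollar cap, not a token count
    window_s: int                         # window length in seconds
    rolling: bool = True                  # False = fixed window that resets on a boundary
    fallback_model: Optional[str] = None  # None = hard block once the cap is reached

class SpendLimiter:
    def __init__(self, budgets):
        self.budgets = budgets            # keyed by group name (assumed attribute)
        self.ledger = defaultdict(deque)  # identity -> (timestamp, cost_usd), oldest first

    def record(self, identity, cost_usd, now):
        """Charge a completed request to the identity that made it."""
        self.ledger[identity].append((now, cost_usd))

    def spent(self, identity, budget, now):
        """Dollars spent by this identity inside the current window."""
        start = now - budget.window_s if budget.rolling else now - now % budget.window_s
        entries = self.ledger[identity]
        while entries and entries[0][0] < start:   # drop spend that has aged out
            entries.popleft()
        return sum(cost for _, cost in entries)

    def decide(self, identity, group, model, now):
        """Return (action, model). identity and group must come from the
        verified token, never from a header the caller can set."""
        budget = self.budgets.get(group)
        if budget is None:
            return ("block", None)                 # no attribution, no spend
        if self.spent(identity, budget, now) < budget.limit_usd:
            return ("allow", model)
        if budget.fallback_model:
            return ("downgrade", budget.fallback_model)
        return ("block", None)

# Constructed policy: windows shortened to 100 s so the behaviour is easy to follow.
POLICY = {
    "individual-contributor": Budget(500.0, 100, rolling=True, fallback_model="fallback-model"),
    "ci-pipeline": Budget(10.0, 100, rolling=False),
}
```

With a fixed window the full budget returns at the boundary, while a rolling window frees budget only as individual charges age out, so the same cap behaves differently for a bursty CI job.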

Why it matters

The inability to calculate ROI on AI investments without visibility into spending patterns represents a fundamental gap in enterprise AI governance. Every other business expense operates under budget constraints and team-level attribution; AI spend has largely escaped this discipline due to technical limitations rather than strategic choice. By making cost attribution automatic and budget enforcement granular, Cloudflare is addressing a pain point that has prevented many organizations from scaling AI adoption confidently. The company reports using this system internally to manage millions of requests and billions of tokens monthly across its workforce.

Cloudflare is also developing intelligent, task-based routing that would automatically direct requests to the most cost-effective model capable of handling each specific task.

Spend limits are available now for all AI Gateway users across all plans. Organizations interested in the identity-driven budgets closed beta can sign up through Cloudflare. These details were first reported by Cloudflare in a blog post announcing the features.


This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
