The hidden cost of AI: Managing spend and risk across cloud and SaaS

Shadow AI refers to AI tools used by employees without IT knowledge or approval—such as ChatGPT, Gemini or DeepSeek accessed through web browsers, or cloud AI services spun up for experimentation. It's a problem because IT is typically aware of only one-third of the AI tools in use. The rest create untracked costs, data leakage risks and compliance exposure that compound rapidly as adoption scales.

AI services in public cloud environments use token-based and consumption-based pricing that can spike without warning. The webinar shares a real example: one organization incurred AUD $43,000 in a single day from Azure Cognitive Services left running during experimentation—a $1.3 million annualized run rate. Without anomaly detection and budget guardrails, these costs go unnoticed until the invoice arrives.

Flexera One SaaS Management uses browser-based discovery to identify AI and GenAI applications being accessed across the organization. It shows who's using each tool, how long they've been active, and categorizes applications by type (e.g., GenAI). It also integrates with Microsoft Defender CASB for risk and certification scoring, enabling teams to classify, approve or flag AI tools.

Flexera One Cloud Cost Optimization provides dedicated AI/ML dashboards that show consumption across AWS, Azure and GCP—including token utilization, service-level cost breakdowns and anomaly detection. Costs can be allocated to departments, projects or teams using organizational structures and policy-based reallocation, and budget thresholds trigger alerts before spend exceeds plan.

Yes. The webinar shows how Flexera One identifies like-minded applications within the same category—for example, multiple GenAI tools performing overlapping functions. Teams can then rationalize duplicates, redirect users to approved alternatives and reduce redundant spend. With 25% of AI tooling estimated to be duplicated, this is a significant cost optimization opportunity.

Nathan Stevens — 00:00 - 16:48

Two, one. Hello, everybody, and welcome to February, already two months into the year.

Thanks for those who are joining us and if you've been part of our webinar series to date. This is the continuation from last year, and for those that have joined, we're running these every month.

So just giving people a couple seconds to join us here stage, and then we'll kick things off in about ten seconds. Alright.

Awesome. I can see everybody coming into the session today.

So welcome, everyone. You know, as I said, today is February's session where we're gonna focus a little bit more on the hidden cost of AI.

It's obviously very topical at the moment. Everything is AI.

There's not a webinar software company out there that is not talking about this. We'll take the angle on this today, more about how do we manage the spend and risk associated with AI and the explosion of costs.

So for those that don't know me, so I'm Nathan Stephens. I look after the solution engineering team for Flexera here in APAC.

Denny is joining me today. He's one of our principal solution architects in the FinOps space.

A very smart man, much smarter than I am. So he's gonna do all the smart things at the end of this session as well.

So I'll try not to talk over him like I normally do. So I appreciate you joining us today.

So as we kick off, if there's any questions that you may have, please put them in the chat. We will try to grab them and answer them in flight or answer them at the end.

If we don't get around to those, we will address those after the webinar today. For those that have joined us in the past, these are the six sessions that we've run last year into this year.

They are all on demand, and Ash has kindly put the links to each of those within the chat window. So if you want to consume that content, please feel free to grab that, watch that, and also reach out if there's any questions about those.

So as we move into this year, so today we are focused on the hidden cost of AI. Next month we're running a session on data cloud optimization, so that's with the Databricks and Snowflake optimization, and we'll be joined by Chaos Genius team to help us navigate through some of the complexities and uniqueness around those particular areas of optimization.

And in April, we're going to run a session specifically on IBM audit readiness. So for those that are interested in how do we manage that around the ITAM side, how do we get prepped for IBM audits, that is the session for you guys to join as well.

So there are a number of those sessions. We have the Data Cloud One is open for registration right now.

The IBM order readiness will be available in the next week or so as well to register for that event. So you'll get the emails, you'll see it online, you'll see it on my LinkedIn.

Please subscribe, and please keep watching this, and please get the feedback to us about the things that you wanna see in the future as well. Alright.

So today, as we always start, these are two areas of our, you know, portfolio, our platform that we are focusing on.

So as we go into the live demonstration today, we'll cover our SaaS management capability and our cloud cost optimization capability within the platform.

These are two key areas we focus each time we do these sessions. We target a slightly different part of the solution.

So just to pinpoint you, if you're interested in the capabilities that you see today, these are the areas of the platform they do come from. Alright.

So to drill into some of the details. So when we look at technology spend in general within the market, what we're seeing and what the gardeners, the foresters of the world are also seeing is exactly what you at home are also seeing as well.

So there is an increase in spend. You know, the adage kind of is, you know, where outside of people spend within an organization, technology spend is a firm second, and AI is actually creeping up to be a large portion of that spend, even sometimes greater than the people spend.

So we've seen an increase in cloud spend over the last three years and SaaS spend in that same time period, but what we're seeing in terms of global AI spend is at that $644,000,000,000 mark.

So that spend is increasing year on year, the costs are exploding.

We need a way to govern and manage the spend and risk associated with that explosion in adoption and usage and trialing, and it's very important that we get control of that now, put the right policy and governance in place so we can manage that.

Now why has this become such a problem? And this is something that I put together to sort of explain the challenges across each of these different areas.

So when we start to look at shadow something had to be physically installed on a device. You know, you didn't really pay for it until you got the audit that came through.

And also sometimes there's a bit of an unknown cost, you know, you could remediate, you could negotiate.

As we moved into the shadow SaaS, probably in the last four to five years, maybe a bit longer depending on who you are, this is when we started to have the adoption of, you know, applications being accessed through web browsers.

So traditional discovery technologies, SCCM and the like, not picking up these type of applications.

We had the proactive payments on the subscriptions, so, you know, you're kind of locked into those agreements.

The software vendors can see what you're using.

The old, you know, concept of compliance kind of went away, but then we're also being monitored by those software vendors, and waste became a big problem.

Now we're seeing up to 25% in some cases, up to 50% not being used in some very, you know, highly costly type of those subscriptions.

But the shadow SaaS space is exploding and just easy access to those applications.

Next, in the last year or so, we've seen that explosion in ShadowAI.

So, you know, and this has become a lot more difficult to manage.

You know, people are signing up once again through SaaS, like ChatGPT or other programs, you know, Anthropic, Gemini, you name it, it's there.

Know, instances I've come into the cloud bills because I can turn it on and start using that service, but the license models have changed once again.

So we're seeing those models change as tokens in some instances and depends how you use those.

They can be quite complex to understand and quite easy to consume and quite expensive per token.

You know, interacting with sort of a Gen AI, each individual instance can be a token request, so the cost add up really quickly.

It's quite easy to switch on and forget about as well.

So we've had instances where, especially in the cloud space, experimentation is happening across some large language models.

They're left on, and you get that bill shock of what happened.

There's hundreds of thousand dollars of spend for this.

So we've seen exponential costs, we've seen unknown risks, the market's exploded.

And that's why it's such a big problem, particularly around the cost side, but also around the risk associated with you know, where the data is hosted, you know, where the data is being stored.

You know, we're all the infamous, you know, Samsung breach on chat GPT, you know, is still relevant, and that's why a lot of companies are putting policies in place around these things.

Now some of those, you know, I just mentioned a number of these, but the key drivers here.

So when we start to look at the decentralization of AI tools, so, you know, employees can often just pick up ChatGPT.

You know, we had that run of DeepSeek for a while as well, or the different JetAI image generators.

Everyone's going out using them, you know, to, you know, modify images and pictures and the explosion of costs around that.

And everyone's been told that they need to use those AI solutions as well.

We start to see as well the rapid growth.

So in last year, was and this is an interesting stat, was 92% of the Fortune 500 companies were using AI to generate internal reports and dashboards.

So there's a massive portion adoption of AI technologies, sometimes without understanding the full impact.

The data leakage risks associated with this as well.

So, you know, AI models typically require large amounts of data for either training or interaction or prompting, so there's a lot of information that's been handed over to something that quite often maybe we're not sure about.

You know, where that data's being stored or how that data's being used.

And, you know, which we had a number of, without those proper controls in place, you know, we can violate compliance, lead to IP loss, and also a number of data breaches as well associated with that.

I think the biggest thing on the list on the left hand side is really a lack of governance and policy in organizations.

So we don't typically have clear AI governance frameworks.

I don't know internally at Flexera, we spend a lot of time now with dedicated AI teams to design those frameworks and our internal use of those.

A lot of companies are trying to do the same things and typically lack those policies on responsible AI use.

What, you know, models, what, you know, generative AI solutions.

You know, thankfully, in some respects that Microsoft has standardized on Copilot and controlled sort of like within those tenancies.

But there's a lot of unknowns in this space and a lot of personal use that then seeds into corporate life as well.

On the right hand side, so this is where we have those key drivers accelerating.

This is the risk that's associated with it, and I call this it's about hijacking your cloud budget.

So in one instance, we had a New Zealand organization that we're working with that had a model that they're running for, you know, experimentation in the cloud space that ended up racking up a 43 k bill in AUD.

That is, in this case, on a day in using Azure Cognitive Services.

So if they didn't shut that down, that would have been close to $1,300,000 in unplanned, unbudgeted spend.

So quite quickly, it can add up immediately.

There's also, you know, 30% is the increase in cloud cost due to AI, Gen AI from the last year, so in 2025 in particular.

That's also amplified by the fact that in 2025 alone, there was 4,800 new apps that were released.

So whether that's from personal use or an organization's use, that's a massive explosion.

How do IT organizations get control of those and understand who's using what out there as well?

And lastly on here, if we look at 25%, so this is you know, app rationalization, it's a common practice that we try to implore everyone to rationalize what you're using, but 25% of those application and use case specific tooling is duplicated.

So there's a big push and demand as well to understand what's being used, to rationalize what AI tools are being used.

Now as we look into some of the numbers, this is just more facts about this space.

So do we need is guardrails or chaos?

So when we start looking at AI and the risk of AI at scale and shadow AI, one of the biggest stats around this was breaches involving shadow AI were costing an average of $4,630,000.

So which is it was crazy.

You know, we talk about vulnerability breaches and other breaches, but the ShadowAI breaches are costing the same, if not more, in a lot of those cases.

When we look at 2025, forty one percent of reported AI related privacy breaches involved GenAI tools.

So, you know, putting information out there that's not for public consumption.

And of those breaches, sixty three percent of those breaches were due to inadvertent prompt leaks.

So sharing too much data, sharing corporate sensitive data.

And where we look at that, why is it such a problem, is that only a third of what's being used is actually IT is aware of.

So if you think about that, it's this cat and mouse game I'm trying to keep up on the visibility scale.

So the other side of this is cybersecurity researchers have actually publicly exposed and this is this 1,000,000 on the slide here, but deep when we had the explosion on DeepSeek.

But publicly exposed DeepSeek cloud storage repository, that had over 1,000,000 sensitive entries.

So there's a data leak on those programs.

And it's guidance for anyone that's going into these new AI tooling is that this is the risk of adopting untrusted or, you know, untested new tooling in the market.

Four of Australia's major organizations TPG, Commonwealth Bank, Optus, Telstra, so all public information, went on a campaign to tighten the policy up and barred Deepsake's use in the Australian Government based on what they saw as security concerns at the time.

So this is the big thing in 2025.

And lastly as well, another concerning factor around AI usage is that Socrata found 65,000 entries across 111 countries due to misconfigured blob storage.

So the risk of once again, this comes back to the proper management and governance around what is being used out there.

Multiple data breaches have occurred through the improper use of AI tools, and that's why organizations need to stick with what's going to work for them in their organization.

So the CIOs, CTOs, you know, the people that are using these AI tools, we need to have that balance.

So innovation versus spend, but not at the detriment of risk.

So we need to make sure that we're always in a balance of making sure we're making sound decisions, that we have the right visibility in place to ensure that we understand, you know, the backgrounds, the sovereignty, the data storage compliance.

You know, a lot of organizations spend a lot of time going through security certification programs to to prove their trustworthiness.

So we need to balance risk spend and innovation in a way that doesn't lead to chaos and starting with visibility is a strong position to set the foundation to move forward.

So what I'll do now, I'm gonna hand over to Danny. We're gonna dive into the platform, check out a couple of those use cases that we just spoke about, and we wanna bring that to light for the audience today.

So I'm gonna stop sharing and hand over to Danny to take us away starting with SAS.

Denis Duri — 16:48 - 16:53

Perfect. Alright.

Let's do it.

Nathan Stevens — 16:53 - 20:16

So yeah. So just starting off with, I'm gonna deliver a talk over while Denny's talking here.

So when we start to think about AI, it's really comes down to two buckets at the moment. It's a SaaS AI, and it's the cloud, the public cloud AI.

And with the FlexeraOne platform, we can help in in both respects.

So what we wanna do is look at the applications that exist in the fleet that we found.

You know, we categorize each of the applications.

So we can dig in and drill into, you know, the in the gen AI category in this case, found ChatGPT.

Now this is an interesting one.

We've had some good stories from the field where one organization had a policy against using ChatGpt in their organization.

We were able to help them find over 3,000 users that were actually using ChatGPT through the browser based discovery.

Now so we can drill into that detail, understand who are the users that are using this particular product.

If it's ChatGpt, Gemini, you name it, Copilot.

We can actually see who's using it, how long they've used it before, when were they last active, the total days as well in regard to that usage.

So we can narrow down the field.

Some people may not be aware of the policy, may not be aware of the governance in place and controls, but if we've got those strict controls in place and people are still using those programs, it allows us to identify who they are, where they're from, how we put better controls in place to manage that risk.

The good thing about the SaaS management solution as well, if there's a new AI, Gen AI, you name it out there, we'll be able to categorize that information.

So on the right hand side, we actually provide the vendor, the description, the category and subcategory of those products that we found.

So we're constantly adding to the list of SaaS applications that we're discovering and detecting for our customers out there.

And then we provide links to the privacy policies, the website information.

This allows you to have a quick link back into, okay, well, we found this weird and wonderful new SaaS based application. What does it do?

What's the privacy of it?

Where is the data being stored?

What are their controls?

Are they certified?

All of these great things.

There's another benefit when using applications like Microsoft Defender, their CASB solution.

They can go we can actually bring in information as well about the risk and certification scoring where that's available from Microsoft.

So you can get a complete picture of that risk.

Now the thing in the middle as well, we can see the like minded categorization of applications.

So if there's anything that fits that profile, we can then help with, you know, getting rid of the duplicated applications in the environment through app rationalization.

Here's perfect because we've only got one that's doing Gen AI.

So it may be, in this case, it is the approved, but then we can also see what other applications fit that profile.

Are they approved or not?

Do we have subscriptions or not for those?

And really drive a more mature approach to governing the use of AI in our environment.

So I'll let Denny take over now and dig into more around the cloud side or in public cloud consumption of AI.

Denis Duri — 20:16 - 23:59

Excellent. Well done, Nathan.

Thank you.

So what I'll do is I'll dive into the visibility component of AI and ML.

It's the first step to governance and setting up those guardrails.

Just make sure that you can understand what you're using, where you're using it, how it's being used, and track that spend.

This is a default dashboard that we have set up, and it just gives you your overviews of your AI and ML in your different clouds.

So we can detect it in AWS, in Azure and GCP.

We'll give you an understanding of which of those services are being consumed today.

Your top service is being consumed, so you have a dollar value.

Token utilization as well.

As you can see here, we have a quick spike on the February 5.

We can drill right down into how they're being consumed so what parts of those services are doing what as well as the resources that sit behind them here.

So the idea with this is that you now have a good amount of visibility into the who, what, where, when and why, with the ability to now allocate those costs to the right areas of the business.

So you have your visibility.

You can now do your cost allocation.

For example, what I've done is I've just clicked into a new tab, but this is my organizational structure.

Under Buyer Corp Inc, I've clicked on Finance.

I can see what finance is utilizing same dashboards, pre filtered down with what's being allocated for them, within the AI and ML services.

And the look and feel will be exactly the same, so the user experience is the same as well.

I have reordered this dashboard, so you can take a look at everything that's being utilized here.

The positive to this is that at an organizational level, can see everything at the business and departments level, projects, etc.

They can keep track of what they're using and how they're using it.

You can then look at how the services are used in a different view.

So this is this tabular view from this page here, just in a larger format.

This will give you where you have cost spikes as well.

A very quick informative view of your AI and ML usage, where there's spikes.

You can then drill into those spikes and understand what those anomalies are.

We use AI and ML to track anomalies.

We can track your AI and ML using AI and ML through anomaly detection.

We use it ourselves.

As you can see, the first one here gives you a $0 value on the eighth, but spikes to $285 on the ninth.

So we can notify you on that.

You understand where the anomalies come from.

So you have who the owners are, what services, the categories, what the workload was, and so forth.

You can also choose to put in here things like tag dimensions, rule based dimensions, so you get very fast feedback on tracking your AI and ML spend through the anomalies, through reporting.

Now you can make sure that the right person understands what's happening.

And as Nathan mentioned, we've had customers in the past where they've had these anomalies be detected quickly.

We've saved them from overspending and overshooting budget, because this is unbudgeted spend.

That way, they could spin it down, reevaluate what they're going to use it for, and then bring it back up at the appropriate levels.

That's a nice quick overview of cloud visibility for your AI and ML services.

We can now open it up to any questions that people may have.

Feel free to use the questions section.

I'm happy to answer them.

Nathan Stevens — 23:59 - 24:15

Yes. One question I've got, Denny, on this as well is how can we, I suppose, automate some of the decision making around what we do within the platform?

Denis Duri — 24:15 - 25:51

Okay. So I guess it depends on what you're trying to do.

Are you trying to automate the allocation of services?

Are you trying to automate notification and alerts from anomalies?

Do you want to understand budgets and forecasts against, say, your AI and ML type services?

So all that can be done in platform.

We alert based on anomalies.

So anything you see here can be notified to you quickly.

That way, you can make fast decisions around go no go, what's causing it, and turn it down, turn it up, or leave it.

The other one is around budget and forecasting tracking.

In cost planning, you could build in here the different types of workload services for each of the owners, and notify when services are at 80% cost, because you've set a budget for a set of services.

Other automation, I guess, we could do is around allocation of shared type services.

I have spoken to many organizations where they have a dedicated ML platform, large language models, that the business consumes, and they want to be able to capture that service as a whole, understand everything that's underpinning it, but then to allocate it to the consumers of that service across the business.

So now you can capture that information, reallocate it based on percentage of spend, fixed costs, or whatever that may be.

Now you have a service that's useful, but it's automatically being shared and allocated to the right area of the business, as required.

How does that sound, Nathan?

Nathan Stevens — 25:51 - 25:57

No. Great.

Can we just show quickly as well the cost allocation?

Denis Duri — 25:57 - 27:24

Sure. So at this point in time, cost allocation is done through a policy template.

And what that means is that you can build in what that allocation looks like.

So it may not be AI or ML related, but you could do proportional cost allocation.

I will go to schedule reporting.

Actually, it might be faster if I just do it in the advanced demonstration as I've applied it there.

We have templates for this in the policy catalogs.

So we have shared cost reallocation for AWS support, but we also have cost reallocation in general.

What that allows you to do is to choose what you will be selecting.

Where you're reallocating this to, and where it's coming from.

If you have your ML services tagged within specific accounts, by specific vendors, by specific service, you can provide all that information in here and say this is exactly what I want to allocate, and then say this is where it needs to go.

You can group the costs if you need to, but the idea is that you can decide what needs to be allocated at what time.

Nathan Stevens — 27:24 - 28:15

Awesome. And just another question that's come in, Denny.

Probably both will maybe tackle the answer to this one, but how does the integration work with homegrown AI solutions and the need to track costs, including large language model, API costs and the risks at the same time?

So from a SaaS management perspective, there's one side as well.

So we have the ability to track custom SaaS based applications.

So if you have a service that you're exposing via the web internally within the organization, we can track the users who are using those for the browser based discovery.

Denny, from a large language model perspective, let's be build a public cloud. Just go into that for me, please.

Denis Duri — 28:15 - 29:09

Yep. So this is the AML views.

So the see, the idea is that you know what you're using because you've got something out there.

You just don't know how it's being used or what is being consumed under the bonnet.

With the ability to see into the resources themselves, you can understand what service is being used.

So, for example, there's some API requests coming from, there's table pages being processed, there's documents being scanned.

So you have a good view of exactly what part of that process is being used, and understand the consumption against that and the costs associated to it as well.

So we can show you all this information, so that way you can make the decision of, Is this being used appropriately?

Is it being overused?

Do we want to set limitations on tokens per month?

Are we having it open?

And so forth.

So all that information is within the platform.

Nathan Stevens — 29:09 - 30:24

Awesome. Thanks for answering that one.

Just a question from someone from a Snow user's perspective.

So is this an add on or available?

So if you're an existing SaaS management customer or the Flexera one SaaS management, Snow Atlas SaaS management, the same thing, you'll have access to do the first section on the screen that Denny was showing around the GenAI browser based discovery of those applications.

What Denny has on screen right now is the cloud cost optimization.

So this is the FinOps solution side, which is an an additional module, which focuses more on cloud cost and spend in in that space.

Denny, one other question that's come through in twenty seconds.

I was trying to cut you short, but most of the cloud providers already have some level of this visibility.

What else are we doing over the top of that visibility?

Besides us bringing multi cloud and everything in one, we've recategorized everything to make it a lot easier to get to these views.

What else are we doing on our platform?

Denis Duri — 30:24 - 31:14

It's a great question.

So We will do the focus formatting for you as well, in regards to those categorizations, so AI machine learning being a focus category.

We'll give you your utilization in one place across all your services.

Something the hyperscalers won't do is tell you who's using it, or allocate those costs to someone.

So we're doing that in platform.

We'll give you percentage of changes.

We'll give you the ability to do anomaly detection against those as well.

We drive budgets against the resources and services that are being consumed.

The hyperscalers are great at telling you you're using something, but it takes a little bit of time to drill in.

And we can put all the providers, as Nathan said, in a single platform, so you see all the different AI and ML services being consumed across all your clouds, as opposed to trying to find it in each cloud.

Nathan Stevens — 31:14 - 32:40

Yep. And there's also the platform as well.

So AI is not just a public cloud problem.

It's also a massive SaaS problem for us.

So we have the ability for a complete technology perspective to pick up the different parts of SaaS AI that exist in SaaS and cloud.

So it's much broader than just the public cloud players, hyperscale as as Denny mentioned.

So thanks for the questions today.

We're slightly over time, Denny.

So I just want to pop up the last slide on my side.

So if there is any other questions, look, please feel free reach out to myself and the team.

You know, we're here to answer the questions that you may have, get into some deep dive on what you've seen today.

But was just more of a glimpse of what we can do around the management of AI, help starting to get that governance and policy and risk management in place.

Feel free to connect with me on LinkedIn.

I'm more than happy to chat through what we can do to help solve some of those problems for you.

So once again, appreciate your time today.

Look out for the invites for Data Cloud coming up on the I believe it's also the March 18.

So look forward to seeing you all again then then soon.

Thank you all.

Thanks, Danny.

Denis Duri — 32:40 - 32:40

Thank you.