One governance framework. Two platforms. Every AI model your teams run on AWS.
FinOps Center governs AI spend across Amazon Bedrock and Claude Platform on AWS. The roles, approval workflow, and attribution model are consistent — the underlying mechanics differ by platform.
Choose Your Platform
Select the platform your teams are running AI workloads on. The governance principles are shared — the billing model, IAM primitives, and implementation chain differ.
Amazon Bedrock
FinOps Center attributes every Bedrock invocation to the IAM principal that made it — no tagging required. Model approval is scoped by account, region, and action scope. Agentic access is denied by default.
- IAM principal attribution via CUR 2.0
- Model approval catalog — account × region × action scope
- Default-deny agentic access with IAM condition keys
- Nightly drift detection for unapproved model usage
- MAP AI eligibility via Application Inference Profiles
Claude Platform on AWS
Claude Platform uses workspaces, not accounts, as the scoping primitive — and bills in CCUs rather than tokens. FinOps Center extends its governance model with a 3-task Cloud Engineer chain and passthrough Lambda attribution.
- Workspace-scoped approval — 5-dimension model
- 3-task Cloud Engineer chain: Create → Validate → Deploy Lambda
- Passthrough Lambda attribution (IAM principal via CloudTrail)
- Workspace tag allocation natively in CUR
- Day-one support for Claude Sonnet 4.6, Haiku 4.5, Opus 4.5
The Shared Governance Model
Same roles. Same separation of duties. Regardless of platform.
Whether your teams run models on Bedrock or Claude Platform, the governance operating model is identical. Approvers define what is permitted. Engineers implement exactly what was approved. Product Owners own the consumption estimates. The decision and the implementation are permanently linked.
FinOps Lead
- Approves each model with defined scope and action limits
- Defines which models are Approved, Restricted, or Blocked
- Reviews portfolio-wide AI spend in weekly governance cycle
- Approves expansions to agentic access scope
Product Owner
- Sets consumption estimates before a workload goes live
- Claims the application's IAM attribution anchor
- Approves weekly spend cards: actual vs estimate
- Requests access to unapproved models
Cloud Engineer
- Receives implementation tasks with exact instructions
- Never makes governance decisions — executes what was approved
- Marks tasks complete, creating the implementation audit record
- Follows the 1-task Bedrock flow or 3-task Claude Platform chain
When a FinOps Lead approves a model, FinOps Center generates the Cloud Engineer task. The engineer executes what was decided — not what they think was intended. If the scope changes, a new approval is required. Decision and implementation are permanently linked and separately owned.
Platform Comparison
| Capability | Bedrock | Claude Platform |
|---|---|---|
| Billing unit | Per-token, per-model, per-hour | CCU aggregate (Marketplace line item) |
| Scope primitive | Account × region | Workspace × account × region |
| Model discovery | Auto via bedrock:ListFoundationModels | Static catalog in FinOps Center |
| Cloud Engineer tasks | 1 task: IAM role + condition key | 3 tasks: workspace → validate → Lambda |
| Attribution anchor | IAM role claimed by Product Owner | Lambda execution role claimed by Product Owner |
| CUR cost allocation | line_item_iam_principal per invocation | Workspace tags on CCU line items |
| MAP eligibility | Supported via Inference Profiles | Not applicable |
| Agentic governance | aws:ViaAWSMCPService deny | Separate approval tier (same model) |
Ready to govern every AI model your teams run on AWS?
FinOps Center deploys in minutes from the AWS Marketplace. Both platforms, one governance layer, every stakeholder accountable for their scope.