Every foundation model approved before the first API call.
The FinOps Lead owns the model catalog. Foundation models from Anthropic, Amazon, Meta, Mistral, and AWS Marketplace are approved for specific accounts and regions, with automated Cloud Engineer tasks generated on approval and scope coverage tracked per model.
Why Model Governance
Without a catalog, any developer can call any model.
No approval. No accountability.
Foundation models are available to any IAM principal with the right permissions. Before FinOps Center, a developer could enable and invoke Claude Opus 4.7 in a production account with no FinOps Lead knowledge, no Business Request, and no budget owner. Model Governance closes that gap.
- Any developer enables any model in any account
- No record of which models are approved for which workloads
- Spend appears in Cost Explorer with no workload owner
- New model launches land in production before Finance knows
- Every model approved for specific accounts and regions only
- Approval carried forward into every Business Request review
- Allocation Gaps surface any model called outside approved scope
- New model launches require FinOps Lead review before use
- Model Governance dimension score in the AI Governance Scorecard
- Scope coverage table per model: which accounts have it implemented
- CE tasks generated one per account and region automatically
- Implemented badge when the CE marks the scope complete
The Model Catalog
Approved models, Implemented scope,
and pending reviews in one view.
The FinOps Lead manages the model catalog from the AI Governance Models tab. Models are filtered by vendor (Anthropic, Amazon, Meta, Mistral) and platform (Bedrock, Marketplace, Claude Platform). Each model shows its approval status, how many account-region scopes are covered, and whether scope is Approved or fully Implemented.
The FinOps Lead has approved the model for a specific account and region. A CE task has been generated. The Cloud Engineer has not yet completed the enablement steps. Product Owners cannot claim this model in Spaces yet.
The Cloud Engineer has completed all 4 steps: verified model access, created the IAM role, applied the permission policy, and marked the task Implemented. The model is now available to Product Owners for Business Requests in this account and region.
Approval Workflow
FinOps Lead approves. CE implements.
Model is available. Scope is tracked.
Opens Add Model to Catalog. Selects vendor (Anthropic, Amazon, Meta, Mistral), finds the model, and adds it. The model enters the catalog in Pending Review status.
Reviews the model and selects the account-region scope to approve. Writes a rationale. Approval generates one CE task per account-region combination in the Engineering Tracking queue.
Picks up the task. Completes 4 steps: verify model access, create IAM role, configure permission policy, mark Implemented. Scope flips to Implemented. Model is available to Product Owners.
When a workload needs the same model in a new account or region, the FinOps Lead uses Add Scope on the existing model entry. This generates an additional CE task for the new scope without requiring a full new catalog entry or approval flow. Scope can also be added from the Out of Approved Scope Allocation Gap when CUR shows usage in an unapproved account or region.
Supported Models
- Claude Opus 4.x
- Claude Sonnet 4.x
- Claude Haiku 4.x
- Amazon Nova Pro
- Amazon Nova Lite
- Amazon Nova Micro
- Llama 3 70B Instruct
- Llama 3 8B Instruct
- Mistral Large 2402
- Mixtral 8x7B Instruct
Model catalog sourced from AWS Bedrock listFoundationModels at onboarding. Marketplace models available via the Marketplace platform filter. Claude Platform workspace access governed separately via the Claude Platform workflow.
Every model. Every account. Every region. Approved before use.
The FinOps Lead owns the model catalog. The Cloud Engineer implements it. Product Owners request what they need. Governance is the gate, not the bottleneck.