My CoWork Agent Burned Through $800 in Credits Before Anyone Noticed A data scientist's Snowflake CoWork agent entered a 47-minute reasoning loop, consuming $800 in compute credits because no time or cost limits were configured. Snowflake positions CoWork as a secure enterprise agent platform, but teams often misconfigure privileges, granting incorrect permissions on semantic views, Cortex Search services, and agents. The incident highlights the need for proper RBAC and cost controls when deploying autonomous agents. It happened on a Friday afternoon. A data scientist on my team was testing a CoWork agent with broad tool access — three semantic views, two Cortex Search services, and an experimental SQL execution tool. The agent entered a reasoning loop: queried, evaluated, decided it needed more context, queried again with a broader filter, still wasn’t satisfied, repeated for 47 minutes. The compute bill for that single session: $800. The agent was doing exactly what it was configured to do. We just hadn’t configured limits on how long it could do it. Summit 2025 Context:Snowflake positions CoWork as the control plane connecting data, context, and enterprise systems to drive action. Christian Kleinerman EVP Product : “CoWork gives every employee a personal agent… all within a secure, governed environment they trust.” Admin-defined policies ensure autonomous actions stay within boundaries: “Admins will decide what an agent does on its own, what needs sign-off, and what it cannot use, with every action logged with its policy reason.” TheNatoma acquisitionadds enterprise MCP governance: secure connectivity, identity-aware authorization, and auditability for agents operating across enterprise systems. Reference:https://www.snowflake.com/en/blog/snowflake-cowork-personal-work-agent/ Every CoWork interaction runs under the user’s default role not the active session role . Object grants, row access policies, masking — all apply. The agent has no elevated privileges. Where teams stumble: the agent needs grants on tools , not just data. The user’s default role must be granted USAGE on the database, schema, and agent itself per official docs . Here’s the correct privilege set: -- ═══════════════════════════════════════════════════════════════════════-- COWORK AGENT RBAC — PRODUCTION TEMPLATE-- ═══════════════════════════════════════════════════════════════════════CREATE ROLE IF NOT EXISTS finance agent user;-- Data access underlying tables the semantic view references GRANT USAGE ON DATABASE analytics TO ROLE finance agent user;GRANT USAGE ON SCHEMA analytics.finance TO ROLE finance agent user;GRANT SELECT ON ALL TABLES IN SCHEMA analytics.finance TO ROLE finance agent user;GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics.finance TO ROLE finance agent user;-- Semantic view: USAGE on database + schema, then SELECT on the view-- The privilege for semantic views is SELECT, not USAGE GRANT USAGE ON DATABASE cortex ai TO ROLE finance agent user;GRANT USAGE ON SCHEMA cortex ai.semantic views TO ROLE finance agent user;GRANT SELECT ON SEMANTIC VIEW cortex ai.semantic views.finance revenue TO ROLE finance agent user;-- Cortex Search service: USAGE on database, schema, and serviceGRANT USAGE ON SCHEMA cortex ai.search services TO ROLE finance agent user;GRANT USAGE ON CORTEX SEARCH SERVICE cortex ai.search services.finance policies TO ROLE finance agent user;-- Agent: USAGE object type keyword is AGENT, not CORTEX AGENT GRANT USAGE ON SCHEMA cortex ai.agents TO ROLE finance agent user;GRANT USAGE ON AGENT cortex ai.agents.finance agent TO ROLE finance agent user;-- Cortex AI platform access required for AI function calls GRANT DATABASE ROLE SNOWFLAKE.CORTEX USER TO ROLE finance agent user;-- Warehouse for computeGRANT USAGE ON WAREHOUSE cowork finance wh TO ROLE finance agent user;-- Assign to business rolesGRANT ROLE finance agent user TO ROLE finance analyst;GRANT ROLE finance agent user TO ROLE finance manager; -- ═══════════════════════════════════════════════════════════════════════-- PRIVILEGE QUICK REFERENCE-- ═══════════════════════════════════════════════════════════════════════-- | Object Type | Correct Privilege | Common Mistake |-- |-----------------------|-------------------|-------------------------|-- | Semantic View | SELECT | USAGE invalid |-- | Cortex Search Service | USAGE | SELECT |-- | Agent | USAGE | CORTEX AGENT keyword |-- | Agent create | CREATE AGENT | on schema |-- | Agent update | MODIFY | on agent object |-- | Agent view threads | MONITOR | on agent object |-- | Tables underlying | SELECT | Forgetting these |-- ═══════════════════════════════════════════════════════════════════════ -- ═══════════════════════════════════════════════════════════════════════-- RESTRICTING ACCESS: CORTEX AGENT USER vs CORTEX USER-- ═══════════════════════════════════════════════════════════════════════-- CORTEX USER grants access to ALL Cortex features AI functions, agents,-- search, analyst, etc. . For users who should ONLY access agents:USE ROLE ACCOUNTADMIN;CREATE ROLE IF NOT EXISTS agent only role;GRANT DATABASE ROLE SNOWFLAKE.CORTEX AGENT USER TO ROLE agent only role;GRANT ROLE agent only role TO USER example user;-- To enforce this restriction, revoke CORTEX USER from roles that-- shouldn't have broad Cortex access:-- REVOKE DATABASE ROLE SNOWFLAKE.CORTEX USER FROM ROLE analyst role; -- ═══════════════════════════════════════════════════════════════════════-- PER-FUNCTION AI ACCESS CONTROL GA -- ═══════════════════════════════════════════════════════════════════════-- Control which AI functions specific roles can call. Useful when agents-- should only use certain functions e.g., AI COMPLETE but not AI EXTRACT .USE ROLE ACCOUNTADMIN;-- Remove blanket AI function access from PUBLICREVOKE USE AI FUNCTIONS ON ACCOUNT FROM ROLE PUBLIC;-- Grant only specific functions to the agent roleGRANT USE AI FUNCTION AI COMPLETE ON ACCOUNT TO ROLE finance agent user;GRANT USE AI FUNCTION AI CLASSIFY ON ACCOUNT TO ROLE finance agent user;GRANT USE AI FUNCTION AI EXTRACT ON ACCOUNT TO ROLE finance agent user;-- The role still needs CORTEX USER or AI FUNCTIONS USER database role-- already granted above via SNOWFLAKE.CORTEX USER -- Verify grants:SHOW GRANTS TO ROLE finance agent user; -- ═══════════════════════════════════════════════════════════════════════-- MODEL-LEVEL ACCESS CONTROL GA -- ═══════════════════════════════════════════════════════════════════════-- Restrict which LLM models a role can invoke. Prevents agents from-- accidentally using expensive models.USE ROLE ACCOUNTADMIN;-- Option A: Account-level allowlist simple, broad ALTER ACCOUNT SET CORTEX MODELS ALLOWLIST = 'mistral-large2,llama3.1-70b';-- Option B: Role-based model access fine-grained -- First, populate model objects:CALL SNOWFLAKE.MODELS.CORTEX BASE MODELS REFRESH ;-- Grant specific model access to the agent role:GRANT APPLICATION ROLE SNOWFLAKE."CORTEX-MODEL-ROLE-LLAMA3.1-70B" TO ROLE finance agent user;-- To use RBAC exclusively, block the allowlist:-- ALTER ACCOUNT SET CORTEX MODELS ALLOWLIST = 'None'; Test with end-user roles. Never ACCOUNTADMIN. ACCOUNTADMIN masks every privilege gap because it inherits all grants. The Summit announcement introduces a governance framework specifically for autonomous agent actions. Three tiers: Every action is logged with its policy reason. This is the “why was this allowed/blocked” audit trail that enterprise security teams demand. For proactive agents automations/subscriptions , this framework becomes essential. An agent running a Monday morning check autonomously needs clear boundaries: Resource monitors cap credit consumption at the warehouse level. They work for CoWork the same way they work for any warehouse-bound compute: CREATE RESOURCE MONITOR cowork finance monitor WITH CREDIT QUOTA = 50 FREQUENCY = DAILY START TIMESTAMP = IMMEDIATELY TRIGGERS ON 75 PERCENT DO NOTIFY ON 90 PERCENT DO SUSPEND ON 100 PERCENT DO SUSPEND IMMEDIATE;ALTER WAREHOUSE cowork finance wh SET RESOURCE MONITOR = cowork finance monitor; Why this isn’t sufficient alone: my $800 incident happened in 47 minutes — well within a reasonable daily budget. Resource monitors catch sustained overspend but not single-session spikes. They don’t give you per-session limits, rate-of-consumption alerting, or agent-specific attribution. Also: resource monitors apply to warehouse compute credits only. Cortex AI token costs from AI COMPLETE, AI EXTRACT, etc. are serverless and NOT captured by resource monitors. You need CORTEX AI FUNCTIONS USAGE HISTORY for those. -- Layer 1 — Warehouse sizing and auto-suspend:CREATE WAREHOUSE IF NOT EXISTS cowork finance wh WAREHOUSE SIZE = 'XSMALL' AUTO SUSPEND = 60 AUTO RESUME = TRUE INITIALLY SUSPENDED = TRUE STATEMENT TIMEOUT IN SECONDS = 120 STATEMENT QUEUED TIMEOUT IN SECONDS = 60; Layer 2 — Statement timeouts 120s : Kills runaway queries per iteration. Even if the agent loops 20 times, each step is bounded. -- Layer 3 — Governance tags for attribution:CREATE TAG IF NOT EXISTS cortex ai.tags.agent name ALLOWED VALUES 'finance agent', 'sales agent', 'operations agent';CREATE TAG IF NOT EXISTS cortex ai.tags.team ALLOWED VALUES 'finance', 'sales', 'operations', 'data platform';CREATE TAG IF NOT EXISTS cortex ai.tags.cost center COMMENT = 'Maps agent compute to internal cost centers';ALTER WAREHOUSE cowork finance wh SET TAG cortex ai.tags.agent name = 'finance agent', cortex ai.tags.team = 'finance', cortex ai.tags.cost center = 'CC-4200'; Layer 4 — Resource monitors as daily backstop see above . Layer 5 — Resource budgets for agent-specific monthly limits. Resource budgets GA for Cortex Agents and CoWork let you define monthly credit limits on tagged agent objects with automated actions when thresholds are reached. Budget evaluation runs periodically up to 8 hours standard, or 2 hours with latency-optimized option . CORTEX AI FUNCTIONS USAGE HISTORY tracks token-level consumption for all Cortex AI Functions AI COMPLETE, AI EXTRACT, etc. . Latency: up to 10 minutes. -- Daily credit consumption by function and model:SELECT DATE TRUNC 'day', START TIME AS usage date, FUNCTION NAME, MODEL NAME, SUM CREDITS AS total credits, COUNT DISTINCT QUERY ID AS query countFROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI FUNCTIONS USAGE HISTORYWHERE START TIME = DATEADD 'day', -30, CURRENT TIMESTAMP GROUP BY 1, 2, 3ORDER BY usage date DESC, total credits DESC; -- Monthly credit consumption by user identify top consumers :-- NOTE: USER ID in CORTEX AI FUNCTIONS USAGE HISTORY is VARCHAR.-- Join to USERS view requires TO VARCHAR cast on USERS.USER ID.SELECT DATE TRUNC 'month', h.START TIME AS usage month, u.NAME AS user name, u.LOGIN NAME, SUM h.CREDITS AS total credits, COUNT DISTINCT h.QUERY ID AS query countFROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI FUNCTIONS USAGE HISTORY hLEFT JOIN SNOWFLAKE.ACCOUNT USAGE.USERS u ON h.USER ID = TO VARCHAR u.USER ID WHERE h.START TIME = DATEADD 'month', -3, CURRENT TIMESTAMP AND u.DELETED ON IS NULLGROUP BY 1, 2, 3ORDER BY usage month DESC, total credits DESC; -- ═══════════════════════════════════════════════════════════════════════-- AGENT-SPECIFIC COST TRACKING using CORTEX AGENT USAGE HISTORY -- ═══════════════════════════════════════════════════════════════════════-- Verified columns: START TIME, END TIME, USER ID, USER NAME,-- REQUEST ID, PARENT REQUEST ID, AGENT DATABASE NAME, AGENT SCHEMA NAME,-- AGENT NAME, TOKEN CREDITS, TOKENS, TOKENS GRANULAR, CREDITS GRANULAR,-- METADATA---- NOTE: There are NO columns named CREDITS, INPUT TOKENS, or OUTPUT TOKENS.-- Use TOKEN CREDITS for cost, TOKENS for total count.-- Token breakdown input/output lives in TOKENS GRANULAR ARRAY .SELECT DATE TRUNC 'day', START TIME AS usage date, AGENT NAME, AGENT DATABASE NAME || '.' || AGENT SCHEMA NAME AS agent location, SUM TOKEN CREDITS AS total token credits, SUM TOKENS AS total tokens, ROUND AVG TIMESTAMPDIFF 'second', START TIME, END TIME , 1 AS avg duration seconds, COUNT AS invocation count, COUNT DISTINCT USER NAME AS unique usersFROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AGENT USAGE HISTORYWHERE START TIME = DATEADD 'day', -7, CURRENT TIMESTAMP GROUP BY 1, 2, 3ORDER BY total token credits DESC; Per official docs: “If a request starts in Snowflake CoWork and invokes a Cortex Agent, that usage is attributed to Snowflake CoWork.” Agent-scoped resource budgets do NOT capture CoWork-initiated requests. You need BOTH an agent budget AND a CoWork budget for full coverage. -- CoWork usage includes agent calls made through CoWork UI :SELECT DATE TRUNC 'day', START TIME AS usage date, USER NAME, SUM TOKEN CREDITS AS total token credits, SUM TOKENS AS total tokens, COUNT AS request countFROM SNOWFLAKE.ACCOUNT USAGE.SNOWFLAKE INTELLIGENCE USAGE HISTORYWHERE START TIME = DATEADD 'day', -7, CURRENT TIMESTAMP GROUP BY 1, 2ORDER BY total token credits DESC; -- Weekly reporting by tagged agent warehouse:WITH tagged warehouses AS SELECT object name AS warehouse name, tag value AS agent name FROM snowflake.account usage.tag references WHERE tag name = 'AGENT NAME' AND domain = 'WAREHOUSE' SELECT DATE TRUNC 'week', wmh.start time AS week start, tw.agent name, ROUND SUM wmh.credits used , 2 AS total credits, ROUND SUM wmh.credits used 3.00, 2 AS estimated cost usdFROM snowflake.account usage.warehouse metering history wmhJOIN tagged warehouses tw ON UPPER wmh.warehouse name = UPPER tw.warehouse name WHERE wmh.start time = DATEADD week, -4, CURRENT TIMESTAMP GROUP BY 1, 2ORDER BY 1 DESC, total credits DESC; From official Snowflake docs — monitors total monthly AI function spend and sends email when threshold exceeded. CREATE OR REPLACE NOTIFICATION INTEGRATION ai cost alerts TYPE = EMAIL ENABLED = TRUE ALLOWED RECIPIENTS = 'admin@company.com', 'finops@company.com' ;-- Track alert state to prevent duplicate notifications per month:CREATE TABLE IF NOT EXISTS cortex ai.monitoring.ai functions alert state ALERT NAME VARCHAR NOT NULL, ALERT MONTH DATE NOT NULL, SENT AT TIMESTAMP LTZ DEFAULT CURRENT TIMESTAMP , CREDITS AT ALERT NUMBER 38,6 , PRIMARY KEY ALERT NAME, ALERT MONTH ;-- Alert that fires when monthly AI function spend exceeds threshold:CREATE OR REPLACE ALERT cortex ai.monitoring.ai functions monthly spend alert WAREHOUSE = cowork finance wh SCHEDULE = 'USING CRON 0 UTC' IF EXISTS SELECT 1 FROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI FUNCTIONS USAGE HISTORY WHERE START TIME = DATE TRUNC 'month', CURRENT TIMESTAMP HAVING SUM CREDITS 1000 -- adjust threshold THEN CALL SYSTEM$SEND EMAIL 'ai cost alerts', 'admin@company.com', 'AI Functions Monthly Spend Alert', 'Monthly AI Function credit consumption has exceeded 1000 credits. Please review usage.' ;ALTER ALERT cortex ai.monitoring.ai functions monthly spend alert RESUME; -- ═══════════════════════════════════════════════════════════════════════-- AUTONOMOUS AGENT COST ALERT-- ═══════════════════════════════════════════════════════════════════════-- For proactive agents automations/subscriptions that run without-- interactive sessions. Monitors warehouse-level compute spikes.CREATE OR REPLACE ALERT cortex ai.monitoring.autonomous agent cost alert WAREHOUSE = cowork finance wh SCHEDULE = '5 MINUTE' IF EXISTS SELECT 1 FROM snowflake.account usage.warehouse metering history WHERE start time = DATEADD hour, -1, CURRENT TIMESTAMP AND warehouse name LIKE 'COWORK % WH' GROUP BY warehouse name HAVING SUM credits used 10 THEN CALL SYSTEM$SEND EMAIL 'ai cost alerts', 'platform-team@company.com', 'ALERT: Autonomous Agent High Cost', 'An agent consumed 10 credits in the last hour without interactive session.' ;ALTER ALERT cortex ai.monitoring.autonomous agent cost alert RESUME; From the official docs pattern — enforces per-user monthly credit caps on AI function usage by revoking the AI FUNCTIONS USER ROLE when limits are exceeded. A monthly task restores access at the start of each billing period. Prerequisites run as ACCOUNTADMIN : See: https://docs.snowflake.com/en/user-guide/snowflake-cortex/ai-func-cost-management https://docs.snowflake.com/en/user-guide/snowflake-cortex/ai-func-cost-management for the full implementation with stored procedures. Detects AI function queries exceeding a credit threshold and cancels them. Uses IS COMPLETED = FALSE to identify still-running queries. Note: cancelled queries still incur charges for credits consumed prior to cancellation. Key insight from docs: CORTEX AI FUNCTIONS USAGE HISTORY splits usage into one-hour windows, so a long-running query produces multiple rows. Aggregate by QUERY ID and check BOOLOR AGG IS COMPLETED = FALSE to find still-running queries. -- Detect runaway queries still running, exceeding credit threshold :SELECT QUERY ID, USER ID, FUNCTION NAME, MODEL NAME, MIN START TIME AS first window, MAX END TIME AS latest window, TIMESTAMPDIFF 'minute', MIN START TIME , CURRENT TIMESTAMP AS running minutes, ROUND SUM CREDITS , 4 AS credits consumed so far, BOOLOR AGG IS COMPLETED AS is completedFROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI FUNCTIONS USAGE HISTORYWHERE START TIME = DATEADD 'hour', -6, CURRENT TIMESTAMP GROUP BY 1, 2, 3, 4HAVING BOOLOR AGG IS COMPLETED = FALSE AND SUM CREDITS 2ORDER BY credits consumed so far DESC; -- Automated cancellation procedure:CREATE OR REPLACE PROCEDURE cortex ai.monitoring.cancel runaway ai queries credit threshold NUMBER DEFAULT 5, lookback hours NUMBER DEFAULT 4 RETURNS TABLE query id VARCHAR, credits NUMBER, action VARCHAR LANGUAGE SQLASBEGIN LET res RESULTSET := WITH runaway queries AS SELECT QUERY ID, ROUND SUM CREDITS , 4 AS total credits FROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI FUNCTIONS USAGE HISTORY WHERE START TIME = DATEADD 'hour', -:lookback hours, CURRENT TIMESTAMP GROUP BY 1 HAVING BOOLOR AGG IS COMPLETED = FALSE AND SUM CREDITS :credit threshold SELECT QUERY ID, total credits AS credits, 'DETECTED' AS action FROM runaway queries ; RETURN TABLE res ;END;-- Schedule runaway detection every 10 minutes:CREATE OR REPLACE TASK cortex ai.monitoring.runaway detection task WAREHOUSE = cowork finance wh SCHEDULE = '10 MINUTE'AS CALL cortex ai.monitoring.cancel runaway ai queries 5, 4 ; See: https://docs.snowflake.com/en/user-guide/snowflake-cortex/ai-func-cost-management https://docs.snowflake.com/en/user-guide/snowflake-cortex/ai-func-cost-management Official pattern using SNOWFLAKE.CORE.BUDGET class. Budget enforcement: up to 8 hours standard, 2 hours low-latency. -- Step 1: Tag the agent for budget associationALTER AGENT cortex ai.agents.finance agent SET TAG cortex ai.tags.cost center = 'CC-4200';-- Step 2: Create budget instanceUSE SCHEMA cortex ai.monitoring;CREATE SNOWFLAKE.CORE.BUDGET IF NOT EXISTS agent finance budget ;-- Step 3: Set monthly spending limit credits CALL agent finance budget SET SPENDING LIMIT 500 ;-- Step 4: Associate tag with budgetCALL agent finance budget SET RESOURCE TAGS SELECT SYSTEM$REFERENCE 'TAG', 'cortex ai.tags.cost center', 'SESSION', 'applybudget' , 'CC-4200' , 'UNION' ;-- Step 5: Email notification at 80%CALL agent finance budget SET EMAIL NOTIFICATIONS 'ai cost alerts', 'finops@company.com' ;CALL agent finance budget SET NOTIFICATION THRESHOLD 80 ;-- Step 6: Check budget usageCALL agent finance budget GET SERVICE TYPE USAGE V2 DATE TRUNC 'month', CURRENT DATE ::VARCHAR, CURRENT DATE ::VARCHAR ; Cortex AI Guardrails detect prompt injection and jailbreak attempts. Essential for production agent deployments. -- Enable guardrails account-level, run once :ALTER ACCOUNT SET AI SETTINGS = $$ guardrails: advanced prompt injection: - enabled: true$$;-- Monitor flagged requests potential attacks :SELECT USAGE TIME, USER NAME, AGENTIC SOURCE, REQUEST ID, GUARDRAILS SIGNAL, GUARDRAIL RESULTSFROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI GUARDRAILS USAGE HISTORYWHERE GUARDRAILS SIGNAL = TRUE AND USAGE TIME = DATEADD 'hour', -72, CURRENT TIMESTAMP ORDER BY USAGE TIME DESCLIMIT 50;-- Guardrails alert fires on prompt injection detection :CREATE OR REPLACE ALERT cortex ai.monitoring.guardrails flag alert WAREHOUSE = cowork finance wh SCHEDULE = '15 MINUTE' IF EXISTS SELECT 1 FROM SNOWFLAKE.ACCOUNT USAGE.CORTEX AI GUARDRAILS USAGE HISTORY WHERE GUARDRAILS SIGNAL = TRUE AND USAGE TIME = DATEADD 'minute', -15, CURRENT TIMESTAMP THEN CALL SYSTEM$SEND EMAIL 'ai cost alerts', 'platform-team@company.com', 'SECURITY: Guardrails Flagged Prompt Injection', 'Cortex AI Guardrails detected a possible prompt injection in the last 15 minutes.' ;ALTER ALERT cortex ai.monitoring.guardrails flag alert RESUME; | View | Tracks || ------------------------------------------- | -------------------------- || CORTEX AGENT USAGE HISTORY | Agent token/tool usage || CORTEX AI FUNCTIONS USAGE HISTORY | AI function tokens/credits || CORTEX CODE CLI USAGE HISTORY | Cortex Code CLI || CORTEX CODE SNOWSIGHT USAGE HISTORY | Cortex Code in Snowsight || CORTEX ANALYST USAGE HISTORY | Cortex Analyst messages || CORTEX FINE TUNING USAGE HISTORY | Fine-tuning time || CORTEX PROVISIONED THROUGHPUT USAGE HISTORY | PTU hours || CORTEX SEARCH DAILY USAGE HISTORY | Search serving + tokens || SNOWFLAKE INTELLIGENCE USAGE HISTORY | CoWork/Intelligence tokens || CORTEX REST API USAGE HISTORY | REST API tokens currency || CORTEX AI GUARDRAILS USAGE HISTORY | Guardrails tokens | | Feature | Budget Type || ------------------------ | -------------------------------------- || Cortex Agents | Resource budgets, shared resource || Cortex AI Functions | Shared resource budgets || Cortex Code CLI | Shared resource budgets, credit limits || Cortex Code in Snowsight | Shared resource budgets, credit limits || Snowflake CoWork | Resource budgets, shared resource || Cortex Search | Planned not yet available || Cortex Analyst | Not supported nor planned || Cortex Fine-tuning | Not supported nor planned | Budget enforcement timing: actions can take up to 8 hours under normal operation, or up to 2 hours with latency-optimized option. Budgets support stored procedure triggers at percentage thresholds. The surprise: Statement timeouts Layer 2 are more effective than resource monitors for controlling agent costs in real-time. Capping per-query execution at 120s prevents worst-case scenarios entirely — even if the agent loops 20 times, total compute is bounded. The limitation the docs don’t make obvious: Three latency gaps stack: CORTEX AI FUNCTIONS USAGE HISTORY has up to 10 minutes latency. Budget evaluation adds 2–8 hours on top. Tag changes reflected in budgets can take another 8 hours. Combined, there’s a meaningful window between an agent overspending and any automated response. The other limitation: Agent budgets and CoWork budgets are separate scopes. A request entering through CoWork that calls your agent is attributed to CoWork, not the agent. If you only budget the agent, CoWork usage flies under the radar. Budget both. My recommendation: One X-Small warehouse per agent domain. Don’t share with analytics workloads. Agents are bursty and iterative; shared warehouses make attribution impossible and risk loops affecting scheduled jobs. Pair with CORTEX AGENT USAGE HISTORY TOKEN CREDITS column, not CREDITS and SNOWFLAKE INTELLIGENCE USAGE HISTORY together for complete coverage across direct agent and CoWork-initiated calls. Governing CoWork requires solving two problems: data access existing RBAC with correct privilege types — USAGE on semantic views, search services, and agents and compute consumption layered cost controls across warehouse and serverless dimensions . Resource budgets and CORTEX AI FUNCTIONS USAGE HISTORY close the serverless visibility gap, but budget enforcement latency 2–8 hours means statement timeouts remain your fastest line of defense. Admin-defined policies add a third dimension: action governance — what agents do autonomously vs. what needs human sign-off. With proactive agents coming, this three-dimensional governance model access + compute + action becomes non-negotiable for enterprise deployment. Next: Article 5 — CoWork in Production: Monitoring, Troubleshooting, and Performance Patterns. Deployment Code: The complete SQL scripts, stored procedures, and task definitions from this article are available on GitHub. If this was useful — give it a clap 👏, share it with someone building on Snowflake, and subscribe to Snowflake Chronicles https://medium.com/@snowflakechronicles so you don’t miss the next one. Every piece is practitioner-first and production-focused. Let’s connect on LinkedIn https://linkedin.com/in/satishkumar-snowflake . Disclaimer: All views expressed are my own and do not reflect those of any current or former employer. SnowflakeChronicles Snowflake AIGovernance CortexAgents DataArchitecture My CoWork Agent Burned Through $800 in Credits Before Anyone Noticed https://pub.towardsai.net/my-cowork-agent-burned-through-800-in-credits-before-anyone-noticed-56e15319f6c3 was originally published in Towards AI https://pub.towardsai.net on Medium, where people are continuing the conversation by highlighting and responding to this story.