Slide 22 of 27 · Part 4 · Prevention · Mitigation Category 4 of 6
Enforce limits at the infrastructure layer, not just the application layer.
📄 OWASP LLM Top 10:2025 · LLM10 Prevention — API Gateway Controls
M4 — API Gateway Controls & Budget Alerts
Set hard spending caps and real-time budget alerts at the provider or gateway level

"Implement cost controls and budget alerts at the API gateway or provider level to prevent unexpected cost overruns." "Set spending limits that automatically cut off access when a threshold is crossed, not just alert."

The Sourcegraph incident was detected by noticing a usage spike — after it had already resulted in massive consumption. Had a budget alert been configured at 2x normal usage, it would have fired within the first hour. Instead, the spike ran for most of the day before the team manually noticed it. No API-level kill switch was configured.

→ Configure spending limits at the provider level (OpenAI, Anthropic, Azure OpenAI all support this).
→ Set alerts at 50%, 80%, and 100% of your monthly budget — each to a different escalation path.
→ Hard cutoff: configure the provider to stop accepting requests when the hard limit is hit, not just alert.
→ Separate limits for production vs. development environments. Dev environments often have no limits at all.
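
As an added illustration (not code from the slide deck or from OWASP), a minimal gateway-side budget guard in Python that puts the four points above into one component: a per-environment limit, alerts at 50%, 80% and 100% each routed to its own escalation path, and a hard cutoff that refuses requests instead of only alerting. The escalation path names, per-request costs and the spike scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Alert tiers as a fraction of the monthly budget, each mapped to a
# different escalation path (names are constructed for this example).
ESCALATION = {0.5: "email-owner", 0.8: "page-oncall", 1.0: "incident-channel"}


@dataclass
class BudgetGuard:
    """Per-environment spend tracker with tiered alerts and a hard cutoff."""
    env: str
    monthly_limit_usd: float
    notify: Callable[[str, str], None]   # (escalation_path, message)
    spent_usd: float = 0.0
    fired: set = field(default_factory=set)
    cut_off: bool = False

    def admit(self, estimated_cost_usd: float) -> bool:
        """Gateway pre-check; False means refuse the request (kill switch)."""
        if self.cut_off or self.spent_usd + estimated_cost_usd > self.monthly_limit_usd:
            self.cut_off = True
            return False
        return True

    def record(self, actual_cost_usd: float) -> None:
        """Post-response accounting with provider-reported cost; each tier
        fires once and goes to its own path; 100% also trips the cutoff."""
        self.spent_usd += actual_cost_usd
        frac = self.spent_usd / self.monthly_limit_usd
        for threshold, path in sorted(ESCALATION.items()):
            if frac >= threshold and threshold not in self.fired:
                self.fired.add(threshold)
                self.notify(path, f"[{self.env}] ${self.spent_usd:.2f} spent "
                                  f"= {frac:.0%} of ${self.monthly_limit_usd:.2f}")
        if frac >= 1.0:
            self.cut_off = True


def simulate_spike(env: str, limit_usd: float, requests: int, cost_each: float):
    """Constructed scenario: a run of identical calls, the runaway-loop shape
    of the Sourcegraph-style spike. Returns (served, refused, alert paths)."""
    events = []
    guard = BudgetGuard(env, limit_usd, lambda path, msg: events.append((path, msg)))
    served = refused = 0
    for _ in range(requests):
        if guard.admit(cost_each):
            guard.record(cost_each)
            served += 1
        else:
            refused += 1
    return served, refused, [path for path, _ in events]
```

Running `simulate_spike("prod", 100.0, 250, 0.5)` serves 200 requests, refuses the remaining 50, and has fired all three escalation paths in order; a separately configured dev guard with its own smaller limit is checked the same way.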

Log into your LLM provider’s dashboard right now. Is there a spending limit configured? Is there an alert? If not, this control doesn’t exist. A $50 monthly alert is better than nothing.
