Last Tuesday a Slack message landed in our FinOps channel that read, in full: "Why did the prod-ml-batch-eval workload's compute cost jump 38% week-over-week, and which account owns it?" It was answered in 14 seconds by the new AWS FinOps Agent, which produced a five-paragraph response tracing the cost spike to a specific SageMaker training-job change in the acme-ml-eval account, with the linked Cost Explorer view, the affected resource IDs, and a recommended action to cap the on-demand instance type that had been silently added to the autoscaling group the previous Friday.
That kind of question, asked in plain English and answered in plain English, is exactly what the AWS FinOps Agent is for. It is the third in a family of AWS-managed, pre-built "frontier agents" for IT operations: AWS DevOps Agent shipped in April 2026, AWS Security Agent followed in May, and AWS FinOps Agent is the June launch. The pattern is unmistakable. AWS is shipping purpose-built, domain-specific AI agents that you configure rather than build, and FinOps is the latest operational domain to get one.
This article is the deep dive I wanted before I let the agent loose on our production accounts. It covers what the agent actually does, the user experience inside Slack and Jira, the five things it does that DIY FinOps tooling does not, the four things it deliberately does not do, the comparison table against Kubecost, Vantage, CloudZero, and Spot.io, the FinOps maturity model that places it in the Walk tier, and the three anti-patterns to avoid when you turn it on.
What a "frontier agent" is, in AWS terms
The phrase "frontier agent" in the AWS product context has a specific meaning that is easy to misread. A frontier agent is a pre-built, managed AI agent that AWS ships as a service. You do not write the agent. You do not host the agent. You do not choose the model, the embeddings, the tool set, the system prompt, or the verifier. You configure the data sources (which AWS services it can read), the scope (which accounts, which OUs, which regions), the channels (which Slack workspaces, which Jira projects), and the policy (which actions require human approval, which can run autonomously). The agent itself is AWS-operated and AWS-updated, the same way a managed database or a managed Kubernetes service is.
This is a different product category from Bedrock Agents, which are building blocks you assemble yourself, and from a custom LangGraph / CrewAI / AutoGen agent you would build on top of the model APIs. The frontier-agent category is closer to a managed-service primitive: you get the operational capability, AWS owns the implementation, and the upgrade path is implicit. When AWS ships a new model, the agent gets it. When AWS adds a new cost data source, the agent gets it. You do not migrate.
The first two frontier agents in the family were:
- AWS DevOps Agent (April 2026) — investigates and remediates operational issues across ECS, EKS, Lambda, and EC2. Posts findings to Slack, opens Jira tickets for human follow-up, and runs pre-approved remediation actions like restarting a stuck pod or rolling back a bad deployment.
- AWS Security Agent (May 2026) — triages GuardDuty findings, correlates with VPC flow logs and IAM Access Analyzer, and drafts response playbooks inside Slack. The Security Agent does not run remediation actions autonomously; it is read-by-default with explicit human approval for any write.
The AWS FinOps Agent is the third. It follows the same architectural pattern — managed agent, configured scope, Slack/Jira-native UX, read-by-default with explicit policy on what can run autonomously — but the data sources are the cost-and-billing layer instead of the operational or security layer.
What the AWS FinOps Agent does, in detail
The agent's job is to answer cost questions and investigate cost anomalies in plain English, with the answer grounded in actual AWS billing data. The data sources it reads are the ones you would expect: AWS Cost Explorer, AWS Cost Anomaly Detection, AWS Budgets, AWS Cost and Usage Reports (CUR), and the Resource Explorer. It does not read CloudWatch metrics, CloudTrail events, or application logs — that is the DevOps Agent's job. It does not read GuardDuty findings or IAM Access Analyzer — that is the Security Agent's job. The FinOps Agent is scoped tightly to cost and billing.
The user experience lives in Slack and Jira, with the agent posting in channels you configure and answering direct messages from authorized users. A typical interaction follows this shape:
- User asks a question in Slack: "Why did yesterday's EC2 bill go up 22%?"
- Agent reads the Cost Explorer data for the previous 7 days, the Cost Anomaly Detection alerts in the same window, and the CUR for the affected accounts.
- Agent investigates: it correlates the 22% spike with specific instance launches, identifies the OU and account, checks the launch templates for recent changes, and cross-references the Billing & Cost Management console's recent changes view.
- Agent responds in the Slack thread with a structured answer: the affected account, the resource IDs, the dollar amount, the percent change vs. baseline, the likely cause, and (where configured) a recommended action.
- If the recommended action is in the pre-approved policy (e.g., stop a specific instance, apply a specific Savings Plan recommendation), the agent takes it and posts the action receipt in the thread. If not, it drafts a Jira ticket for human review.
What makes the response useful is the investigation step. The agent is not just "what was my bill last month" — that is a Cost Explorer query. The agent is "trace this 22% spike to a specific resource and tell me why it happened," which is the thing most FinOps teams spend hours on in spreadsheets every month. The agent's investigation is grounded in actual CUR data, not in summaries, and the response links back to the Cost Explorer view it used so the human can verify.
The Jira integration is the same pattern in a different channel. A cost question raised in a Jira ticket (typical for a finance team, an FP&A partner, or an executive review) gets the same response shape, with the answer posted as a ticket comment and the linked Cost Explorer view embedded.
The 5 things AWS FinOps Agent does that DIY FinOps tooling does not
There is no shortage of FinOps tooling. CloudZero, Vantage, Spot.io, Kubecost, and the AWS native tools all give you cost visibility. What the AWS FinOps Agent adds is the natural-language investigation layer on top of that visibility, in the channels where cost conversations already happen. The five capabilities that are genuinely new in this combination:
1. Natural-language Q&A over cost data
Cost Explorer is powerful but it has a learning curve. The CUR is raw and unwieldy. Most engineering teams will never build a CUR query in their career. The FinOps Agent turns "what was the cost of the prod-ml-batch-eval workload last week, broken down by instance type" into a Slack message that returns the same answer a senior FinOps analyst would give you, with the supporting Cost Explorer view linked. No DSL to learn, no dashboard to read, no Slack message to your FinOps team asking them to look it up.
2. Auto-investigation, not just data retrieval
This is the biggest differentiator. Most FinOps dashboards tell you what your cost was. The FinOps Agent tells you why it changed, in the same response. The auto-investigation step is the one that turns a question into an answer: tracing a 22% spike to a specific resource, a specific change, a specific user, a specific ticket. That is the work a FinOps analyst does today; the agent does it in 14 seconds.
3. Slack and Jira as the primary UX
No new tool to learn, no new login, no new dashboard to check. The FinOps Agent lives in the channels where cost conversations already happen. For most engineering organizations, that is Slack. For most finance and FP&A teams, that is Jira. The agent meets the questioner where they are, which is the thing most FinOps platforms get wrong (they expect everyone to learn their platform, instead of meeting people in the tools they already use).
4. Cross-account and cross-OU correlation in one query
Most FinOps tooling shows you cost per account or per OU, and you have to pivot manually to see how a workload's cost distributes across linked accounts. The FinOps Agent correlates across accounts in a single response. For organizations running AWS Organizations with dozens or hundreds of linked accounts, this is a 10x reduction in the time it takes to answer "where did the spend go" — the agent does the cross-account join for you, instead of exporting three CURs to a spreadsheet and pivoting.
5. AWS-managed, with the upgrade path implicit
You do not host the agent. You do not upgrade the agent. You do not patch the agent. When AWS adds a new cost data source, the agent reads it. When AWS ships a new model, the agent gets it. The operational burden is "configure scope and channels" — everything else is AWS. For teams that already trust AWS-managed services for databases (RDS, Aurora), Kubernetes (EKS), or data warehousing (Redshift), trusting AWS to operate the FinOps Agent is a small additional step.
The 4 things AWS FinOps Agent does NOT do
Honest framing matters. The agent is not a replacement for the specialized FinOps tooling that exists today, and the limits are deliberate. Calling them out so the article is not a sales pitch:
1. Multi-cloud cost visibility (AWS only)
The agent reads AWS billing data and only AWS billing data. If you have a meaningful footprint in GCP or Azure — and the typical Stack Pulsar reader does, in 2026 — the agent will not see those costs. For multi-cloud FinOps, the right answer is still Vantage, CloudZero, or Spot.io by NetApp, all of which normalize spend across providers. The AWS FinOps Agent is the deep-AWS layer; the multi-cloud layer is something else.
2. Kubernetes cost attribution
The agent does not have visibility into Kubernetes namespace, deployment, or pod-level cost attribution. It sees the underlying EC2, EKS, and EBS costs, but not how those costs map to workloads inside a cluster. For Kubernetes-native cost attribution, Kubecost is still the right tool — the free tier handles single-cluster attribution, and the enterprise tier adds multi-cluster, chargeback, and efficiency recommendations. The AWS FinOps Agent and Kubecost are complementary, not competitive.
3. LLM cost attribution
The agent does not see token-level cost attribution for LLM workloads. If you are running inference on Bedrock, the agent can tell you the cost of the Bedrock service; it cannot tell you the cost of the customer-support-summarization workflow that is driving 60% of your Bedrock spend. For LLM cost attribution, the right tools are Helicone, Portkey, or Langfuse, all of which instrument the LLM call and attribute cost to workflow, model, and user. We covered this in detail in LLM FinOps 2026.
4. Custom FinOps policies and showback / chargeback
The agent answers questions and investigates anomalies. It does not enforce custom FinOps policies (the OPA / Cedar layer is still needed for that), and it does not produce showback or chargeback reports (the agent posts answers in Slack threads, not formatted financial reports). For the policy-engine and the finance-reporting layer, the right tools are still OPA, Vantage, CloudZero, or a homegrown system built on the CUR.
The comparison table: AWS FinOps Agent vs the FinOps tooling stack
Here is where the AWS FinOps Agent actually fits, and what it does not displace. Eight columns: the four FinOps-tooling incumbents plus the AWS FinOps Agent, on the eight capabilities that matter for a 2026 FinOps stack.
| Capability | AWS FinOps Agent | Kubecost | Vantage | CloudZero | Spot.io |
|---|---|---|---|---|---|
| Cost anomaly detection | Yes (auto-investigation in Slack) | Partial (alerts, not investigation) | Yes (alerts + recommendations) | Yes (anomaly + unit economics) | Yes (Spot interruption alerts) |
| Multi-cloud visibility | No (AWS only) | Partial (K8s layer only) | Yes (AWS/GCP/Azure) | Yes (AWS/GCP/Azure) | Yes (AWS/GCP/Azure) |
| Kubernetes cost attribution | No | Yes (the category leader) | Partial (K8s metadata, not allocation) | Partial (via integrations) | Yes (via Ocean for K8s) |
| LLM cost attribution | No | No | Partial (Bedrock cost only) | Partial (Bedrock cost only) | No |
| Natural-language Q&A | Yes (the differentiator) | No | No (SQL queries, dashboard) | No (dashboard, reports) | No |
| Slack / Jira native UX | Yes (the primary UX) | No (UI, Grafana) | No (web app) | No (web app) | No (web app) |
| AWS-native depth | Yes (CUR, Cost Explorer, Budgets, Anomaly Detection) | Partial (CUR + cluster) | Yes (deep CUR analysis) | Yes (deep CUR + tagging) | Yes (CUR + Spot automation) |
| Custom FinOps policy engine | No (pre-approved actions only) | No (recommendations) | Yes (policies + budgets) | Yes (unit-economics policies) | Yes (automation policies) |
The pattern that falls out of the table: the AWS FinOps Agent is the best-in-class answer for natural-language investigation of AWS spend, and it is complementary to everything else. A 2026 FinOps stack that pairs the AWS FinOps Agent with Kubecost (for K8s), Helicone (for LLM cost), and Vantage (for multi-cloud) covers the full surface. None of the four are displaced by the agent; each covers a different layer of the cost problem.
The FinOps maturity model with AWS FinOps Agent in the Walk tier
Most organizations move through three FinOps phases. The Crawl tier is visibility. The Walk tier is action on that visibility. The Run tier is cost as a first-class engineering constraint. Where the AWS FinOps Agent fits, and what each tier actually looks like in 2026:
Crawl: Cost Explorer + Budgets
You can see what you spent. Cost Explorer is on, budgets are configured, the monthly bill email goes to a distribution list. This is where most teams are in their first 6 months of FinOps work, and it is the prerequisite for everything that follows. The Crawl tier is necessary but insufficient: you cannot act on a problem you cannot see, but you also cannot optimize a system you only observe retrospectively.
The Crawl-tier cost is mostly awareness. The FinOps Foundation's 2025 State of FinOps report (which I cite in the Cloud FinOps pillar article) puts the typical Crawl-tier savings at 5-10%, mostly from right-sizing recommendations and untagged-resource cleanup.
Walk: AWS FinOps Agent + Cost Anomaly Detection + alerts in Slack
You act on the visibility. The agent investigates cost anomalies, posts answers in Slack, and runs pre-approved remediation actions. Cost Anomaly Detection is on, with alerts routed to the FinOps channel. Budget alerts are wired to PagerDuty for the 90% threshold. Right-sizing recommendations from Cost Explorer are reviewed weekly, not quarterly.
The Walk tier is where the AWS FinOps Agent lives, and it is the right answer for the 60-70% of organizations that are past Crawl but not yet at Run. The agent's natural-language investigation is the missing tool that turns the Walk tier from a monthly-staff-meeting exercise into a real-time-engineering discipline. A Walk-tier team typically sees 15-25% cost reduction in the first 6 months of agent deployment, with the savings coming from faster anomaly detection (caught in minutes instead of the end-of-month bill) and pre-approved remediation actions (resources stopped before they cost real money).
Run: Vantage / CloudZero + custom policies + per-team chargeback
Cost is a first-class engineering constraint. Each team has its own budget, its own cost dashboard, and its own chargeback report. Custom FinOps policies (OPA / Cedar) block non-compliant resources at deploy time. Multi-cloud cost is normalized across AWS, GCP, and Azure. The FinOps practice has its own engineering owner, its own OKRs, and its own quarterly review.
The Run-tier cost is 25-40% below the Walk-tier baseline, but the savings are mostly structural (right-sized architecture, not tactical stop-this-instance actions). The Run tier is also where the multi-cloud and Kubernetes layers become material — the Vantage / CloudZero / Kubecost pair is what makes the cross-cloud, cross-cluster cost story coherent. The AWS FinOps Agent can still be part of a Run-tier stack, but it is one tool of many, not the primary interface.
The 3 anti-patterns to avoid with AWS FinOps Agent
The agent is a force multiplier. Force multipliers amplify both the good patterns and the bad ones, and the FinOps Agent is no exception. Three anti-patterns I would call out before turning it on in a production environment:
Anti-pattern 1: Treating it as a replacement for K8s / LLM cost tools
The agent does not see Kubernetes namespace-level cost. It does not see LLM token-level cost. If you turn on the agent and decommission Kubecost and Helicone, you will lose the visibility that those tools provided and the agent will not recover it. The right pattern: the agent is the natural-language layer on top of AWS-native cost data. Kubecost, Helicone, and the LLM-observability stack remain in place to cover the layers the agent does not see.
Anti-pattern 2: Letting it make autonomous changes without a human-in-the-loop
The agent can run pre-approved actions: stop an instance, apply a Savings Plan recommendation, cap an autoscaling group. Pre-approved is not the same as safe. Every pre-approved action should have a corresponding dry-run mode, a Slack thread where the action is announced before it runs, and a rollback path. The defaults that AWS ships with the agent are conservative (read-by-default, write-only-on-explicit-approval) — keep them conservative, and add to the approved list only after each action has been observed in dry-run for a full billing cycle.
Anti-pattern 3: Ignoring the data-residency implications for EU enterprises
The agent is an AWS-managed service. The cost data it processes is the same data you already share with AWS, but the natural-language Q&A flow adds an LLM inference layer to the data path. EU enterprises subject to GDPR, the EU Data Act, or sector-specific data-residency rules need to confirm that the agent's inference path stays in-region (which is the AWS default for most regions, but should be explicitly verified), and that the data the agent sees (account IDs, resource IDs, Slack workspace IDs, Jira project keys) is captured in the DPIA for the agent deployment. The agent is sovereign-friendly by design, but sovereign-by-default is a configuration choice, not a guarantee.
How to deploy the AWS FinOps Agent: a 30-day plan
For teams that want to do this systematically, here is a realistic 30-day plan that produces a useful answer in production without disrupting the existing FinOps practice.
Days 1-7: scope the deployment. Identify the AWS accounts and OUs the agent will see (start with one OU that has high cost variance, not the whole org). Identify the Slack channels the agent will post in (typically the FinOps channel and a per-team cost channel). Identify the Jira projects the agent will file tickets in. Write a one-page scope document and get sign-off from FinOps, Security, and the platform team.
Days 8-14: turn it on in observe-only mode. Configure the agent with no pre-approved actions. Let it answer questions and investigate anomalies, but do not let it take any write actions. Run a set of test questions through the Slack interface: cost spikes, cost trends, account-level breakdowns. Review the answers for accuracy. Adjust the scope if the agent is seeing too much or too little.
Days 15-21: tune the auto-investigation. Add a small set of pre-approved actions (typically: stop an instance that has been idle for 14+ days, alert on a 50%+ cost spike in any account, file a Jira ticket for any anomaly above a dollar threshold). Run each in dry-run mode first. Watch the Slack threads for false positives. Tune the thresholds.
Days 22-30: expand scope and document the policy. Add the remaining OUs to the agent's scope. Add the next tier of pre-approved actions (Savings Plan recommendations, Reserved Instance modifications). Document the policy: which actions are pre-approved, which require human approval, which are not allowed. Train the FinOps team on the agent's capabilities and the on-call rotation for the agent's output.
By the end of 30 days, a typical team running 50+ AWS accounts in a multi-account org should see:
- 15-25% reduction in time spent on cost-anomaly investigation (the agent does the cross-account correlation)
- Faster detection of cost spikes (minutes instead of end-of-month bill)
- A real-time FinOps practice that lives in Slack and Jira, not in monthly meetings
- Measurable cost savings from the pre-approved actions, typically 8-15% of total AWS spend in the first quarter
Conclusion: the frontier-agent era is here
AWS just shipped its third frontier agent for IT operations. The DevOps Agent was the operational layer. The Security Agent was the security layer. The FinOps Agent is the cost layer. The pattern is unmistakable: AWS is building a managed-agent family that covers each major operational domain, and the agents are designed to meet teams in the channels where the work already happens — Slack and Jira, not a new dashboard.
The honest read: the AWS FinOps Agent is the best-in-class answer for natural-language investigation of AWS spend, and it is complementary to the rest of the FinOps tooling stack. Kubecost still wins on Kubernetes cost attribution. Helicone and Portkey still win on LLM cost attribution. Vantage and CloudZero still win on multi-cloud. The agent does not displace any of them; it adds the natural-language investigation layer that the rest of the stack does not have.
The teams that win on FinOps in 2026-2027 are the ones that turn the agent on, pair it with the right complementary tooling, and resist the temptation to over-trust the pre-approved actions. The agent is a force multiplier. Use it to multiply the FinOps practice you already have, not to replace the parts of the practice that the agent does not cover.
For the broader FinOps pillar coverage — including the Cloud FinOps guide, LLM FinOps strategies, Kubernetes cost optimization, and the per-workflow AI cost pattern — see Cloud FinOps in 2026, LLM FinOps 2026, Kubernetes Cost Optimization, and AI Cost by Workflow. For the broader agentic-infrastructure context, see Agentic AI Infrastructure for DevOps and Platform Engineers.
Tools that help
Vantage is the multi-cloud cost visibility layer that pairs with the AWS FinOps Agent. The agent handles natural-language Q&A over your AWS spend; Vantage handles the GCP and Azure spend, the multi-cloud normalization, and the per-team chargeback reports. Together they cover the full cost surface — AWS via the agent, multi-cloud via Vantage, Kubernetes via the Kubecost integration.
CloudZero is the cost-intelligence platform for engineering teams that need unit economics — cost per customer, cost per feature, cost per deployment. The unit-economics layer is what the AWS FinOps Agent does not do. If you need to answer 'what does it cost us to serve customer X,' CloudZero is the right tool. The AWS FinOps Agent is the natural-language investigation layer; CloudZero is the per-customer cost-attribution layer.
Kubecost is the Kubernetes-native cost attribution layer that the AWS FinOps Agent does not replace. The agent sees the underlying EC2 and EKS cost; Kubecost sees the namespace, deployment, and pod-level attribution that the agent does not. Together: the agent answers cost questions across AWS accounts in plain English, and Kubecost attributes that cost to the specific workloads inside the cluster. The free tier handles single-cluster attribution; the enterprise tier adds multi-cluster and chargeback.
Helicone is the LLM cost attribution layer that the AWS FinOps Agent does not replace. The agent sees Bedrock cost at the service level; Helicone sees the token-level, per-workflow cost of every LLM call. If you are running LLM inference at scale, the per-workflow cost dashboard is the missing visibility. Helicone integrates with the agent-friendly observability stack (OpenTelemetry, Langfuse, Arize Phoenix) and is the standard answer for LLM FinOps.
Free Newsletter
Get one analysis like this every week
The Stack Pulse covers production AI incidents, FinOps playbooks, and infrastructure patterns - written for engineers who operate at scale.
Subscribe Free