Usage-based AI needs the same safety engineering as any “expensive actuator”: rate limits, quotas, and automatic shutdown thresholds. Otherwise a leaked key becomes an unbounded liability.

This reads like an “incident without guardrails”: per-project caps/quotas, anomaly alerts (minutes), env-split keys, and an automated kill-switch should be defaults for usage-based APIs. Billing emails are post-mortems.