Start free trial

By Yair Knijn · January 22, 2026

The AWS account a team opened on a personal card, until finance found the spend

I trust my dashboards on everything they can see. The problem is the account nobody told me to look for, the one that was never joined to our AWS Organization. A product team needed an environment last quarter, the platform queue was two weeks deep, so an engineer opened a fresh account on a personal card and started shipping. It does not roll up into the consolidated bill. It does not draw from the commitment pool. It appears in no allocation report I run.

The mistake is assuming your account inventory equals the cloud you pay for. It only equals the cloud you chose to enroll. The gap between those two is where the money goes dark.

How a team opens an account you never see

Inside an organization you have CreateAccount and a clean audit trail. Outside it, nothing stops an engineer from hitting the signup page with a credit card and standing up a brand-new payer account before lunch. No API exists that lists every account your employees own under their own name. So the real question is not whether someone has done this. In most organizations of any size, someone has. The question is whether you catch it before the spend gets large enough to embarrass you in a board deck.

Spend that misses the commitment pool entirely

Here is where it costs you twice. Consolidated billing pools usage, so a Savings Plan or Reserved Instance bought against one account quietly covers identical usage in another. A shadow account sits outside that pool and pays full on-demand for the exact instance family you are already over-committed on elsewhere. You can carry unused commitment in the consolidated org and pay rack rate in the rogue account in the same hour, for the same workload, and never see the two facts side by side.

Volume tiering fails the same way. S3 and data-transfer pricing steps down as aggregate usage climbs, and consolidated billing sums every member account before it applies the tier. A shadow account starts its meter back at tier one. You lose a discount you already earned, on spend you cannot even attribute.

Why shadow accounts break showback and forecasting

Showback is a closed accounting of a known total. The moment a dollar lives outside that total, every percentage you report runs against the wrong denominator. The team on the shadow account looks cheaper than it is, because part of its bill never reached your model. Your forecast inherits that hole and carries it forward, month after month.

Organization-level controls and account discovery

You cannot tag your way out of an account you don't know exists, so discovery has to come before governance. Pull the signals you already hold: corporate-card transactions to aws.amazon.com, expense reports filed for cloud spend, DNS or SSO logs pointing at consoles you do not manage. A service control policy can block new standalone accounts under identities you control, and AWS now lets you stop members from leaving the organization. Both shrink the surface. Neither finds what already escaped. So treat discovery as a standing job, not a one-time sweep, and invite each found account into the org the day it surfaces.

Bringing rogue spend back under one bill

Once an account joins your organization the cleanup is fast. Its usage feeds the commitment pool, your existing Savings Plans start covering it, and its line items finally land in allocation. The spend was always yours. It was just uncounted.

Cloud Horizons treats account inventory as part of cost governance, so a new workspace gets flagged the moment it shows spend sitting outside your consolidated organization, well before it grows large enough to find you first. If you want every account on one bill and in one forecast, that is where to start. The lesson a director learns the hard way is plain enough: your cost governance is only as complete as your account list, and the accounts you forgot to count are the ones writing the biggest checks.