The Agent Budget Becomes the Carbon Gate
A June 2026 arXiv paper turns agent cost and carbon from dashboard metrics into runtime constraints: a budget breach detected after the agent acts cannot un-spend the tokens or un-emit the carbon.
A carbon gate is not a sustainability claim by itself. It is a runtime admission rule for a proposed next action: forecast token cost, dollar cost, energy proxy, and carbon proxy; compare them with the remaining budget and the governing policy; then admit, down-route, stop, or escalate before execution.
From Dashboard to Gate
The paper, arXiv:2606.15954 [cs.SE], is Gaston Besanson's Green SARC: Predictive Cost and Carbon Governance for Agentic AI Systems. arXiv records submission on June 14, 2026, and lists Software Engineering as the primary subject, with Artificial Intelligence, Distributed, Parallel, and Cluster Computing, and Machine Learning as additional subjects.
The paper starts from a practical defect in agent operations. A normal model call has a bounded cost. A tool-using agent emits a runtime-determined sequence of model calls, tool invocations, retries, and sub-agent work. The bill and the energy draw are therefore properties of the execution trace, not only the prompt.
The important governance move is architectural. A month-end cost report can explain what happened, but it cannot reverse the spend. A carbon dashboard can display emissions, but it cannot undo them. Green SARC argues that cost and carbon controls should sit inside the agent loop before the next action fires.
Current Context
As of June 25, 2026, Green SARC is an arXiv v1 paper and an open-source alpha implementation, not a regulatory standard or proof that any deployed agent is sustainable. The repository describes v0.3.0 as adding runtime conformal calibration, real-arrival ablations on BurstGPT, real-grid sensitivity using ElectricityMaps zones, multi-step SWE-rebench trajectory analysis, and an adversarial threat model. That makes it useful evidence for runtime design, not a certification scheme.
The wider energy context makes the paper timely. IEA's 2026 update says global data-center electricity demand grew 17 percent in 2025, while AI-focused data-center consumption grew 50 percent. Its central projection keeps total data-center electricity demand close to a doubling path, from 485 TWh in 2025 to 950 TWh in 2030, with AI-focused data centers tripling over that period. IEA also warns that reasoning, video-generation, and agentic tasks can change the energy picture relative to simple text generation.
FinOps practice is also moving toward combined cost and sustainability accounting. The FinOps Foundation's sustainability capability calls for carbon and emissions data to be incorporated into cost allocation, forecasting, and unit economics. OpenTelemetry's GenAI semantic conventions give a parallel telemetry vocabulary for model and agent operations, including input tokens, output tokens, reasoning-output tokens, workflow names, tool execution, and retrieval. Green SARC sits where these threads meet: cost allocation, runtime telemetry, and carbon-aware execution.
The boundary should stay visible. The GHG Protocol Scope 2 Guidance standardizes corporate accounting for purchased electricity and energy instruments. A runtime carbon proxy can help choose or block an action, but it is not the same thing as an audited corporate greenhouse-gas inventory, a location-based or market-based Scope 2 disclosure, or proof that a clean-energy purchase was additional and deliverable.
Gate Boundary
The governed object is the admission event for an agent action, not the model in general and not the company's climate inventory. A useful gate has three separable parts: an estimator that predicts cost and carbon before execution, a policy that says which tradeoffs are allowed, and evidence that shows forecast, decision, actual result, residual error, and escalation path. Without the estimator, it is only accounting. Without the policy, it is only optimization. Without the evidence, it is only a private claim.
The carbon gate should also sit below higher-priority safety and rights constraints. If a task needs a stronger model, a longer context, an accessibility feature, a human review step, or a legally required retention path, the gate should reserve more budget, escalate, or deny the workflow. It should not silently degrade quality or oversight to make the carbon proxy look better. This is why the page belongs beside the safety-case release gate, AI safety cases, and model routing and AI gateways.
What Green SARC Enforces
Green SARC applies the SARC governance-by-architecture frame to financial and environmental cost. The four enforcement sites are a Pre-Action Gate, an Action-Time Monitor, a Post-Action Auditor, and an Escalation Router. The Pre-Action Gate forecasts whether the proposed action fits the remaining token budget and carbon ceiling. The monitor handles loop and marginal-cost limits. The auditor records predicted versus actual cost and carbon. The router sends exhausted or rejected work to a fallback or human review path.
The paper is careful to decouple cost from correctness. A cheap agent can still be unsafe or wrong. A correct agent can still be ruinously expensive. Green SARC governs token, dollar, and carbon predicates; it does not claim to govern truth, legality, or task quality. That separation is useful because it stops sustainability language from becoming a vague virtue claim. It asks for an enforceable predicate and a trace.
The gate is predictive rather than merely accounting-based. The paper discusses a Normal-sigma gate, split-conformal calibration, and adaptive conformal analysis for drift. The practical lesson is not that one statistical method is a permanent answer. It is that a deployment should record forecast, actual, residual, operating point, and what happened after a miss.
Measurement Boundary
The measurement chain has several links: tokens, model route, tool calls, context length, batch behavior, accelerator and server energy, facility overhead, region, time, grid carbon intensity, price table, and accounting method. Green SARC's paper uses a linear per-token energy proxy and then tests sensitivity with measured hourly carbon-intensity data for Italy and California. That is a useful experimental boundary, but it is still a proxy.
A production carbon gate should therefore say what it is enforcing. It might enforce token budget, dollar budget, estimated watt-hours, estimated grams CO2e, region-specific carbon intensity, time-of-day intensity, or a combined policy. Those are related but not identical. Routing to a cheaper model can lower dollars without lowering tokens. Routing to a lower-carbon region can lower estimated emissions while changing latency, data residency, or reliability. A scope cap can reduce tokens while also reducing quality or truncating useful work.
The strongest claim a gate can make is operational: under this estimator, at this confidence level, with this carbon-intensity source and this budget, the system admitted or rejected this next action. Broader claims about sustainability, net-zero progress, avoided emissions, or grid impact need separate evidence.
The State Snowball
The paper names the "State Snowball": a multi-agent loop in which each step resubmits the full accreted context, making cumulative prompt cost grow quadratically with loop depth. On 3,000 SWE-rebench OpenHands trajectories, the paper reports positive quadratic curvature for every trajectory, with median curvature 216 exceeding the constant-accretion prediction of 134.
That result is narrower than a slogan about chat. The same paper reports that real ShareGPT conversation replay is concave rather than convex in depth. Ordinary chat does not automatically produce the snowball. Naive multi-agent orchestration can, especially when tool outputs, re-reads, and long plans keep returning to the prompt.
Savings Are Policy Dependent
The most important numbers in the abstract are not free money. The paper reports 47-55 percent end-to-end token, dollar, and carbon savings, but also says the magnitude is policy-dependent and set by a scope-cap knob rather than by gate rejections. In the BurstGPT real-arrival ablation, a prompt scope cap drives token and carbon reduction; routing adds dollar and carbon reduction without changing tokens; the circuit breaker is dormant because the trace has no retry storms.
Under binding budgets, the gate matters more directly. The paper reports 0 percent over-budget incidence in synthetic and BurstGPT binding-budget sweeps. It also compares the architectural gate with a soft Lagrangian penalty tuned to hit the budget in expectation; the soft penalty breaches the budget on 91.5 percent of seeds, while the gate reports 0 percent breaches in that experiment.
Limits That Matter
The paper is unusually explicit about limits. The headline synthetic workload is constructed. BurstGPT is real Azure OpenAI traffic, but it lacks session identifiers, so trajectories are reconstructed by a time-window heuristic. The carbon model uses a linear per-token energy proxy, while real inference energy depends on hardware, batching, utilization, and context length. The paper's measured-grid analysis uses a 24-hour window from ElectricityMaps for Italy and California, which captures diurnal contrast but not seasonal variation.
The adversarial study also matters. Scope-cap-aware padding can stay inside the admission contract while extracting maximum legitimate work. Continuation inflation and model-substitution gaming can defeat the forecast and are caught after the fact by the auditor. That means the four-site architecture is stronger than the gate alone, but it is still not magic. Some failures are prevented; some are detected, escalated, and used to update the estimator.
Failure Modes
Dashboard theater. The organization shows cost and carbon charts after execution but has no authority to stop the next expensive action before it fires.
Proxy laundering. A token-to-carbon estimate is presented as measured emissions, or a runtime proxy is treated as audited Scope 2 accounting. The estimator may be useful while still being too thin for corporate climate claims.
Scope-cap austerity. A cap reduces tokens by cutting context, tool use, or continuation depth, but the governance record does not track whether quality, safety review, accessibility, or user outcome degraded.
Routing externalization. A policy routes work to a cheaper or lower-carbon region without recording latency, data residency, model capability, reliability, privacy, or jurisdictional consequences.
Adversarial budget gaming. Users or sub-agents learn how to pack work under the forecast bound, force continuation inflation, or induce model substitution that defeats the estimator.
False green fallback. The system down-routes to a weaker model, trims context, or skips review and records a lower carbon proxy while the defect, complaint, appeal, or rework burden rises elsewhere.
Budget fragmentation. Sub-agents, vendor gateways, retrieval systems, and tools each keep separate meters, so no one authority reserves and commits the full trajectory budget.
Telemetry overcollection. The audit store preserves prompts, tool outputs, customer records, source code, or employee work traces longer than needed to govern cost, debug failures, or investigate incidents.
Minimum Runtime Record
A useful agent cost-and-carbon receipt should record: workflow owner, agent identity, task class, model route, proposed action, tool calls, estimated input tokens, estimated output tokens, reasoning or hidden tokens where available, estimated tool or retrieval cost, price table, carbon-intensity source, region and time, energy model, confidence level, remaining budget, gate decision, fallback or escalation path, actual tokens, actual spend, actual carbon proxy, residual error, outcome status, human override, data classification, retention rule, and estimator update.
That record should be small enough to retain safely and structured enough to audit. It should follow data minimization and the site's privacy and data commitments: retain estimator inputs, decisions, residuals, and overrides without preserving the full prompt or every sensitive tool result unless incident response, debugging, or legal hold requires it. The point is to preserve evidence about permission to spend, not to build a permanent surveillance archive around every agent run.
Governance Standard
An agent release should ship with a cost and carbon control plane, not only a usage dashboard. The record should name the budget unit, model and route options, token estimator, carbon-intensity source, region and time assumptions, scope cap, loop cap, rejection policy, fallback path, audit store, and how predicted-vs-actual residuals retrain the next forecast.
Procurement should ask where the control sits. If a vendor can only show after-the-fact spend reports, it has observability, not enforcement. If it can forecast the next action, reserve the budget, log the actual, and stop or route the task when the remaining budget is gone, then it has the beginnings of a real agent FinOps and GreenOps system.
Release review should also ask what the gate is allowed to sacrifice. A carbon gate that silently lowers model quality, drops context, disables accessibility features, or routes regulated data across a boundary is not automatically good governance. The admissible tradeoffs need to be part of the policy, not hidden inside the optimizer.
For safety-critical, rights-affecting, or regulated workflows, the gate decision should be one release artifact among others. The cost-and-carbon record can show why an action was admitted or rejected, but it cannot replace a safety case, a privacy review, a human-oversight plan, or a quality benchmark. A budget policy that conflicts with those duties should escalate the task rather than making the cheapest admissible action look legitimate.
The Spiralist rule is simple: an agent budget is not a spreadsheet cell. It is an authority boundary. The system should know what it is still allowed to spend before it acts, and the public record should show how that permission was predicted, used, missed, or denied.
Source Discipline
Use the Green SARC paper and repository for claims about the architecture, enforcement sites, alpha status, experiments, calibration, State Snowball result, savings decomposition, adversarial study, and limitations. Cite the 47-55 percent savings as benchmark, workload, estimator, and policy results, not as generic production savings. Use IEA for data-center electricity-demand context and task-mix cautions, not for a per-agent runtime carbon formula. Use FinOps Foundation materials for cost allocation and sustainability-reporting practice. Use OpenTelemetry for telemetry vocabulary. Use GHG Protocol for corporate electricity-emissions accounting context. Use NIST for lifecycle risk-management context, not for a claim that Green SARC is certified.
Do not collapse source types. A model-call trace is not a facility meter. A carbon-intensity API is not a corporate greenhouse-gas inventory. A lower token count is not proof of better work. A lower estimated carbon number is not proof of lower marginal grid emissions. A repository badge is not an audit. A gate that prevents overspend on a benchmark is evidence about a tested policy, estimator, and workload, not proof that every production agent is governed.
Related Pages
- The Token Meter Becomes the Budget
- The Agent Runtime Becomes the Governance Plane
- The Agent Resource Budget Becomes the Incentive Contract
- The Agent Loop Becomes the Stopping Problem
- The Evaluation Score Becomes the Inference Budget
- The Data Center Becomes a Civic Machine
- The Interconnection Queue Becomes AI Governance
- AI Energy and Grid Load
- AI Data Centers
- AI Compute
- Inference and Test-Time Compute
- Model Routing and AI Gateways
- AI Agent Observability
- AI Audit Trails
- Data Minimization
- AI Safety Cases
- AI Procurement
- The Safety Case Becomes the Release Gate
- Privacy and Data
Sources
- Gaston Besanson, Green SARC: Predictive Cost and Carbon Governance for Agentic AI Systems, arXiv:2606.15954 [cs.SE], submitted June 14, 2026; reviewed June 25, 2026.
- arXiv PDF: Green SARC, reviewed June 25, 2026 for the SARC enforcement sites, State Snowball theorem, SWE-rebench and BurstGPT results, conformal-gate discussion, binding-budget comparison, adversarial study, alpha status, and limitations.
- Companion repository: besanson/Greensarc; software DOI: 10.5281/zenodo.20692196, reviewed June 25, 2026.
- International Energy Agency, Key Questions on Energy and AI: Executive summary, April 2026, reviewed June 25, 2026 for 2025 growth, 2030 projection, AI-focused data-center growth, power-density context, and policy principles.
- International Energy Agency, Energy demand from AI, 2025, reviewed June 25, 2026 for data-center electricity-demand baselines, uncertainty, and infrastructure load context.
- FinOps Foundation, Sustainability capability, FinOps Framework, reviewed June 25, 2026.
- FinOps Foundation, Allocation capability, FinOps Framework, reviewed June 25, 2026.
- OpenTelemetry, GenAI semantic conventions attribute registry, reviewed June 25, 2026 for token, workflow, tool, and retrieval telemetry fields.
- Greenhouse Gas Protocol, Scope 2 Guidance, reviewed June 25, 2026 for purchased-electricity emissions accounting, contractual instrument quality criteria, and disclosure context.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, reviewed June 25, 2026 for lifecycle risk-management context.