The Default Is Wrong
Snowflake Cortex Code ships with a permissive stance: any user with access can hit any model, including Claude Opus at $15 per million tokens for output. Snowflake's Pierre-Mickaël Chancrin published the counter-pattern this week: set CORTEX_MODELS_ALLOWLIST = 'None' at the account level, then rebuild access through explicit RBAC roles with per-user daily credit limits. If you deployed Cortex Code in Q4 2025 without doing this, you handed junior analysts a corporate Amex with no limit.
The problem compounds when you layer Agentforce or custom Agent Bricks on top of Cortex Code. Agents loop. A poorly scoped agentic SQL generation task can burn 500 credits in an afternoon if it's recursively calling Opus to refine queries. The Snowflake script Chancrin published uses dynamic SQL to walk the role hierarchy and apply CORTEX_CODE_SNOWSIGHT_DAILY_EST_CREDIT_LIMIT_PER_USER per tier: 2 credits for Standard (analysts), 5 for Enhanced (senior devs), 15 for Premium (architects). That's the floor, not a suggestion.
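An added example of the pattern described above (my own sketch, not Chancrin's published script): close the account-wide allowlist, define the three tier roles, and push the per-tier Snowsight daily cap onto every user holding a tier role via dynamic SQL. The role names, the procedure name and the use of ALTER USER to set the parameter are this example's assumptions; the per-role model grants and the separate CLI-side limit are left out because the post does not give their syntax.

```sql
-- Step 1: close the default. No model is reachable account-wide until a role grants it.
ALTER ACCOUNT SET CORTEX_MODELS_ALLOWLIST = 'None';

-- Step 2: one role per tier (role names are this example's choice, not the post's).
CREATE ROLE IF NOT EXISTS CORTEX_CODE_STANDARD;
CREATE ROLE IF NOT EXISTS CORTEX_CODE_ENHANCED;
CREATE ROLE IF NOT EXISTS CORTEX_CODE_PREMIUM;
-- Per-tier model grants would go here; the post does not show that syntax.

-- Step 3: apply the per-tier daily cap to every user directly granted a tier role.
-- Assumption: the parameter can be set with ALTER USER. A user holding two tier
-- roles gets the higher cap (MAX), so a stale Standard grant never silently
-- downgrades an architect, and an accidental Premium grant is visible in the output.
CREATE OR REPLACE PROCEDURE APPLY_CORTEX_CODE_TIER_LIMITS()
RETURNS STRING
LANGUAGE SQL
EXECUTE AS CALLER
AS
$$
DECLARE
  applied INTEGER DEFAULT 0;
  users CURSOR FOR
    SELECT g.grantee_name AS user_name, MAX(t.credit_limit) AS credit_limit
    FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS g
    JOIN (VALUES ('CORTEX_CODE_STANDARD', 2),
                 ('CORTEX_CODE_ENHANCED', 5),
                 ('CORTEX_CODE_PREMIUM', 15)) AS t(role_name, credit_limit)
      ON g.role = t.role_name
    WHERE g.deleted_on IS NULL          -- ignore revoked grants
    GROUP BY g.grantee_name;
BEGIN
  FOR u IN users DO
    -- Dynamic SQL: quote the identifier so mixed-case user names survive.
    LET stmt STRING := 'ALTER USER "' || u.user_name || '" SET '
      || 'CORTEX_CODE_SNOWSIGHT_DAILY_EST_CREDIT_LIMIT_PER_USER = ' || u.credit_limit;
    EXECUTE IMMEDIATE :stmt;
    applied := applied + 1;
  END FOR;
  RETURN 'Applied tier limits to ' || applied || ' users';
END;
$$;

CALL APPLY_CORTEX_CODE_TIER_LIMITS();
```

GRANTS_TO_USERS in ACCOUNT_USAGE lags live grants by up to a couple of hours, so run the procedure on a schedule (or after onboarding batches) rather than expecting a freshly granted user to be capped instantly.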
What This Means for Multi-Cloud Stacks
If you're running Agentforce + Data Cloud with Snowflake as the warehouse and Bedrock or Vertex as the model layer, you have three independent cost surfaces: Salesforce Agentforce credits, Data Cloud query credits, and now Cortex Code LLM credits. Maple sees this every month: a FinTech customer spins up an agentic pipeline that hydrates Data Cloud from Snowflake, calls Cortex Code for anomaly explanations, and feeds summaries back to an Einstein Copilot action. Without governance, that pipeline can cost more than the compute for the underlying ETL.
The Snowflake script is valuable because it forces you to answer: who needs Opus-level reasoning, and for what? In practice, the answer is almost no one. Standard tier (GPT-4o-mini equivalent, Sonnet 3.5 base) handles 80% of SQL generation, debugging, and inline documentation. Premium tier is for schema inference on messy data, complex agentic orchestration, or multi-step reasoning where a cheaper model fails three times and you need it done. Chancrin's script makes that distinction explicit in code, not a Slack thread six weeks later when finance flags the bill.
The Audit Trail You Actually Need
The script also separates Snowsight (UI) limits from CLI limits. That matters because agentic workloads and CI/CD pipelines hit Cortex Code through service accounts, not human users clicking buttons. If your Agent Bricks or Mosaic AI agents are calling Cortex Code via REST, they're subject to the CLI constraint, which the script sets independently. You need both. A human can self-regulate when they see the Snowsight quota warning; an agent will loop until the account-level cap kills it.
Snowflake's RBAC is also the durable audit layer. If compliance asks who had access to Opus in Q1, you grep the role grants, not query logs. That's especially relevant for HealthTech companies under HIPAA, where you need to show least-privilege access to AI-generated PHI summaries. The script builds that from day one.
The hard part is not the script; it's the conversation with the VP of Engineering who wants everyone on Premium because "we're an AI company." The script gives you a falsifiable answer: show me the workload that justifies 15 credits per user per day, or we tier it. Most teams can't.