diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 8af8d8a..5f295bd 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -415,7 +415,8 @@ resource "aws_iam_role_policy_attachment" "compliance_reporter_logs" {
 # --- resource-tagger role ---
 resource "aws_iam_role" "resource_tagger" {
- name = "${var.project}-resource-tagger"
+ name = "${var.project}-resource-tagger"
+ permissions_boundary = "arn:aws:iam::${var.aws_account_id}:policy/${var.project}-developer-boundary"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
@@ -944,7 +945,8 @@ resource "aws_sns_topic_policy" "budget_enforcement" {
 # --- budget-enforcer role ---
 resource "aws_iam_role" "budget_enforcer" {
- name = "${var.project}-budget-enforcer"
+ name = "${var.project}-budget-enforcer"
+ permissions_boundary = "arn:aws:iam::${var.aws_account_id}:policy/${var.project}-developer-boundary"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
index 40e80ab..c75ed42 100644
--- a/terraform/platform/monitoring/main.tf
+++ b/terraform/platform/monitoring/main.tf
@@ -501,8 +501,13 @@ resource "aws_dynamodb_table" "alert_dedup" {
 # Cost Allocation Tags
 ################################################################################
+# Cost allocation tags must exist on at least one billed resource before
+# activation. Tags are added in phases:
+# Phase 1 (now): team, service, environment, managed-by — already on resources
+# Phase 2 (after first apply with new tags): repo
+# Phase 3 (after resource-tagger runs): created-by, commit
 resource "aws_ce_cost_allocation_tag" "tags" {
- for_each = toset(["team", "service", "repo", "environment", "managed-by", "created-by", "commit"])
+ for_each = toset(["team", "service", "environment", "managed-by"])
 tag_key = each.key
 status = "Active"
 }
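Review bot: The new `permissions_boundary` on `aws_iam_role.resource_tagger` (and the identical line in the `budget_enforcer` hunk) builds the policy ARN by string interpolation from `var.aws_account_id`, so Terraform has no dependency edge to the boundary policy itself; IAM, as far as I know, rejects CreateRole/UpdateRole when the boundary ARN does not resolve to an existing policy, so a fresh account or an apply ordered before the boundary is created fails at apply time with nothing caught at plan. Referencing the boundary policy's `arn` attribute (or a `data "aws_iam_policy"` lookup) makes the ordering explicit and drops the hand-built account id; at minimum hoist the string, duplicated in both hunks, into one local such as `local.developer_boundary_arn` (proposed name). A short comment is also worth adding, e.g. `# Boundary caps, never grants: the developer boundary must allow every action this role's attached policies use.`, because a boundary that omits the tagging or budget actions these roles need turns into AccessDenied for the Lambdas after this apply rather than a plan-time error. Both role bodies continue past their hunks.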
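Review bot: Shrinking the `for_each` set of `aws_ce_cost_allocation_tag.tags` to four keys removes the `repo`, `created-by` and `commit` instances from state, and the phase plan in the new comment has nothing behind it: each later phase is another edit to this literal with no place to record which phase an environment is in. A `variable "cost_allocation_tag_keys"` (proposed name) with this four-key list as its default would turn phases 2 and 3 into a tfvars change, and the comment should name the resource expected to carry `repo` so the "after first apply with new tags" precondition can actually be checked before the key is re-added. I believe the provider implements destroy of this resource by setting the key to `Inactive` rather than deleting anything, which is presumably harmless if those three keys never activated, but that is worth confirming in the plan output before applying.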