GitHub readies usage billing, Copilot Max
- GitHub published April usage reports to prepare customers for usage-based billing via AI credits and clearer AI consumption metrics.
- The company also revised Copilot individual plans with flex allotments for Pro and Pro+, and will launch a new Max tier on June 1.
- The moves make AI costs visible for customers and coincide with a reported Copilot/Visual Studio injection vulnerability (CVE-2026-41109).

(github.blog) (github.blog) (thehackerwire.com)

GitHub is doing two things at once with Copilot. It is making AI usage much more visible, and it is giving heavy users a more expensive place to go. That matters because Copilot is no longer a flat-fee helper sitting quietly in the editor — it is turning into a metered AI service with real compute costs behind every chat, agent run, and model choice. The timing is awkward, too, because a newly published vulnerability tied to Copilot and Visual Studio Code just reminded everyone that more AI in the dev workflow also means more security surface. (github.blog)

### What changed this week?

On May 12, GitHub said enterprise admins can now download April usage reports showing how Copilot activity maps to GitHub AI Credits. Those credits become the new billing unit on June 1, 2026. The point is simple — GitHub wants customers to see the meter before the meter starts charging. (github.blog)

The same day, GitHub also reset its individual Copilot lineup. Starting June 1, the plans will be Free, Pro, Pro+, and a new Max tier. GitHub says Pro and Pro+ will keep the same prices but include more total usage through “flex allotments,” while Max is meant for sustained, high-volume use. (github.blog)

### What are AI credits, really?

Basically, GitHub is replacing a simpler request-count model with something closer to cloud billing. Instead of treating one premium request as one unit, usage will be calculated from token consumption — input, output, and cached tokens — using model-specific API rates. That means the cost of asking Copilot something depends more directly on how much model work you actually consume. (github.blog)

That is a big philosophical shift. Flat-ish pricing is easy to understand but bad at reflecting how wildly different AI workloads can be. A short autocomplete and a long agentic coding session do not cost the same to run. GitHub is now saying the bill should show that difference. (github.blog)

### Why do the April reports matter?

Because they are a dress rehearsal. Enterprises can look at April behavior and estimate what June billing may feel like before money is attached. That gives admins a chance to spot teams, tools, or workflows that are likely to burn through credits fast. It also helps with the unglamorous part — budgeting, internal chargebacks, and deciding whether some developers need guardrails. (github.blog)

There is also a practical detail here. GitHub had already been changing the infrastructure around Copilot usage reports, including moving report download URLs to a GitHub-owned domain to make allowlisting easier for enterprise customers. That tells you these reports are becoming a core billing and operations surface, not a side dashboard. (github.blog)

### Why add a Max tier now?

Turns out GitHub already hinted that demand was breaking the old shape of the product. In April, it paused some new sign-ups for paid individual plans and tightened limits, saying agentic workflows had fundamentally changed Copilot’s compute demands. Max looks like the release valve — a plan for users who were pushing beyond what Pro and Pro+ could comfortably absorb. (github.blog)

So the new lineup is not just marketing. It is segmentation. Light users stay on Free. Regular paid users get more room through flex allotments. Power users get moved to a higher ceiling — and likely a clearer bill. (github.blog)

### Where does the security story fit?

A CVE published on May 12, 2026 — CVE-2026-41109 — describes an injection flaw in GitHub Copilot and Visual Studio Code that can let an unauthorized attacker bypass a security feature over a network. The listed severity is high, with a CVSS score of 8.8. The bug is described as improper neutralization of special elements in output used by a downstream component. (cvefeed.io)

The catch is that this is not directly part of the billing change. But it lands in the same moment, and that matters. As Copilot becomes more deeply embedded in coding, review, and agent workflows, buyers are being asked to think about two things at once — how much AI costs and how much new operational risk it introduces. (github.blog)

### So what is the real story?

GitHub is turning Copilot into a more explicit utility. You can see usage. You can estimate spend. You can buy more headroom if you are a heavy user. That makes the business model more sustainable for GitHub, but it also makes Copilot feel less like a bundled perk and more like cloud infrastructure for software teams. (github.blog)

The bottom line is that June 1 looks like the real pivot. That is when GitHub’s AI meter goes live, the plan lineup changes, and customers find out whether Copilot still feels cheap once every token has a price. (github.blog)