We store user information in the api_user table which is linked to the api_customer table. If a user with cross-account access makes a request to cost management, we look up their user in the api_user table and then grab their org/account from the api_customer table. This info will not correlate to the cross-account customer.

Instead, we should only utilize the org/account that comes from the request itself.

Maybe we should consider removing the user table entirely.