
Monthly Active Principals

A usage metric that counts the unique identities interacting with a system over a month, including people and machines. It is useful when the access surface includes users, service accounts, workloads, and other non-human principals that all consume policy, audit, and operational capacity.

Expanded Definition

Monthly Active Principals is a capacity and exposure metric for NHI environments: it counts the unique identities that authenticate, execute, or receive policy decisions within a month, across both people and machines. In practice, it is broader than a user-only “monthly active users” count because it includes service accounts, workloads, APIs, bots, and other non-human principals that consume entitlements, logs, secrets, and review effort.

Because no single standard governs this term yet, usage in the industry is still evolving. Some teams count only principals that successfully authenticate; others include any principal that is granted policy coverage or appears in audit events. For NHI governance, the metric is most useful when paired with identity type, privilege tier, and business owner so that activity can be interpreted rather than merely tallied. It aligns naturally with guidance in the NIST Cybersecurity Framework 2.0, which emphasizes inventory, access control, and continuous monitoring across the identity surface.

The most common misapplication is treating Monthly Active Principals as a proxy for entitlement quality, which occurs when teams use the count without separating human users from machine identities or checking whether dormant accounts remain provisioned.

Examples and Use Cases

Implementing Monthly Active Principals rigorously often introduces reporting complexity, requiring organisations to weigh better visibility against the cost of identity normalization across directories, cloud accounts, and CI/CD systems.

  • A platform team tracks all principals that touched production in the last 30 days, then separates humans from service accounts to reveal hidden NHI sprawl and ownership gaps.
  • A security operations team uses the metric to estimate review load before quarterly access certification, especially where service accounts and API keys create a large audit footprint.
  • An engineering leader compares monthly active principals before and after workload automation to see whether bot consolidation actually reduced identity surface area.
  • An incident responder uses the count to identify which principals were active during a suspicious window, then prioritizes review of privileged machine identities first.
  • A governance team benchmarks the metric against the lifecycle guidance in the Ultimate Guide to NHIs and validates whether high activity correlates with unmanaged secrets or stale access.

For implementation semantics, teams often compare the metric with identity telemetry and workload inventory guidance from the NIST Cybersecurity Framework 2.0, then define whether “active” means authenticated, authorized, or merely observed in logs.
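As an added example (not code from the page or the journal), the following Python computes the metric from constructed audit events under the three definitions of “active” discussed above (authorized, authenticated, observed), breaks the count down by identity type and privilege tier as the Expanded Definition recommends, and lists principals that are provisioned but dormant. The event schema, identity names, and the inventory are assumptions.

```python
from collections import defaultdict

# Constructed audit events (assumed schema, not from the page): one row per principal action
# in a 30-day window. outcome is "authorized" (policy decision granted access),
# "authenticated" (logon succeeded) or "observed" (appeared in logs only, e.g. a failed logon).
EVENTS = [
    {"principal": "alice", "type": "human", "tier": "standard", "outcome": "authorized", "day": 3},
    {"principal": "alice", "type": "human", "tier": "standard", "outcome": "authorized", "day": 17},
    {"principal": "svc-billing", "type": "service_account", "tier": "privileged", "outcome": "authenticated", "day": 5},
    {"principal": "ci-runner-7", "type": "workload", "tier": "privileged", "outcome": "authorized", "day": 12},
    {"principal": "bot-legacy", "type": "bot", "tier": "standard", "outcome": "observed", "day": 20},
    {"principal": "svc-billing", "type": "service_account", "tier": "privileged", "outcome": "authenticated", "day": 29},
]

# Constructed inventory of provisioned principals; two of them never appear in EVENTS.
INVENTORY = {"alice": "human", "svc-billing": "service_account", "ci-runner-7": "workload",
             "bot-legacy": "bot", "svc-old-export": "service_account", "bob": "human"}

# Each definition of "active" admits a set of outcomes; "observed" is the loosest, "authorized" the strictest.
ACTIVE_DEFINITIONS = {
    "authorized": {"authorized"},
    "authenticated": {"authorized", "authenticated"},
    "observed": {"authorized", "authenticated", "observed"},
}

def monthly_active_principals(events, definition="authenticated"):
    """Count unique principals active under `definition`; return (total, by_type, by_tier)."""
    allowed = ACTIVE_DEFINITIONS[definition]
    seen = {e["principal"]: (e["type"], e["tier"]) for e in events if e["outcome"] in allowed}
    by_type, by_tier = defaultdict(int), defaultdict(int)
    for kind, tier in seen.values():
        by_type[kind] += 1
        by_tier[tier] += 1
    return len(seen), dict(by_type), dict(by_tier)

def dormant_principals(events, inventory):
    """Provisioned principals with no activity even under the loosest definition: review candidates."""
    active = {e["principal"] for e in events if e["outcome"] in ACTIVE_DEFINITIONS["observed"]}
    return sorted(p for p in inventory if p not in active)

def nhi_share(by_type):
    """Fraction of active principals that are non-human (everything except type 'human')."""
    total = sum(by_type.values())
    return 0.0 if total == 0 else (total - by_type.get("human", 0)) / total

if __name__ == "__main__":
    for definition in ACTIVE_DEFINITIONS:
        total, by_type, by_tier = monthly_active_principals(EVENTS, definition)
        print(f"{definition:>13}: {total} active, {nhi_share(by_type):.0%} non-human, by tier {by_tier}")
    print("dormant but provisioned:", dormant_principals(EVENTS, INVENTORY))
```

Running it shows how the headline number moves from 2 to 4 depending only on which definition of “active” the team adopts, which is why the definition must be fixed before the metric is compared across teams or months.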

Why It Matters in NHI Security

Monthly Active Principals matters because the identity surface in modern enterprises is dominated by machines, and unmanaged growth quickly becomes an access, audit, and remediation problem. NHIMG research shows that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means a small change in machine identity activity can create a large shift in operational burden. That is why the metric is useful for forecasting secret rotation work, access review volume, and policy drift before they become incident-response tasks. The Ultimate Guide to NHIs also reports that only 5.7% of organisations have full visibility into their service accounts, making active-principal counts an important approximation until authoritative inventory is in place.

Used well, the metric helps leaders distinguish genuine business automation from identity sprawl caused by duplicated workloads, abandoned integrations, or overprovisioned secrets. Used poorly, it can hide risk by rewarding volume rather than control quality. Organisations typically encounter the true cost of Monthly Active Principals only after an outage, breach review, or failed access recertification, at which point addressing the metric becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
--------------------------------|---------------------|--------------------------------------------------------------------------------------
OWASP Non-Human Identity Top 10 | NHI-01              | Identity inventory and visibility are core to counting active non-human principals.
NIST CSF 2.0                    | PR.AC-1             | Access control programs depend on knowing which principals are active and authorized.
NIST Zero Trust (SP 800-207)    | JA.1                | Zero Trust requires continuous identity-aware evaluation of every active principal.

Apply continuous verification to all monthly active principals, including service and workload identities.