Subscribe to the Non-Human & AI Identity Journal

Monthly Active Token

A Monthly Active Token is a token that is retrieved and used to perform an action during a month. It represents active credential use, not passive storage, so it is a better indicator of operational access than a vault inventory alone.

Expanded Definition

Monthly Active Token is an operational measure of token use, not a vault count. It captures whether a token was retrieved and used during a month, which makes it useful for distinguishing live access from dormant inventory. In NHI programs, that distinction matters because a token can be safely stored yet still create exposure if it remains valid, over-scoped, or widely shared. Guidance varies across vendors on whether MAAT should include failed uses, renewal events, or only successful action execution, so the metric should be defined explicitly in policy before it is used for reporting or lifecycle decisions.

This term sits close to service account activity, API key telemetry, and token lifecycle governance, but it is narrower than generic identity activity. It focuses on credential use as evidence of operational reach across applications, pipelines, and agent workflows. For governance teams, the right question is not just how many tokens exist, but how many are still being exercised in a production month. The most common misapplication is treating every stored token as active, which occurs when vault inventory is used as a proxy for real access without usage telemetry.

For broader access governance context, NIST Cybersecurity Framework 2.0 reinforces the need to know what identities and credentials are actually in use, not merely what is recorded.

Examples and Use Cases

Implementing Monthly Active Token rigorously often introduces telemetry and revocation overhead, requiring organisations to weigh better visibility against the cost of instrumenting every token path.

  • A SaaS platform measures how many OAuth refresh tokens were used in the last 30 days to identify dormant integrations that should be reviewed or revoked.
  • A DevOps team tracks monthly use of API keys across CI/CD jobs, then compares that activity with expected deployment windows to surface overused tokens.
  • An agentic workflow platform records whether an AI agent actually retrieved and used its MCP-related credentials, rather than assuming the token is risky simply because it exists.
  • A security team correlates token activity with offboarding events to find former-employee credentials that are still being exercised, similar to patterns discussed in the Salesloft OAuth token breach.
  • Investigators use monthly activity data to compare real usage against the broader secret-sprawl patterns described in the Guide to the Secret Sprawl Challenge.

In practice, these examples help teams decide whether a token is business-critical, duplicated, or simply forgotten. They also support prioritisation when token fleets are large enough that manual review is no longer reliable.

Why It Matters in NHI Security

Monthly Active Token is important because token activity often reveals the difference between controlled access and hidden attack surface. A token that is used monthly may reflect a legitimate dependency, but it can also indicate overuse, weak rotation discipline, or an application chain that nobody has mapped end to end. NHIMG research shows that 44% of NHI tokens are exposed in the wild, being sent or stored in places like Teams, Jira, Confluence, and code commits, which means activity-based visibility becomes essential for prioritisation. In the same research set, 91% of former employee tokens remain active after offboarding, showing how easily “active” can become “unmonitored.”

For NHI security programs, the metric helps separate dormant credentials from those that need immediate control review, tighter scoping, or automated rotation. It is especially useful when paired with incident response because exposed tokens are often discovered only after misuse has already occurred. When paired with The State of Secrets Sprawl 2026, it becomes clear that activity and exposure are inseparable governance problems. Organisational teams typically encounter the real impact only after a breach review or offboarding investigation, at which point Monthly Active Token becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Token use and exposure map to secret handling and lifecycle control concerns.
NIST CSF 2.0 PR.AA-01 Identity and credential usage should be known and governed for active access.
NIST Zero Trust (SP 800-207) SC-7 Zero trust requires continuous validation of credentials and access paths.

Track token activity, rotate or revoke dormant credentials, and reduce unnecessary exposure paths.