A pricing model that charges by the number of identities using a platform, rather than by stored secrets or underlying infrastructure. In secrets management, the identity may be a human user, service account, API key, bot, or CI/CD runner that consumes the service.
Expanded Definition
Identity-based pricing charges according to the number of identities that consume a platform, not by the volume of stored secrets or the size of the underlying infrastructure. In NHI and secrets-management programs, that identity can be a human user, service account, API key, bot, or CI/CD runner that authenticates to the service. The model is attractive because it maps cost to operational usage, but it also changes how teams think about onboarding, offboarding, and entitlement growth.
Definitions vary across vendors on whether an “identity” includes ephemeral workloads, nested service principals, or machine accounts created by automation. That ambiguity matters because pricing can influence architecture decisions, especially when engineering teams split workloads to reduce count-based spend. NHI Management Group treats the term as a billing construct, not a security control, even though it directly affects the economics of visibility and rotation. The most common misapplication is counting only named human users, which occurs when machine identities are excluded from procurement, forecasting, and renewal planning.
Examples and Use Cases
Implementing identity-based pricing rigorously often introduces forecasting friction, requiring organisations to weigh budget predictability against fairer cost allocation as identity populations change.
- A secrets platform bills separately for each service account and CI/CD runner that stores or retrieves credentials, so finance can attribute cost to application teams instead of shared infrastructure.
- A security team compares the pricing impact of onboarding all ephemeral automation identities against the operational benefit of centralized rotation and audit logging, using guidance from the Ultimate Guide to NHIs.
- A cloud-native engineering group tracks bot identities as first-class consumers because ignoring them would undercount real usage and create a hidden expense when access is later formalized.
- Procurement validates whether vendor counts include keys, workload identities, and federated agents, then maps those terms against the NIST Cybersecurity Framework 2.0 to keep the purchase aligned with governance expectations.
- During a platform trial, a team estimates how the bill changes when dozens of short-lived deployment identities are added, then reviews the findings against the patterns documented in the Top 10 NHI Issues.
Why It Matters in NHI Security
Identity-based pricing matters because it can either encourage accurate NHI governance or quietly discourage it. If a platform becomes more expensive as identities are discovered, organisations may delay inventory work, suppress visibility, or leave service accounts unmanaged to avoid cost spikes. That creates a direct security blind spot, especially because NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs by NHI Mgmt Group. In practice, the billing model can shape whether teams properly account for secrets, API keys, bots, and automation pathways.
This becomes especially important when incidents expose how many identities were never fully tracked in the first place. The 52 NHI Breaches Analysis shows how quickly unmanaged machine access turns into material exposure, while the same underlying pattern often appears in leaked tokens and forgotten runners. Security leaders should therefore treat pricing conversations as governance conversations, not only commercial ones. Organisations typically encounter the true operational cost only after a breach, audit, or renewal shock reveals the number of identities that had been left outside formal control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity scope and inventory accuracy affect how NHI consumers are counted and governed. |
| NIST CSF 2.0 | GV.PO-1 | Pricing policy decisions influence governance, inventory, and accountability for identities. |
| NIST Zero Trust (SP 800-207) | Zero Trust depends on knowing and controlling every identity that can request access. |
Classify every human and machine identity before procurement so billing and control scope match reality.
Related resources from NHI Mgmt Group
- How can organisations decide whether to move from seat-based to usage-based identity pricing?
- Why are identity-based attacks growing faster than traditional network attacks?
- What is the difference between network detection and identity-based discovery for AI agents?
- Why are identity-driven attacks harder to detect than malware-based attacks?