Subscribe to the Non-Human & AI Identity Journal

Customer acquisition cost

Customer acquisition cost is the total spend required to turn a prospect into a paying customer. In identity-heavy flows, it includes marketing, onboarding friction, manual review, and abandonment losses, so it is affected by both product design and security controls.

Expanded Definition

Customer acquisition cost, or CAC, is the full cost of converting a prospect into a paying customer. In identity-heavy journeys, that total includes media spend, sales effort, onboarding review, verification steps, abandoned sign-ups, and the operational drag created by security controls that are too strict or too manual.

For NHI security and agentic AI environments, CAC is not only a marketing metric. It also reflects whether identity proofing, access approval, and onboarding workflows are aligned with risk tolerance. The tighter the control environment, the more likely CAC will rise if teams add repeated verification, human review, or exceptions that slow conversion. That is why CAC must be read alongside access governance, not just growth dashboards.

Definitions vary across vendors when AI agents, service accounts, or machine-initiated onboarding are involved, because some teams count only commercial marketing costs while others include technical and compliance overhead. NIST SP 800-53 Rev. 5 provides a useful control baseline for understanding how access, verification, and audit requirements can affect acquisition workflows without weakening security. The most common misapplication is treating CAC as a pure sales metric, which occurs when security, onboarding, and identity verification costs are excluded from the conversion path.

Examples and Use Cases

Implementing CAC rigorously often introduces friction between conversion speed and assurance, requiring organisations to weigh growth efficiency against fraud resistance and governance quality.

  • A SaaS provider adds step-up verification for enterprise sign-ups, increasing CAC slightly but reducing fake accounts and later support burden.
  • An API platform routes high-risk registrations through manual review, which raises onboarding cost but prevents low-trust service accounts from entering production.
  • A product team simplifies self-service access to reduce abandonment, then compensates with stronger post-registration monitoring and secret handling controls.
  • An enterprise compares paid-acquisition cost against the cost of identity proofing, because repeated failed onboarding attempts can make a “cheap” channel expensive in practice.
  • A governance team uses the Ultimate Guide to NHIs to benchmark how service-account sprawl and weak lifecycle management can increase downstream acquisition and support costs.

For control design, NIST guidance on access and auditability helps teams distinguish necessary friction from unnecessary friction. In practice, CAC becomes a more accurate planning tool when the organisation counts onboarding checks, exception handling, and abandonment loss as part of the customer journey instead of treating them as separate overhead lines.

Why It Matters in NHI Security

CAC matters in NHI security because poor identity design often creates hidden acquisition costs that only appear after scale, incidents, or churn. When service accounts, tokens, or API keys are difficult to provision safely, teams either slow down growth or bypass controls. Both outcomes are expensive. NHIMG research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which means insecure onboarding and weak secret handling can turn acquisition efficiency into later remediation cost. The Ultimate Guide to NHIs also notes that 96% of organisations store secrets outside secrets managers, a pattern that inflates risk and often leads to manual controls that further increase CAC.

Good practice is to reduce avoidable identity friction while preserving assurance, using controls from NIST SP 800-53 Rev 5 Security and Privacy Controls as the governing baseline. Organisations typically encounter the real cost of CAC only after onboarding failures, fraud events, or secret exposure force them to rebuild the customer journey, at which point the term becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Identity proofing and access decisions shape CAC in risk-based onboarding.
NIST SP 800-63 IAL2 Identity assurance levels influence how much verification cost is added to acquisition.
NIST Zero Trust (SP 800-207) No single control ref Zero Trust pushes continuous verification that can affect acquisition workflow cost.
OWASP Non-Human Identity Top 10 NHI-02 Secret handling errors drive downstream cost and increase acquisition friction.
NIST AI RMF GOVERN Governance requires balancing business value, risk, and operational cost in AI-enabled journeys.

Reduce onboarding friction without weakening access checks by tuning identity controls to risk.