TL;DR: Access governance is increasingly measured across mixed identity populations, not just named users, according to Cerbos. It settled on monthly active principals as a pricing metric because it better captures the unique identities interacting with authorization, including humans and machines, while preserving predictability for enterprise buyers.
At a glance
What this is: This is a Cerbos podcast recap on pricing an authorization platform, and its key finding is that monthly active principals is a better commercial metric than active users alone because it includes human and machine identities.
Why it matters: It matters to IAM practitioners because pricing and governance models that ignore non-human identities will undercount real access demand, misstate scale, and hide the operational pressure created by service accounts and other machine identities.
👉 Read Cerbos' podcast discussion on pricing authorization for human and machine identities
Context
Authorization pricing becomes a governance signal once an organisation has to account for both human users and machine identities in the same access model. A metric built only around named users undercounts the identities that actually consume policy, audit, and administrative attention, especially when service accounts, workloads, and automated processes are part of the application stack.
Cerbos frames this as a commercial problem, but the underlying issue is identity scope. Once a platform has to govern more than people, the business model, audit model, and entitlement model all start depending on the same question: how many unique identities are interacting with the system, and what kind are they?
For IAM teams, that makes the pricing discussion useful beyond software procurement. It reflects the same structural shift that shows up in NHI programmes: the cost and complexity of access control grow with every additional identity type, not just every additional employee.
Key questions
Q: How should teams count identities when both users and machines access the same system?
A: Count by identity type, not by headcount alone. A practical model separates human users, service accounts, workload identities, and any automated principals that can request access or trigger policy decisions. That approach gives you a truer view of audit load, entitlement volume, and operational support demand than a user-only metric can provide.
Q: Why do non-human identities change the economics of access control?
A: Non-human identities change the economics because they increase the number of policies, reviews, logs, and lifecycle events without increasing headcount in the usual way. That means access governance costs grow with systems and workloads, not only with employees. Teams that ignore this tend to underbudget control work and overestimate their governance capacity.
Q: What do security teams get wrong about usage-based authorization pricing?
A: They often assume API calls or data volume will be easy to forecast and easy to tie back to business value. In practice, identity-based metrics are usually easier to understand because they map to real access populations. The mistake is choosing a billing unit that finance and security cannot both validate.
Q: How do organisations know if their identity metrics are actually useful?
A: A useful metric is one that a security lead, platform owner, and finance team can all calculate the same way without guessing. If it cannot forecast audit load, entitlement growth, or support effort, it is probably too abstract to guide governance or pricing decisions.
Technical breakdown
Why monthly active principals fits mixed identity populations
Monthly active principals is a usage metric based on the number of unique identities that interact with a system over a month, regardless of whether those identities are people or machines. That makes it broader than monthly active users, which only captures human accounts, and more aligned with authorization systems that serve applications, services, and automated workflows as well as employees. In practice, this kind of metric tries to measure policy load rather than just login volume. The useful distinction is that access decisions, audit events, and entitlement complexity all rise with identity diversity, not just with headcount.
Practical implication: measure commercial or operational scale by identity population, not just by employee count.
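One way to derive this metric from authorization decision logs, as an added example that is not Cerbos' code or part of the original post. The log format, the principal kinds (user, service_account, workload, automation) and the sample records are all constructed for illustration; a principal counts once per month however many decisions it triggered, and a denied request still counts as an interaction.

```python
import re
from collections import defaultdict

# Constructed sample authorization-decision log (not real data). The last line is
# deliberately malformed to show that unparsable records are skipped, not counted.
SAMPLE_LOG = """\
2026-05-03T09:12:44Z principal=alice kind=user action=read decision=ALLOW
2026-05-03T09:13:01Z principal=svc-billing kind=service_account action=write decision=ALLOW
2026-05-04T22:40:10Z principal=alice kind=user action=write decision=DENY
2026-05-10T01:00:00Z principal=wl-etl-7 kind=workload action=read decision=ALLOW
2026-05-10T01:00:05Z principal=wl-etl-7 kind=workload action=read decision=ALLOW
2026-05-21T14:05:00Z principal=bob kind=user action=read decision=ALLOW
2026-06-01T00:00:03Z principal=svc-billing kind=service_account action=write decision=ALLOW
2026-06-02T11:11:11Z principal=bot-deploy kind=automation action=execute decision=ALLOW
2026-06-02T11:11:12Z principal=alice kind=user action=read decision=ALLOW
malformed entry with no principal field
"""

# Captures the YYYY-MM prefix of the timestamp plus the principal id and kind.
LINE_RE = re.compile(r"^(?P<month>\d{4}-\d{2})-\S+\s+principal=(?P<id>\S+)\s+kind=(?P<kind>\S+)")


def parse_log(text):
    """Yield (month, principal_id, kind) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("month"), m.group("id"), m.group("kind")


def monthly_active_principals(text):
    """Return {month: {kind: set_of_principal_ids}}. Sets give the 'unique per
    month' semantics of the metric: repeated decisions do not inflate the count."""
    active = defaultdict(lambda: defaultdict(set))
    for month, pid, kind in parse_log(text):
        active[month][kind].add(pid)
    return active


def summarise(active, human_kinds=("user",)):
    """Collapse to counts per month: MAU (human kinds only) versus MAP (all kinds),
    plus the per-kind breakdown that shows where non-human load sits."""
    out = {}
    for month, by_kind in sorted(active.items()):
        counts = {kind: len(ids) for kind, ids in by_kind.items()}
        mau = sum(n for kind, n in counts.items() if kind in human_kinds)
        out[month] = {"by_kind": counts, "mau": mau, "map": sum(counts.values())}
    return out


if __name__ == "__main__":
    for month, stats in summarise(monthly_active_principals(SAMPLE_LOG)).items():
        print(month, stats)
```

On the sample, May 2026 shows 2 active users but 4 active principals, which is the gap a user-only metric hides.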
Open core authorization shifts complexity into the commercial layer
An open core model keeps the authorization engine free while charging for the control plane and enterprise features that make it usable at scale. The technical pattern is common in infrastructure software: the core performs the decisioning, while the higher layer adds audit logs, visibility, workflow, and administrative controls. That separation matters because the commercial layer often contains the features enterprises need once authorization becomes a governance function rather than a developer utility. The architecture also creates a clean boundary for self-hosting, but it pushes the hard questions into how much operational support and central management buyers actually need.
Practical implication: separate policy decisioning from governance controls when evaluating whether NHI or authorization tooling can scale.
Predictable authorization pricing is a control problem, not just a billing problem
Usage-based pricing becomes difficult when the pricing unit does not map cleanly to how customers understand their own environment. API calls and data volume can be too abstract for buyers to forecast, while identity-based metrics are usually easier to reason about because teams already track users, service accounts, and access populations. That is why predictability came through repeatedly in the discussion. The operational parallel is strong for identity governance: if teams cannot count the identities they are responsible for, they cannot forecast audit burden, control sprawl, or entitlement growth with confidence.
Practical implication: choose identity metrics that security and finance teams can both audit and forecast without guesswork.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Monthly active principals is a more honest identity metric than monthly active users. Once machine identities enter the access model, user-only counting stops describing the real governance surface. Service accounts, workloads, and automated actors all create policy decisions, audit burden, and lifecycle overhead, so the relevant unit is the identity that consumes control, not the person who owns the account. Practitioners should treat identity populations as mixed by default.
Authorization pricing reveals the same blind spot that NHI governance keeps encountering. Organisations often build commercial and operational models around the human user as the unit of account, then discover that non-human identities dominate real control complexity. That pattern explains why entitlement reviews, audit logging, and support planning all become harder once machine identities scale. The implication is that access governance cannot remain person-centric if the environment is not.
Identity sprawl becomes visible when a business has to assign a cost to it. Open core pricing forces a company to decide which identity and access capabilities belong in the free layer and which belong in the governed, enterprise layer. That is the same decision IAM teams face when deciding where operational ownership ends and formal governance begins. Practitioners should use pricing debates as a proxy for whether the programme truly understands its own identity surface.
Predictable access economics matter because unpredictable identity growth breaks planning. If teams cannot forecast how many identities they have or how much control overhead each category creates, they will underbudget governance work and overestimate their ability to absorb new workloads. That is especially true where NHI populations are growing faster than human accounts. The practical conclusion is that identity strategy must be built on measurable populations, not assumptions about user count.
From our research:
- Organizations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For a broader identity baseline, see Ultimate Guide to NHIs, Key Challenges and Risks.
What this signals
Identity-led pricing is a useful proxy for identity-led governance. When a platform can only price itself accurately by counting unique identities, it is already telling you that the real unit of control is not a user, but an access-bearing principal. That same logic should shape NHI programmes, because the organisations that can count their identities are usually the ones that can govern them. For context, read the Ultimate Guide to NHIs, Why NHI Security Matters Now.
As more platforms accept that human-only metrics are too narrow, teams should expect their own reporting, chargeback, and entitlement models to become more identity-aware. That shift will expose hidden machine populations that have never been part of human access reviews. The control lesson is straightforward: if you cannot measure the population, you cannot manage the privilege.
For practitioners
- Count identities by actor type, not only by users: break reporting into human users, service accounts, workload identities, and automated principals so access demand reflects the real control surface.
- Map governance overhead to the identities that consume it: track audit events, entitlement reviews, and support tickets against each identity category to see where complexity is actually accumulating.
- Use forecastable identity metrics in procurement and budgeting: choose a unit of measure that finance, security, and platform teams can all calculate without a trial deployment or a custom estimate.
- Separate policy decisioning from governance features in evaluations: assess whether a platform only makes access decisions or also provides the audit, visibility, and lifecycle controls needed for enterprise operation.
Key takeaways
- The article’s central lesson is that authorization programs become harder to govern once machine identities are included in the same accounting model as human users.
- Identity-based scale is more operationally honest than user-only scale because it captures policy load, audit burden, and support demand together.
- Teams should adopt metrics they can forecast, validate, and review across security and finance, or they will continue to undercount real access complexity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Mixed identity populations require inventory and ownership clarity. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must reflect actual identity populations and entitlement sprawl. |
| NIST Zero Trust (SP 800-207) | SC-1 | Zero trust assumes continuous identity verification across all principals. |
Inventory human and machine identities separately and assign ownership before expanding access scope.
Key terms
- Monthly Active Principals: A usage metric that counts the unique identities interacting with a system over a month, including people and machines. It is useful when the access surface includes users, service accounts, workloads, and other non-human principals that all consume policy, audit, and operational capacity.
- Open Core Model: A product structure where a free open source core handles the base function and a paid layer adds enterprise controls, support, or management features. In identity tooling, this often separates decisioning from visibility, audit, and lifecycle governance.
- Identity Population: The full set of identities that can interact with a system, including human users, service accounts, workloads, and automated principals. It is a governance concept, not just a directory count, because each identity type creates a different amount of risk, review effort, and administrative overhead.
Deepen your knowledge
Monthly active principals and identity-led access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building reporting and governance around mixed human and machine populations, it is worth exploring.
This post draws on content published by Cerbos: an episode of The Business of Open Source on pricing authorization for mixed identity populations. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org