TL;DR: Agentic identity and machine-to-machine flows now have formal pricing definitions for Monthly Active Consents, Monthly Active Tokens, and M2M Exchanges, clarifying how consent, token retrieval, and token exchange are counted across MCP, downstream apps, and AI agent connections, according to Descope. The real takeaway is that agentic identity is becoming a governed access layer, not just an integration detail.
At a glance
What this is: Descope's update formalizes how agentic identity and M2M authentication are measured and priced, with clear units for consent, token use, and token exchange.
Why it matters: It matters because IAM and NHI teams need to understand which access events become billable, governable, and auditable as AI agents and service-to-service flows expand.
👉 Read Descope's pricing update for the Agentic Identity Hub and M2M auth
Context
Agentic identity is the set of access patterns created when AI agents and connected services request, exchange, and use credentials at runtime. The governance problem is not simply authentication, but how consent, token retrieval, and token exchange are counted, controlled, and audited as those actors interact with product APIs, MCP servers, and downstream services.
Descope's pricing update is a useful signal because it turns those abstract flows into explicit metering units. For IAM, NHI, and platform teams, that means the boundary between identity governance and product integration is tightening, especially where agentic systems can move from consent to action in a single transaction.
Key questions
Q: How should security teams govern consent-based access in MCP and agentic workflows?
A: Security teams should tie consent to named resources, approved scopes, and accountable owners, then log every consent event as part of the access record. Consent alone is not governance. It needs lifecycle review, audit visibility, and a clear link to the downstream systems the token can reach.
Q: When does token exchange become a higher-risk identity event?
A: Token exchange becomes higher risk when it changes audience, scope, or downstream trust boundary. At that point, the system is not simply passing a credential along. It is creating a new authorization context, which should be treated as a privileged identity action and reviewed accordingly.
Q: What do IAM teams get wrong about active token use?
A: Teams often focus on where tokens are stored and miss when tokens are fetched and used. Active use is the moment credentials become operational privilege, so that is where audit logs, policy checks, and blast-radius controls need to be strongest. Storage controls alone do not show real exposure.
Q: How can organisations align human IAM and NHI governance for agentic systems?
A: Organisations should use one governance model for approval, scope, review, and revocation across humans, service accounts, and AI agents. Agentic systems should not sit outside existing identity lifecycle processes. If they do, access decisions, recertification, and offboarding will drift into separate exception handling.
How it works in practice
Monthly active consent in MCP and inbound app flows
Monthly Active Consent, or MAC, is a counting model for user-authorised access to a specific resource and scope within a month. In Descope's framing, that resource can be an MCP server or a protected API, and the consent occurs only after the user approves the requested scopes. The technical point is that consent is tied to resource-specific approval events, not to repeated logins or repeated use of the same scopes. That matters because agentic interfaces compress request, approval, and subsequent access into one runtime path, which makes consent metering part of identity governance rather than just billing logic.
Practical implication: map which consent events create durable access paths and ensure those events are logged, reviewable, and tied to scope governance.
Monthly active tokens and downstream credential use
Monthly Active Token, or MATK, tracks when a token is fetched and used to perform an action against a downstream or third-party service. This is the point where a credential vault becomes an operational control plane, because token retrieval is the moment access is converted into action. In agentic workflows, that distinction matters: a user prompt can trigger token use without the user directly handling the downstream system. For IAM and NHI teams, the important technical boundary is not storage, but active retrieval and use, because that is where authorization, audit, and blast radius all converge.
Practical implication: instrument token retrieval events separately from storage events so downstream access can be governed at the moment of use.
M2M exchanges and delegated audience changes
An M2M exchange is any token exchange that results in a new audience or different scopes, such as client credentials, OAuth token exchange, or exchanging an access key for a JWT. Descope also counts policy enforcement for MCP servers and AI agents in this bucket because the exchange is what enables delegation between actors. Technically, the control question is whether the system is issuing a new credential for a new context or simply reusing an existing one. That distinction is central to non-human identity governance because every exchange can widen scope, create a new trust boundary, or make a downstream action possible that was not directly available before.
Practical implication: treat audience-changing exchanges as privileged events and review them as part of both access design and lifecycle governance.
NHI Mgmt Group analysis
Agentic identity pricing is really an access-governance model in disguise. Once consent, token use, and token exchange are separate metering units, the organisation is implicitly acknowledging three different control points in the identity flow. That aligns with how NHI governance actually works in production: the interesting question is not whether a credential exists, but when it is authorised, retrieved, and transformed into a new audience. Practitioners should treat the pricing model as a map of the control surface, not just of spend.
Monthly active token use exposes the difference between stored credentials and active privilege. A token sitting in a vault is not the same governance problem as a token retrieved to perform work. That distinction matters for secrets management, workload identity, and AI agent connections because active use is where auditability, approval, and blast-radius concerns become real. The practical conclusion is that metering models increasingly mirror the control boundaries IAM teams need to enforce.
Audience-changing token exchange is the point where delegation becomes identity risk. Client credentials, token exchange, and access-key swapping all create a new trust context, which means the original identity decision is no longer the whole story. In NHI and agentic AI programmes, this is where least privilege can erode even when the original credential was well governed. Practitioners should recognise that each new audience is a new policy question, not just a technical relay.
Monthly active consent creates a useful boundary for MCP governance, but it does not solve authorisation drift. Consent tells you that a user approved a scope once in a month, not that the downstream use stayed aligned with the original intent. That is the same failure mode IAM teams already see in over-broad delegated access and service-to-service privilege creep. The key conclusion is that consent counting can support governance, but it cannot replace continuous entitlement review.
Descope's model shows how agentic identity is converging with standard NHI lifecycle governance. The same lifecycle questions apply across humans, service accounts, and AI agents: who approved access, who used it, what audience received it, and when it should end. That convergence is where identity programmes need to stop treating agentic flows as a separate side case. Practitioners should unify governance logic across all non-human access paths rather than building a parallel exception process.
What this signals
Agentic identity is moving into the same governance category as service account and workload identity, which means teams should expect consent, token exchange, and downstream access to be reviewed as one lifecycle rather than three separate problems. The organisations that succeed will be the ones that make those events observable before they become billing, audit, or incident-response blind spots.
Identity exchange debt: when a system creates repeated audience-changing token exchanges without a clear lifecycle owner, governance cost accumulates faster than the security team can classify it. That is the hidden risk in agentic workflows that look simple at the interface layer but multiply trust relationships underneath.
For practitioners, the near-term signal is not whether agentic identity is mainstream, but whether access models can absorb it without creating a separate policy island. Teams that already struggle with service account sprawl should assume the same failure patterns will reappear faster when AI agents start driving credential use.
For practitioners
- Map consent events to governable resources Inventory every MCP server, inbound app, and protected API that creates a consent event, then tie each one to an owner, scope policy, and review cadence.
- Separate token storage from active token use Log token retrieval and token usage as distinct events so your teams can see when credentials move from passive storage into operational privilege.
- Review every audience-changing exchange as a privilege event Treat client credentials flows, token exchanges, and access-key swaps as privileged actions that require explicit lifecycle ownership and audit coverage.
- Unify governance across human, machine, and agent flows Use one access model for consent, token exchange, and recertification so agentic workflows do not become an exception path outside existing IAM and NHI controls.
Key takeaways
- Descope's update is best read as an identity governance signal, because it defines separate control points for consent, token use, and token exchange.
- Agentic workflows expand the number of moments where access becomes active privilege, which makes auditability and lifecycle ownership more important than simple credential storage.
- IAM and NHI teams should govern agentic identity in the same lifecycle model they already use for other non-human access paths, or risk building a parallel exception process.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Covers agentic identity risks and token-driven delegation patterns in AI workflows. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Token exchange and credential use are core non-human identity governance concerns. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The post hinges on access decisions, least privilege, and continuous verification at runtime. |
Treat token retrieval and audience changes as NHI events and enforce lifecycle ownership for each credential.
Key terms
- Monthly Active Consent: A Monthly Active Consent is a count of how many unique users approve access to a specific resource and scope during a month. In agentic identity, it marks the approval event that allows an MCP client or protected API to act on behalf of a user.
- Monthly Active Token: A Monthly Active Token is a token that is retrieved and used to perform an action during a month. It represents active credential use, not passive storage, so it is a better indicator of operational access than a vault inventory alone.
- Machine-to-Machine Exchange: A machine-to-machine exchange is a credential swap that produces a new audience or different scopes, such as client credentials or token exchange. It is the point where delegated access becomes a new authorization context and therefore a governance concern.
- Agentic Identity: Agentic identity is the set of identity and access patterns used by AI agents when they request, exchange, and use credentials during runtime. It sits between classic machine identity and autonomous behaviour, and it requires governance over consent, delegation, and downstream scope.
What's in the full announcement
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Worked examples for how Monthly Active Consent, Monthly Active Token, and M2M Exchange are counted in specific product flows.
- The pricing logic behind MCP server, outbound app, and access-key scenarios that implementation teams need to model accurately.
- The tier-by-tier unit definitions and examples that finance, platform, and IAM teams would need for internal chargeback planning.
- Concrete guidance on how Descope applies these metering units across AI agent and machine-to-machine authentication paths.
👉 Descope's full post breaks down the MAC, MATK, and M2M exchange examples in implementation detail.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org