Usage-based pricing exposes the real identity workload in agentic enterprises

At a glance

What this is: This post argues that per-seat pricing no longer matches how identity platforms are used, because non-human identities and agentic workloads now drive most meaningful access activity.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes are increasingly being asked to govern machine and agent activity that seat-based commercial models do not represent well.

👉 Read ConductorOne's blog on why per-seat pricing breaks for agentic identity workloads

Context

Per-seat pricing assumes the primary unit of value is a human user, but modern identity environments are shaped by service accounts, bots, API keys, and AI agents. Once those non-human actors become the main consumers of policy enforcement, access requests, and tool calls, the billing model starts to describe the wrong thing.

For IAM and IGA teams, this is not just a commercial packaging issue. It is a signal that identity governance has become infrastructure-like, where the real workload is measured in actions, entitlements, and delegation events rather than named users.

Key questions

Q: How should security teams price identity platforms when non-human identities drive most activity?

A: They should stop treating named users as the primary pricing unit and instead model consumption by access event, policy action, and tool invocation. That approach fits service accounts, bots, and agents better than seat counts, and it gives security and finance a common view of what the platform is doing.

Q: Why do non-human identities change how identity governance should be measured?

A: Because governance load is created by runtime actions, not only by human logins. When non-human identities outnumber humans and operate continuously, the programme needs metrics for requests, entitlements, and delegated actions so it can see the real workload, not just the user base.

Q: What do teams get wrong about per-seat licensing in agentic environments?

A: They assume cost should follow people even when the value is produced by machines. That misses the operational reality of agentic systems, where access is consumed at machine speed and the governance burden sits in policy enforcement, auditability, and repeated tool use.

Q: How can organisations decide whether to move from seat-based to usage-based identity pricing?

A: Look for evidence that non-human activity is driving access volume, entitlement churn, and policy checks. If those events are more representative of workload than named users, usage-based pricing will usually align better with how the platform is actually consumed.

Technical breakdown

Why seat-based identity pricing breaks for non-human identities

Seat-based pricing is built on a one-to-one assumption between user and value. That breaks when access is consumed by service accounts, bots, and AI agents that do not map cleanly to human licences. In identity systems, the actual unit of work is often a request, entitlement change, policy evaluation, or tool invocation. When those events dominate, pricing by named user understates machine activity and distorts governance decisions.

Practical implication: Practitioners should measure platform consumption by identity event type, not only by licensed headcount.

Why agentic enterprise workloads behave like infrastructure

Agentic identity workloads behave more like infrastructure than classic SaaS usage because they operate continuously, at machine speed, and across many small decisions. That means access governance, policy enforcement, and audit trails are all tied to throughput, not login counts. The important design question becomes how identity platforms account for repeated runtime actions rather than whether a person holds a seat.

Practical implication: Teams should map licence design to runtime actions such as access requests, policy checks, and tool calls.

How usage-based pricing changes governance signals

Usage-based pricing creates a direct signal between actual identity activity and commercial cost. That can expose shelfware, underused modules, and hidden automation patterns that seat-based models obscure. It also makes it easier to align spend with the growth of NHI and agent populations, which is increasingly the true demand driver in enterprise identity estates.

Practical implication: Use consumption data as a governance input when planning NHI and agentic identity adoption.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Per-seat identity pricing is a legacy assumption that fails once non-human identities become the dominant workload. Seat models were designed for human login behaviour, not for service accounts, bots, and agents that generate continuous machine-led access activity. Once those actors outnumber humans, the commercial model stops reflecting governance reality. Practitioners should treat pricing design as a proxy indicator of whether a platform still thinks in human-only terms.

Identity is infrastructure: the meaningful unit is consumption, not headcount. Identity platforms enforce policy in real time, broker delegation, and mediate machine actions, so the operational pattern matches infrastructure billing more than user licensing. That framing matters because it aligns cost with throughput, which is how NHI and agentic estates actually scale. Teams should evaluate whether their identity stack reports and bills in the same units it governs.

Agentic workload growth exposes a named concept: identity workload mispricing. The problem is not just shelfware or bad packaging. It is a structural mismatch between how identity work is produced and how vendors monetise it. When access requests, entitlement changes, MCP tool calls, and AI client connections become the primary activity, pricing by seat obscures both risk and value. Practitioners should expect commercial models to follow workload patterns, or the programme will misread demand.

Usage-based models validate the rise of machine identity governance without waiting for human adoption to catch up. That is the important market signal here. Identity programmes that still centre named users will keep undercounting the systems that create the most operational load. The practitioner takeaway is to govern the estate by actor type and runtime behaviour, then let pricing follow the same logic.

Commercial models are becoming part of the identity control plane. When pricing changes track access events, organisations get a clearer read on how often identity infrastructure is actually exercised. That does not remove governance complexity, but it does make the mismatch between human-centred licensing and machine-centred operations visible. Teams should use that visibility to re-baseline their NHI and agent governance assumptions.

From our research:

• Non-human identities already outnumber humans anywhere from twenty-five to fifty times in the average enterprise, according to Ultimate Guide to NHIs.
• Only 5.7% of organisations have full visibility into their service accounts, which shows how easily machine identity demand can be undercounted.
• For the governance side of that problem, read Guide to the Secret Sprawl Challenge for the operational patterns that seat-based models miss.

What this signals

Identity commercial models are becoming governance signals. When pricing follows actual runtime actions, organisations can see where machine identities and agentic workflows are concentrated, which makes hidden demand harder to ignore. That is especially relevant in estates where non-human identity populations already outnumber humans by 25x to 50x, according to the Ultimate Guide to NHIs.

Identity workload mispricing is the right way to describe the gap this post surfaces. The issue is not simply that seat licensing feels old-fashioned. It is that the unit of charge no longer matches the unit of control, which means procurement, IAM, and finance can all end up reading the same environment differently.

As agentic use grows, practitioners should expect cost reporting, access reporting, and audit reporting to converge around actor type. That shift will make service-account sprawl, delegated automation, and AI client consumption much easier to see, but only if teams stop treating named users as the baseline.

For practitioners

• Map identity spend to runtime activity Track access requests processed, entitlements changed, tool calls, and policy enforcements separately from named-user counts so you can see where non-human workloads dominate.
• Separate human licences from machine consumption Build reporting that isolates service accounts, bots, and AI agents so procurement and governance teams can see which identity populations drive actual platform usage.
• Review usage dashboards for hidden automation Use consumption reporting to find shelfware, repetitive approvals, and unmanaged agent activity that would be invisible in a seat-based model.
• Align chargeback with actor type Tag cost and access events by human, NHI, and agentic actor so finance and security teams share the same operational view of identity demand.

Key takeaways

• Per-seat pricing no longer matches identity reality when non-human actors do most of the work.
• The scale problem is already visible because machine identities outnumber human identities by a wide margin in modern enterprises.
• Practitioners should align governance, reporting, and commercial models to runtime identity consumption, not headcount.

Key terms

• Non-Human Identity: A non-human identity is any machine or software identity that requests, holds, or uses access on behalf of a workload. In practice this includes service accounts, API keys, tokens, certificates, bots, and AI agents. Governance fails when these identities are counted like people instead of managed as runtime actors.
• Usage-based Pricing: Usage-based pricing ties commercial cost to measured activity rather than to a fixed number of named users. In identity programmes, that usually means charging by requests, policy actions, tool calls, or other runtime events. It is a better fit when machine identities generate most of the workload.
• Identity Workload: Identity workload is the total amount of access-related activity a platform must process, including authentication, authorisation, entitlement changes, policy checks, and audit events. It matters because machine and agent populations can create far more demand than seat counts suggest, especially in automated environments.

Deepen your knowledge

Usage-based pricing, machine identity consumption, and agentic governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning identity controls to runtime workload rather than seat counts, it is worth exploring.

This post draws on content published by ConductorOne: Why We Stopped Charging Per Seat. Read the original.