TL;DR: Agentic identity and machine-to-machine flows now have formal pricing definitions for Monthly Active Consents, Monthly Active Tokens, and M2M Exchanges, clarifying how consent, token retrieval, and token exchange are counted across MCP, downstream apps, and AI agent connections, according to Descope. The real takeaway is that agentic identity is becoming a governed access layer, not just an integration detail.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern consent-based access in MCP and agentic workflows?
A: Security teams should tie consent to named resources, approved scopes, and accountable owners, then log every consent event as part of the access record.
Q: When does token exchange become a higher-risk identity event?
A: Token exchange becomes higher risk when it changes audience, scope, or downstream trust boundary.
Q: What do IAM teams get wrong about active token use?
A: Teams often focus on where tokens are stored and miss when tokens are fetched and used.
Practitioner guidance
- Map consent events to governable resources Inventory every MCP server, inbound app, and protected API that creates a consent event, then tie each one to an owner, scope policy, and review cadence.
- Separate token storage from active token use Log token retrieval and token usage as distinct events so your teams can see when credentials move from passive storage into operational privilege.
- Review every audience-changing exchange as a privilege event Treat client credentials flows, token exchanges, and access-key swaps as privileged actions that require explicit lifecycle ownership and audit coverage.
What's in the full announcement
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Worked examples for how Monthly Active Consent, Monthly Active Token, and M2M Exchange are counted in specific product flows.
- The pricing logic behind MCP server, outbound app, and access-key scenarios that implementation teams need to model accurately.
- The tier-by-tier unit definitions and examples that finance, platform, and IAM teams would need for internal chargeback planning.
- Concrete guidance on how Descope applies these metering units across AI agent and machine-to-machine authentication paths.
👉 Read Descope's pricing update for the Agentic Identity Hub and M2M auth →
M2M exchanges and agentic identity pricing: what changes for IAM teams?
Explore further
Agentic identity pricing is really an access-governance model in disguise. Once consent, token use, and token exchange are separate metering units, the organisation is implicitly acknowledging three different control points in the identity flow. That aligns with how NHI governance actually works in production: the interesting question is not whether a credential exists, but when it is authorised, retrieved, and transformed into a new audience. Practitioners should treat the pricing model as a map of the control surface, not just of spend.
A question worth separating out:
Q: How can organisations align human IAM and NHI governance for agentic systems?
A: Organisations should use one governance model for approval, scope, review, and revocation across humans, service accounts, and AI agents. Agentic systems should not sit outside existing identity lifecycle processes. If they do, access decisions, recertification, and offboarding will drift into separate exception handling.
👉 Read our full editorial: Descope's pricing shift for agentic identity changes M2M governance