
Monthly active principals for access control pricing: what IAM teams should note


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Access governance is increasingly measured across mixed identity populations, not just named users, according to Cerbos. It settled on monthly active principals as a pricing metric because it better captures the unique identities interacting with authorization, including humans and machines, while preserving predictability for enterprise buyers.

NHIMG editorial — based on content published by Cerbos: an episode of The Business of Open Source on pricing authorization for mixed identity populations

Questions worth separating out

Q: How should teams count identities when both users and machines access the same system?

A: Count by identity type, not by headcount alone.

Q: Why do non-human identities change the economics of access control?

A: Non-human identities change the economics because they increase the number of policies, reviews, logs, and lifecycle events without increasing headcount in the usual way.

Q: What do security teams get wrong about usage-based authorization pricing?

A: They often assume API calls or data volume will be easy to forecast and easy to tie back to business value.

Practitioner guidance

  • Count identities by actor type, not only by users. Break reporting into human users, service accounts, workload identities, and automated principals so access demand reflects the real control surface.
  • Map governance overhead to the identities that consume it. Track audit events, entitlement reviews, and support tickets against each identity category to see where complexity is actually accumulating.
  • Use forecastable identity metrics in procurement and budgeting. Choose a unit of measure that finance, security, and platform teams can all calculate without a trial deployment or a custom estimate.

What's in the full article

Cerbos' full podcast discussion covers the pricing and product decisions this post intentionally leaves for the source:

  • How the commercial layer was separated from the open source authorization core
  • Why the team chose monthly active principals over API calls or data volume
  • The enterprise feedback that shaped audit logs, visibility, and support features
  • The pricing trade-offs behind predictable billing for larger customers

👉 Read Cerbos' podcast discussion on pricing authorization for human and machine identities →
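
As an added example (not from this post, and not Cerbos' own code), the script below computes the metric the guidance describes from a constructed set of authorization decision records: monthly active principals (MAP) broken down by actor type, next to monthly active users (MAU), plus the audit events each actor type generates. The principal identifier formats used to classify actor types (SPIFFE URIs, `svc-` and `bot:` prefixes, e-mail addresses) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of authorization decisions: (timestamp, principal id).
# Each record is one audit event; identifier formats are assumed conventions.
DECISIONS = [
    ("2024-03-02T09:00:00", "alice@example.com"),
    ("2024-03-05T10:00:00", "alice@example.com"),
    ("2024-03-05T11:00:00", "bob@example.com"),
    ("2024-03-06T02:00:00", "svc-billing"),
    ("2024-03-07T04:00:00", "spiffe://example.org/ns/prod/sa/api"),
    ("2024-03-07T04:05:00", "spiffe://example.org/ns/prod/sa/worker"),
    ("2024-03-08T00:30:00", "bot:nightly-report"),
    ("2024-04-01T09:00:00", "alice@example.com"),
    ("2024-04-02T02:00:00", "svc-billing"),
    ("2024-04-02T04:00:00", "spiffe://example.org/ns/prod/sa/api"),
]

# Assumed naming conventions mapping identifier prefixes to actor types.
PREFIXES = (("spiffe://", "workload"), ("svc-", "service_account"), ("bot:", "automated"))


def classify(principal):
    """Return the actor type of a principal; e-mail-shaped ids count as humans."""
    for prefix, kind in PREFIXES:
        if principal.startswith(prefix):
            return kind
    return "human" if "@" in principal else "unknown"


def monthly_summary(records):
    """Per month: MAU (humans only), MAP (all actor types), and distinct
    principals plus decision/audit events per actor type."""
    principals = defaultdict(lambda: defaultdict(set))
    events = defaultdict(lambda: defaultdict(int))
    for ts, principal in records:
        month, kind = datetime.fromisoformat(ts).strftime("%Y-%m"), classify(principal)
        principals[month][kind].add(principal)  # distinct identities per type
        events[month][kind] += 1                # governance load per type
    return {
        month: {
            "mau": len(by_type.get("human", ())),
            "map": sum(len(ids) for ids in by_type.values()),
            "principals_by_type": {k: len(v) for k, v in by_type.items()},
            "events_by_type": dict(events[month]),
        }
        for month, by_type in principals.items()
    }


if __name__ == "__main__":
    print(monthly_summary(DECISIONS))
```

On the sample data MAU for March is 2 while MAP is 6, which is the gap between headcount and governance surface the post is describing.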

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Monthly active principals is a more honest identity metric than monthly active users. Once machine identities enter the access model, user-only counting stops describing the real governance surface. Service accounts, workloads, and automated actors all create policy decisions, audit burden, and lifecycle overhead, so the relevant unit is the identity that consumes control, not the person who owns the account. Practitioners should treat identity populations as mixed by default.

A few things that frame the scale:

  • Organizations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: How do organisations know if their identity metrics are actually useful?

A: A useful metric is one that a security lead, platform owner, and finance team can all calculate the same way without guessing. If it cannot forecast audit load, entitlement growth, or support effort, it is probably too abstract to guide governance or pricing decisions.

👉 Read our full editorial: Cerbos pricing shows why monthly active principals fit identity governance


