Use gateway measurement when you need centralised visibility, consistent authentication context, and low-friction instrumentation. Use application measurement when the billable unit depends on business logic, such as tokens processed or images transformed. Most mature systems need both, then reconcile them through a common event pipeline.
Why This Matters for Security Teams
Gateway measurement and application measurement solve different governance problems, and treating them as interchangeable creates blind spots in both cost control and security. Gateways are best when teams need centralised telemetry, a stable enforcement point, and a consistent authentication context across many services. Application measurement is better when the chargeable event is created inside the workload, such as tokens generated, documents transformed, or images processed. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises repeatable governance and measurable outcomes, not just tooling. For NHI-heavy environments, the scale of the problem is easy to underestimate: NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs.
That visibility gap matters because billing, authorisation, and abuse detection all depend on trustworthy identity context. If measurement is only done in the application layer, teams may miss cross-service usage patterns. If it is only done at the gateway, the organisation may fail to capture the true business unit of work. In practice, many security teams encounter billing disputes, quota confusion, and abuse investigations only after usage has already spread across multiple services, rather than through intentional design.
How It Works in Practice
Gateway measurement places the counting and attribution logic at an ingress or service edge, where requests can be normalised before they reach downstream systems. This approach is valuable when the organisation wants consistent access control signals, shared logging, and one place to apply policy. It also reduces implementation friction because teams instrument one control point instead of many. By contrast, application measurement records events where the business logic actually knows what happened, which is critical when the billable unit is not a request but an outcome.
Common examples include:
- Gateway measurement for API calls, tenant quotas, or per-request rate limits.
- Application measurement for tokens processed, media conversions, search indexing, or workflow completions.
- Dual measurement when the gateway tracks request volume and the app tracks actual compute or content units.
For organisations managing NHIs, gateway telemetry should be tied to workload identity, not just IP address or API key presence. Current guidance suggests combining this with policy evaluation at request time, especially in architectures shaped by NIST Cybersecurity Framework 2.0 principles and the operational patterns described in the Ultimate Guide to NHIs. That allows teams to reconcile gateway records with application events in a common pipeline, so finance, security, and engineering can agree on what was used and by whom. These controls tend to break down when workloads are highly asynchronous, because a gateway can see the request but not the true unit of work completed inside queued or fan-out processing.
Common Variations and Edge Cases
Tighter gateway control often increases implementation consistency, but it also adds abstraction, which can obscure the real unit of consumption and create reconciliation overhead. Organisations need to balance the simplicity of centralised measurement against the accuracy of workload-specific accounting. That tradeoff is especially visible in multi-tenant SaaS, AI inference platforms, and event-driven systems where the first request is not the same as the final billable action.
Current guidance suggests using gateway measurement as the default for shared services, then adding application measurement when any of the following are true:
- The request fan-outs into multiple internal operations.
- The cost depends on business logic, not request count.
- The workload runs asynchronously or across queues.
- The application must prove usage for audit, customer billing, or dispute resolution.
Where the environment includes many NHIs, gateway-only measurement can also hide privilege misuse if an identity is reused across services. NHI Mgmt Group’s Ultimate Guide to NHIs is clear that visibility gaps remain common, so measurement should be paired with identity-centric logging rather than network-only telemetry. The practical rule is simple: use the gateway for control and consistency, but move measurement into the application whenever the business event lives there.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Measurement choice should support governance, oversight, and measurable outcomes. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Gateway measurement depends on trustworthy service identity and visibility. |
| NIST AI RMF | AI systems often need usage measurement aligned to business outcomes and risk. |
Bind gateway events to workload identities and review logs for NHI attribution gaps.
Related resources from NHI Mgmt Group
- When should organisations use regional caches instead of a global cache?
- How should organisations decide whether to use secondary DNS?
- How should organisations decide between VPNs and application-level access controls?
- What breaks when organisations use one IAM model for humans and non-human identities?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
