
Capacity market

By NHI Mgmt Group Updated June 12, 2026 Domain: Governance, Ownership & Risk

A capacity market is a system where compute or usage rights are priced, allocated, and transferred through market mechanisms. For identity teams, it introduces governance questions around entitlement ownership, concentration, and auditability that do not exist in fixed-access models.

Expanded Definition

In NHI governance, a capacity market is a control model where compute, quota, or usage rights are treated as allocable assets that can be priced, transferred, or reassigned across teams and workloads. The concept overlaps with cloud scheduling, internal chargeback, and delegated provisioning, but it is broader because entitlement ownership becomes a first-class governance question rather than an implementation detail. Definitions vary across vendors, and no single standard governs this yet, so practitioners should treat the term as an organisational operating model rather than a fixed product category. Under the NIST Cybersecurity Framework 2.0, this kind of allocation touches asset governance, access control, and auditability, especially when entitlements are portable or pooled. NHI Management Group frames this as a visibility and ownership problem as much as a capacity problem, because the same control plane that allocates rights can also obscure who effectively controls them. The most common misapplication is treating purchased capacity as equivalent to durable entitlement ownership, which occurs when teams assume transferability removes the need for revocation and review.

For broader NHI context, see Ultimate Guide to NHIs — The NHI Market and the NIST Cybersecurity Framework 2.0.

Examples and Use Cases

Implementing a capacity market rigorously often introduces entitlement fragmentation, requiring organisations to weigh faster allocation and better utilisation against stronger audit, billing, and revocation overhead.

  • An internal platform team sells burstable build minutes to product squads, with each squad able to reassign quota across CI pipelines, but every transfer must remain attributable for audit.
  • A data science group purchases GPU capacity from a shared pool, then temporarily grants workload access to an AI agent; the governance challenge is ensuring the grant expires when the experiment ends.
  • A multi-tenant SaaS operator allocates API throughput by business unit, and the capacity token is treated like a time-bound entitlement that must be reconciled with the identity system.
  • A procurement-led cloud program uses market-style credits to move capacity between environments, while security teams verify that the transfer did not bypass NHI market controls or the access review process described in NIST CSF 2.0.
  • A secrets platform ties reserved usage rights to service accounts so that each right is surrendered during offboarding instead of lingering as a reusable privilege.

Why It Matters in NHI Security

Capacity markets matter because they can turn access into something tradable, and tradable access is difficult to govern unless ownership, expiry, and revocation are explicit. In NHI environments, that creates risk when compute rights are inherited, resold internally, or left attached to dormant service accounts. NHI Management Group reports that 97% of NHIs carry excessive privileges, which means a capacity model can amplify already overbroad access if entitlement controls are weak. The issue is not merely efficiency; it is whether the organisation can answer who can use capacity, who can transfer it, and who is accountable when that capacity is abused. This aligns with the NIST Cybersecurity Framework 2.0 emphasis on governance and access discipline, especially when rights are pooled across environments. It also fits NHI Management Group guidance in the Ultimate Guide to NHIs — The NHI Market, where market mechanisms demand stronger inventory, review, and offboarding controls. Organisations typically encounter the real cost only after an entitlement transfer survives a deprovisioning event, at which point addressing capacity market governance becomes operationally unavoidable.
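The control model that the use cases above and the failure mode in the previous paragraph describe (attributable transfers, time-bound grants to agents, revocation that follows the current holder rather than the original purchaser, and a least-privilege review over pooled rights) as an added Python example. It is a constructed illustration written for this entry, not NHI Management Group's code or any product's API; every principal, token id, resource and date in it is made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Entitlement:
    token: str            # capacity token id (constructed)
    owner: str            # principal that currently holds the right
    expires_at: datetime  # every right is time-bound
    active: bool = True

class CapacityLedger:
    def __init__(self):
        self.entitlements = {}  # token -> Entitlement
        self.audit = []         # (when, actor, action, token, from_owner, to_owner)
    def grant(self, token, owner, ttl, actor, now):
        self.entitlements[token] = Entitlement(token, owner, now + ttl)
        self.audit.append((now, actor, "grant", token, None, owner))
    def transfer(self, token, new_owner, actor, now):
        e = self.entitlements[token]
        if not e.active or now >= e.expires_at:
            raise PermissionError(f"{token}: revoked or expired, cannot transfer")
        if actor != e.owner:
            raise PermissionError(f"{token}: only the current holder may transfer")
        self.audit.append((now, actor, "transfer", token, e.owner, new_owner))
        e.owner = new_owner
    def offboard(self, principal, actor, now):
        """Revoke by current holder, so a right received by transfer does not outlive offboarding."""
        revoked = [t for t, e in self.entitlements.items() if e.active and e.owner == principal]
        for t in revoked:
            self.entitlements[t].active = False
            self.audit.append((now, actor, "revoke", t, principal, None))
        return revoked
    def review(self, now, identity_inventory):
        """Least-privilege review: active rights past expiry or held by a principal the identity system does not know."""
        live = [e for e in self.entitlements.values() if e.active]
        return sorted([(e.token, "expired-but-active") for e in live if now >= e.expires_at]
                      + [(e.token, "holder-not-in-inventory") for e in live if e.owner not in identity_inventory])

def run_scenario():
    t0, ledger = datetime(2026, 6, 12, tzinfo=timezone.utc), CapacityLedger()
    ledger.grant("cap-001", "squad-a", timedelta(days=30), "platform", t0)       # burstable build minutes
    ledger.transfer("cap-001", "squad-b", "squad-a", t0 + timedelta(hours=1))    # reassignment stays attributable
    ledger.grant("cap-002", "agent-7", timedelta(hours=2), "data-sci", t0)       # AI agent grant, expires with the experiment
    ledger.grant("cap-003", "svc-legacy", timedelta(days=365), "bu-ops", t0)     # holder unknown to the identity system
    buyer_gone = ledger.offboard("squad-a", "hr-automation", t0 + timedelta(days=1))   # [] : purchaser no longer holds it
    holder_gone = ledger.offboard("squad-b", "hr-automation", t0 + timedelta(days=1))  # ["cap-001"]
    findings = ledger.review(t0 + timedelta(days=2), {"squad-a", "squad-b", "agent-7"})
    return buyer_gone, holder_gone, findings, [a[2] for a in ledger.audit]
```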

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-04 | Marketed capacity can hide ownership and revocation gaps in NHI entitlement management.
NIST CSF 2.0 | PR.AC-4 | Capacity markets still require least-privilege access decisions and auditable entitlement assignment.
NIST Zero Trust (SP 800-207) |  | Zero Trust requires continuous validation even when access rights are pooled or transferable.

Apply least-privilege reviews to pooled capacity and verify each reassignment is authorized.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 12, 2026.