Subscribe to the Non-Human & AI Identity Journal
Home Glossary Architecture & Implementation Patterns Client-Based Billing
Architecture & Implementation Patterns

Client-Based Billing

← Back to Glossary
By NHI Mgmt Group Updated July 8, 2026 Domain: Architecture & Implementation Patterns

Client-based billing charges according to each authenticating identity rather than only by infrastructure capacity. In secrets platforms, this pricing model can make ephemeral workloads, autoscaling, and dense microservice estates materially more expensive and harder to forecast.

Expanded Definition

Client-based billing is a pricing model in which the unit of charge is the authenticating identity itself, not the compute instance, network tier, or storage footprint behind it. In NHI and secrets management, that means every service account, API key, certificate, workload identity, or agent that connects may become a billable client.

This matters because the number of identities in modern estates is already far beyond human scale. NHIs outnumber human identities by 25x to 50x in modern enterprises, so client-based billing can turn routine architecture choices into cost events, especially in ephemeral or autoscaled environments. For that reason, the economics of this model intersect with governance guidance in the Ultimate Guide to NHIs and broader control thinking in the NIST Cybersecurity Framework 2.0.

Usage across vendors is still evolving. Some platforms bill strictly per active identity, while others count provisioned identities, authenticated agents, or connected workloads, so the same estate can be priced differently depending on how the vendor defines a “client.” The most common misapplication is assuming client-based billing is equivalent to infrastructure-based pricing, which occurs when teams predict cost from server counts instead of identity counts.

Examples and Use Cases

Implementing client-based billing rigorously often introduces forecasting friction, requiring organisations to weigh identity-level visibility against billing simplicity.

  • A Kubernetes cluster with short-lived pods creates thousands of distinct workload identities, causing costs to rise even when infrastructure spend stays flat.
  • A microservice estate with per-service certificates triggers higher charges as teams break monoliths into finer-grained service identities.
  • An AI agent fleet that spins up tool-using agents per request is billed on each authenticated agent rather than the underlying container layer.
  • A CI/CD pipeline that creates temporary secrets for every build becomes expensive if each ephemeral identity is counted as a separate client.
  • Teams comparing price models should pair vendor billing rules with operational guidance from the Ultimate Guide to NHIs and identity governance concepts used in NIST Cybersecurity Framework 2.0.

Because the term is often used differently across products, organisations should confirm whether the vendor counts dormant identities, rotated credentials, federated workloads, or only active authentications before forecasting spend.

Why It Matters in NHI Security

Client-based billing can subtly shape security design. If every identity carries a cost, teams may delay proper segmentation, overuse shared credentials, or avoid necessary workload separation just to control spend. That is a governance problem, not just a finance issue, because poor identity hygiene becomes easier to justify when the billing model punishes scale.

The NHI risk profile makes this especially important. NHI Mgmt Group reports that 96% of organisations store secrets outside of secrets managers in vulnerable locations, and 73% of vaults are misconfigured, which means billing decisions can interact with already fragile secret handling practices. If a platform charges per client, organisations need to know whether leaked, stale, or duplicated identities are still being counted, because remediation delays can preserve both exposure and cost.

Practitioners should treat billing telemetry as an NHI inventory signal and compare it with lifecycle controls, rotation cadence, and access review data. The most common operational surprise is not the invoice itself but the discovery that a post-incident cleanup exposed many more authenticating identities than the team believed existed. Organisations typically encounter the cost impact only after a workload sprawl or incident review, at which point client-based billing becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Identity sprawl and lifecycle control are core concerns when pricing scales per authenticating client.
NIST CSF 2.0ID.AM-1Asset management requires knowing identities and dependencies, which is necessary to forecast client-based charges.
NIST Zero Trust (SP 800-207)PLP-2Zero Trust assumes per-identity policy enforcement, aligning with client-level measurement and accountability.

Inventory every authenticating identity so billing, ownership, and removal decisions are based on real NHI counts.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org