A Monthly Active Consent is a count of how many unique users approve access to a specific resource and scope during a month. In agentic identity, it marks the approval event that allows an MCP client or protected API to act on behalf of a user.
Expanded Definition
Monthly Active Consent is a usage metric that counts unique users who approve access to a specific resource and scope during a month. In agentic identity, it captures the user’s authorisation event that lets an MCP client or protected API act on the user’s behalf, often for a bounded time and purpose.
Definitions vary across vendors because some teams treat consent as a one-time grant, while others treat it as a recurring approval tied to renewal, revocation, or scope changes. For NHI governance, the useful distinction is not whether consent exists, but whether it is attributable, time-bound, and traceable to the exact resource scope. That makes it different from general login counts, token issuance, or privilege assignments. It also aligns with broader control thinking in the NIST Cybersecurity Framework 2.0, where identity, access, and governance must be demonstrable rather than assumed.
The most common misapplication is counting any API token refresh as consent, which occurs when teams confuse technical session continuity with a fresh, user-approved authorisation decision.
Examples and Use Cases
Implementing Monthly Active Consent rigorously often introduces user-friction and data-model complexity, requiring organisations to weigh precise governance against lower approval throughput.
- A finance assistant agent requests read-only access to invoices, and each unique employee who approves that scope is counted once for the month.
- A developer uses an MCP-enabled coding tool to reach a source-control API, and consent is measured per distinct user, resource, and approved scope.
- A customer support copilot needs case notes access, and the monthly metric helps show whether broad delegation is increasing or staying tightly bounded.
- An organisation compares active consent volume against the lifecycle controls described in the Ultimate Guide to NHIs to spot whether approvals are drifting beyond intended use.
- A security team maps consent patterns to API authorisation rules, then validates that approvals match the application’s declared scopes rather than hidden background actions.
Where the concept is still evolving, especially in agentic workflows, teams should document whether the metric resets on renewal, scope expansion, or user revocation so reports stay comparable across products and quarters.
Why It Matters in NHI Security
Monthly Active Consent matters because it reveals how often human approval is still required in an otherwise machine-mediated access path. When consent data is missing or overstated, organisations can lose visibility into which users are authorising which NHI actions, making it harder to prove least privilege, justify access, or investigate misuse. That risk compounds in environments where NHIs already outnumber human identities by 25x to 50x and where only 5.7% of organisations report full visibility into service accounts, according to the Ultimate Guide to NHIs.
For governance, consent metrics help distinguish legitimate delegated access from silent automation that bypasses review. They also support access recertification, scope hygiene, and policy tuning around MCP clients, API gateways, and agent approvals. In practice, the metric becomes most valuable after an incident review, when investigators need to know whether a risky action was explicitly approved or merely inherited through an old grant. Organisations typically encounter consent drift only after an access dispute, at which point Monthly Active Consent becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic systems rely on explicit user approval before tool or API execution. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | Consent metrics support governance over NHI authorization and delegated access paths. |
| NIST CSF 2.0 | PR.AA-05 | Identity and access governance depends on demonstrable approval and authorization records. |
Record who approved each NHI scope and review approvals for drift or overbroad delegation.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org