You Can’t Bill What You Can’t Authenticate
Guardrails are an authorization problem. That’s also where the meter is being built.
Start with the smallest possible fact, because the whole argument sits on top of it.
An AI agent that does not exist in your directory cannot be governed. It cannot be scoped, throttled, revoked, or audited, because there is nothing to attach a policy to. And here is the part the industry has been slow to say out loud: that same agent also cannot be billed. No identity, no line item. The condition for control and the condition for revenue turn out to be the same condition.
We have spent two years arguing about the wrong layer. The debate has been about models — whose is smartest, whose hallucinates least, whose context window is longest. Meanwhile the layer that actually decides what an agent is allowed to do has quietly become the one worth owning. Not because it is the most intelligent part of the stack. Because it is the part everything else has to pass through.
Guardrails are not a model problem
The reassuring version of AI safety is that we solve it inside the model: better training, tighter filters, cleaner evals. That version is incomplete in a way that matters commercially.
A model’s output is probabilistic. The action that output triggers, deleting a record, wiring funds, revoking a colleague’s access, is deterministic and irreversible. You cannot make a probabilistic system the final trust boundary for a deterministic act. Something has to sit between the intent and the execution and answer a harder question than “is this a good response?” The question is: who is this agent acting for, under whose delegation, through which tool path, for how long, and can I prove all of it afterward?
That is not a model question. It is an identity and authorization question. Which means guardrails, correctly understood, are an IAM problem wearing a safety costume. And once you see it that way, you notice who has been quietly building the tollbooth.
The gate has an owner
Every serious agent platform now agrees on the primitive: an agent must be a first-class identity before it can be trusted with anything.
Microsoft made this literal. Entra Agent ID issues agents a directory identity with a sponsor — a named human accountable for the agent’s behavior — and Agent 365 wraps that identity in registry, lifecycle, Purview data controls, and Defender monitoring. Okta’s pitch is the same shape from the neutral side: register the agent, assign an owner, trace its delegation chain, authorize its actions at runtime, and stream every event into the systems your auditors already read. Forrester’s framing is the cleanest — an agent is neither fully human nor fully machine, so it needs its own identity type and its own protection surface.
Strip the vendor language away and the strategic claim is singular: whoever owns the authorization layer owns the durable position. Models will keep leapfrogging each other on a quarterly cadence. The registry that knows every agent in your enterprise, who sponsors it, what it may touch, and what it did last Tuesday — that does not leapfrog. It compounds. It is a platform bet, not a feature bet, and platform bets are usually decided before most people notice a decision was being made.
The old meter is breaking
Here is where identity stops being a security story and becomes a revenue story.
For two decades, software priced the seat because the seat was a decent proxy for value. More users, more work done, more to pay for. Agents sever that link. One agent can do the work of ten people, or it can spin up forty sub-agents overnight — either way the human headcount and the work performed have divorced. Satya Nadella said the quiet part plainly: seats are becoming “just entitlement to some consumption.”
The market has noticed. Analysts now write about AI seat risk — the compression that hits a vendor’s net revenue retention when customers replace seats with agents instead of adding them. The seat is not dead; the honest read is that it is being re-based onto something that scales with machines instead of hiring. And the most natural thing to re-base it onto is the one artifact every agent must have anyway: an identity.
The tension nobody has resolved yet
This is where the interesting fight is, because the players are pulling in opposite directions and both directions are visible in today’s pricing sheets.
The incumbents are re-basing the seat. Agent 365 shipped at fifteen dollars per user per month — not per agent, not per action. One licensed human can govern an unlimited fleet of agents, and Microsoft has explicitly stated there are no consumption charges on the governance layer yet. Read that as strategy, not timidity. Microsoft is bundling the guardrail into the seat to protect the seat, and pushing the real consumption meter one layer down into execution — Copilot Studio credits, Foundry runtime, Cloud PC hours. The control plane stays flat and predictable. The volatility, and the upside, gets exiled to the invoice line finance wasn’t watching.
The insurgents are metering the event. Go down to the infrastructure and the picture inverts. AWS meters agent identity by the request — roughly a penny per thousand identity and token operations. That is the pure form of the thing: the authorization decision itself as a billable unit, priced at near-zero to stay invisible. Okta, for its part, has signaled that agent pricing will land on either a multiplier over the human license or the number of agent connections to systems — an identity-count meter waiting to be switched on. The SAMexpert crowd has even coined the metric this all points toward: ARPAA, average revenue per AI agent. When an industry invents a per-agent revenue metric, it is telling you where it intends to go.
So the strategic question is not whether identity becomes a meter. It is which cut wins: the flat per-sponsor seat the incumbents are defending, the per-agent-identity or per-connection model the challengers are circling, or the near-zero per-decision meter buried in the cloud bill. Whoever sets that precedent — and gets a buyer to accept it — writes the pricing grammar for the category.
Why the winner gets to keep winning
Whichever meter prevails, the layer underneath it is unusually sticky, and the stickiness is the real prize.
A seat churns cleanly — delete the user, the bill drops. An identity graph does not. Once your agents, their sponsors, their entitlements, and their signed delegation chains live in one directory, that graph is your operational map of the autonomous workforce. Migrating it is not a data export; it is re-establishing every trust relationship from zero, on a competitor’s schema, while your auditors watch. Add the compliance gravity — SOC 2, ISO 27001, PCI-DSS, and the regulators who are done treating non-human identities as out of scope — and the identity layer becomes the system of record you cannot rip out without becoming, briefly, ungoverned. The switching cost is not a contract term. It is a governance risk. That is the most durable kind of lock-in there is.
The way I’d know I’m wrong
I try to write down the falsifier before I fall in love with the thesis, so here it is.
If, eighteen to twenty-four months from now, the dominant way to pay for agent identity is still a flat per-seat or per-sponsor line — if nobody successfully charges for the authorization event or the agent itself — then this was never a new meter. It was the old seat wearing an identity badge, and the “agent economy” repriced nothing. Right now the evidence tilts that way: the largest vendor is deliberately holding the guardrail layer flat. The insurgents are circling, but circling is not landing.
Which leaves the question I can’t yet answer, and neither can the market: when the dust settles, does the rent get collected at the identity gate everything must pass through — or one layer down, at the execution meter where the tokens actually burn?
The company that answers that first doesn’t just win a pricing debate. It decides where the value in the entire agent stack accumulates. And it will have decided it, as these things always are, before most of the room realized a decision was on the table.



