Method: every claim tracked, reviewed every 30–90 days, marked Holding, Partial, or Not holding. Drafted by Claude; signed off by Peter.
AM-180 · published 27 May 2026 · revised 27 May 2026 · 8 min read · in Business Case & ROI

Agentic IAM TCO at the 2,000-employee scale: a structural cost model for the 3-year horizon

The IAM TCO conversation at the 2,000-employee scale answers the CFO question that the Okta-vs-NHI-specialists matrix at AM-176 raises. The 3-year horizon prices five cost components (license, integration, operations, migration, exit) across three identity classes (human workforce, managed service accounts, agent-runtime), and reveals that the agent-runtime class is the line item growing fastest in the 2025-2026 cycle and the line item most often unpriced in the year-one budget.

Status: Holding · reviewed 27 May 2026 · next review in 59 days

The CFO question at the 2,000-employee scope is “what is the 3-year envelope to absorb the agent-runtime identity class into the existing IAM stack?” The AM-176 Okta-vs-NHI-specialists vendor matrix answered the architecture question; this piece is the cost-side companion that prices the architecture against the typical mid-large enterprise scope.

The 2,000-employee point is the modelling unit because at this scale the customer’s IAM stack typically already includes Okta or Microsoft Entra at the workforce layer, an existing PAM tool at the privileged layer, and a fragmented landscape of service-account governance. Agentic AI adoption drives an order-of-magnitude increase in non-human identity count from this baseline, surfacing the integration and operations cost that the smaller-scale customer has not yet hit and the larger-scale customer has already absorbed into a dedicated identity-operations function.

The Okta enterprise pricing reference for a 2,000-employee Workforce Identity Cloud deployment with the Adaptive MFA, Universal Directory, Lifecycle Management, and SSO baseline lands in the USD 200K to 350K range annually before adding ITDR, Privileged Access, or the specialist NHI tier. The specialist tier (one of Astrix Security, Apono, Britive, Aembit, Andesite, P0 Security per the AM-176 matrix) typically adds USD 75K to 200K annually at the 2,000-employee scope. The 3-year combined license envelope before integration, operations, migration, and exit costs is roughly USD 800K to USD 1.5M; the integration plus operations costs typically add 1.0x to 1.5x against the license envelope across the 3 years, bringing the realistic 3-year envelope to USD 1.5M to USD 3.05M.

The three identity classes the cost decomposes across

The TCO model breaks the cost into three identity classes with different growth dynamics and different operations characteristics.

Class one, the human workforce. A 2,000-employee customer carries a 2,000-identity directory with Adaptive MFA, SSO, and Lifecycle Management at the Okta or Entra subscription baseline. The license cost here is the most predictable and slowest-growing line. The annual cost is roughly USD 100K to USD 175K at the Okta or Entra workforce-baseline tier; it scales linearly with headcount and depends predictably on the Adaptive MFA and Lifecycle Management bundle the customer subscribes to.

Class two, the managed service accounts. The 45:1 NHI-to-human baseline from the CyberArk 2024 State of Non-Human Identity Security report implies roughly 90,000 service accounts at the 2,000-employee scale in the pre-agentic baseline. The bulk are CI/CD service principals, RPA bots, SaaS integration tokens, IoT device credentials, and Kubernetes workload identities. The license tier covering these depends on the customer’s directory and PAM combination: CyberArk and BeyondTrust dominate the PAM tier; the Okta or Entra subscription typically covers a subset at no incremental per-identity cost; and the long tail (the third-party OAuth app tokens that the AM-176 matrix covers under the Astrix Security purpose-built tool) requires the specialist tier. This is the line item growing at 15-25% year-over-year in the agentic AI adoption cycle.

Class three, the agent-runtime. Each agentic AI platform issues per-agent, per-session, sometimes per-tool credentials. A 2,000-employee customer with three agentic AI platforms deployed at moderate scale can plausibly carry 50,000 to 200,000 agent-runtime credentials in flight at peak. The growth rate is 100-300% year-over-year; the line item is the one most often unpriced in the year-one budget; the operations characteristic is fundamentally different from the other two classes because the credential lifetimes are typically sub-hour rather than 90-day or annual.

The five cost components

The 3-year envelope decomposes into five cost components against the three identity classes.

Component one, license cost. This covers the Okta or Entra workforce subscription, the specialist NHI tier subscription (Astrix, Apono, Britive, Aembit, Andesite, or P0 Security, depending on the customer’s specific gap from AM-176), and any incremental PAM additions for the privileged-access function. The annual envelope at the 2,000-employee scope is roughly USD 275K to USD 550K; the per-vendor split depends on which specialist the customer picked.

Component two, integration cost. This covers the federation seam build-out from AM-176, the SCIM provisioning across each in-scope source system, the OIDC or SAML configuration for each downstream application, and the audit-event format alignment to the customer’s SIEM. The first-year integration cost is the largest single line item; USD 200K-400K is the typical 2,000-employee envelope. Subsequent years carry incremental integration cost as additional agentic platforms are onboarded and as the customer’s existing systems federate to the new identity layer.

Component three, operations cost. The identity-governance team additions or fractional FTE allocations needed to operate the agentic-augmented identity stack. The typical 2,000-employee operations cost is USD 200K-400K annually for the combination of access-review execution, certification-cycle work, incident response staffing for the agent-runtime class, and the periodic-review cadence redesign for sub-hour credentials. The fractional FTE allocation is typically 1.0 to 2.5 FTE depending on the customer’s existing identity-team maturity.

Component four, migration cost. Any in-flight transition between identity vendors compounds with the agentic adoption rather than running independently. The most common 2026 patterns are Active Directory consolidation, Okta-to-Entra migration (or vice versa), ADFS retirement, and legacy LDAP-to-modern-protocol migrations. The migration cost compounds at USD 100K-300K in year one and tails into year two; the customer that is mid-migration during the agentic adoption pays for both transitions simultaneously, which is the year-one budget surprise the model is calibrated against.

Component five, exit cost. This is the 3-year provision for positioning out of the incumbent vendor if a change is anticipated: the data-export work for the identity directory, the connector-mesh rebuild for the federation seam, and the analyst retraining for the operations team. The exit-cost provision typically appears in year three as the customer prepares for the renewal-cycle negotiation; budgeting USD 50K-150K in year three is the procurement-mature pattern.

The year-by-year envelope

Year one is dominated by integration cost. The license is full-year, the integration is first-year-heavy, the operations team is ramping. USD 200K-400K in federation seam build-out and SCIM provisioning, USD 150K-300K in Okta-plus-specialist license, USD 100K-200K in identity-operations team additions or fractional FTE allocation, USD 50K-150K in any in-flight workforce-IAM migration that compounds with the agentic adoption. Year one total typically lands USD 500K to USD 1.05M.

Year two is dominated by operations. USD 200K-400K in renewed license (with the year-one negotiation discount carrying), USD 200K-350K in identity-operations team (now fully staffed), USD 50K-150K in tuning and recertification cycles, USD 50K-100K in incremental integration as additional agentic platforms are onboarded. Year two total typically lands USD 500K to USD 1.0M.

Year three is dominated by license renewal plus the exit-cost provision. USD 250K-450K in license (renewal-cycle increase, typically 10-20% above year one), USD 200K-400K in operations (stable but with periodic-review tooling upgrades), USD 50K-150K in exit-cost provisioning (data export, migration runbook, dual-running setup if vendor change is anticipated). Year three total typically lands USD 500K to USD 1.0M.

The 3-year combined envelope is roughly USD 1.5M to USD 3.05M at the 2,000-employee scope. The platform-fee headline (Okta enterprise pricing list per okta.com/pricing/) accounts for roughly 25-35% of the envelope; the integration plus operations cost is the larger share.

Where the year-one budget most often misses

Three line items reliably go unpriced in the year-one IAM budget for an agentic AI adoption.

The first is the agent-runtime credential issuance integration. The customer typically prices the Okta workforce subscription and the specialist tier license but does not separately price the engineering work to wire workload-issued runtime credentials against the customer’s existing audit, SIEM, and policy infrastructure. The miss is USD 100K-250K of first-year engineering cost the customer recovers as overage in year two.

The second is the identity-operations team capacity for the new identity class. The customer’s existing identity team is sized for a 45:1 NHI ratio; the agentic adoption pushes the ratio toward 80:1 or higher, which requires either headcount addition (0.5 to 1.5 FTE typically) or a managed-service contract addition. The miss is USD 100K-200K of annual operations cost.

The third is the periodic access review cadence for the agent-runtime class. The customer’s existing quarterly access-review process was built around the assumption of human-mediated entitlement and does not scale to per-session credential auditing. The redesign requires either tooling investment (typically USD 50K-150K) or process redesign (typically 0.25 to 0.5 FTE of identity-governance team time annually).

All three are predictable in advance. The year-one budget that misses them is the year-one budget that recovers them as overage in year two; the procurement-mature pattern prices all three at budget approval rather than discovering them at the year-one operational review.

What this means for the Q3 2026 CFO conversation

The CFO conversation at this scope translates the architecture decision from AM-176 into a 3-year line in the IT budget. The procurement-mature pattern is to present the CFO with the 3-component envelope (license, integration, operations) per year, with the migration and exit-cost provisions named explicitly, and the agent-runtime class growth rate documented as a separate sensitivity analysis.

The 2,000-employee customer that approves this envelope at procurement is approving roughly USD 500K-1.05M for year one and USD 500K-1.0M for each of years two and three. The customer that approves only the license tier headline is approving roughly 25-35% of the actual envelope and will revisit the conversation at the year-one operational review.

The sibling AM-174 security-platform TCO/ROI piece covers the security-platform analog at the same modelling scale (with security-platform-specific cost components like SOC analyst retraining and detection-engineering tuning). The AM-176 Okta-vs-specialist matrix is the architecture decision this cost model prices. The AM-167 NHI procurement clause work covers the MSA-layer instruments that make the operational cost story enforceable against the vendor.
