Skip to content
AM-180
← Back to ledger
Holding·last review27 May 2026

The 3-year IAM TCO envelope for a 2,000-employee mid-enterprise absorbing the agent-runtime identity class lands at roughly USD 1.5M to USD 3.05M, decomposed across five cost components (license, integration, operations, migration, exit) and three identity classes (human workforce, managed service accounts, agent-runtime); the platform-fee headline (Okta enterprise pricing per okta.com/pricing/) accounts for roughly 25-35% of the envelope, the remainder distributing across federation seam build-out, SCIM provisioning, OIDC/SAML configuration, audit-event format alignment, identity-operations team additions (typically 0.5 to 2.5 FTE), and the periodic-review cadence redesign for sub-hour credentials; three line items reliably unpriced in the year-one budget are the agent-runtime credential issuance integration (USD 100K-250K of first-year engineering recovered as year-two overage), the identity-operations team capacity uplift (USD 100K-200K annual), and the access-review redesign tooling or process work (USD 50K-150K).

Anchored on (a) Okta enterprise pricing reference at okta.com/pricing/ for the Workforce Identity Cloud baseline with Adaptive MFA, Universal Directory, Lifecycle Management, SSO; (b) CyberArk 2024 State of Non-Human Identity Security 45:1 NHI-to-human baseline and projected 80:1 at agent-heavy 2026 deployments; (c) specialist NHI vendor pricing tier observations from 2025-2026 procurement-team interactions (Astrix Security, Apono, Britive, Aembit, Andesite, P0 Security typically adding USD 75K-200K annually at the 2,000-employee scope); (d) integration cost calibrated from federation seam build-out experience across 2,000-employee enterprise deployments (typical USD 200K-400K first year). The line item ranges presented are buying-committee planning bands rather than measured industry averages; published independent (non-vendor-funded) audit data at this granularity is not available, so the model is the procurement-team observation rather than survey output. 60-day review cadence (26 Jul 2026). Trigger conditions: (1) Okta or Microsoft Entra announcing structural pricing-model change (per-user to consumption, bundling change for workforce-plus-NHI tier) materially shifts license envelope and moves toward Partial; (2) specialist NHI vendor achieving workforce-tier integration parity closing AM-176 federation-seam costs reduces integration cost line; (3) NIST AI RMF, ISO 42001, or sector-specific guidance prescribing periodic-review cadence for agent-runtime identities changes operations cost line; (4) CyberArk 2026 State of NHI Security report (anticipated) refreshing 45:1 baseline calibrates class-two cost line. Sibling AM-176 covers Okta-vs-specialist vendor matrix this model is the cost-side companion to; AM-167 covers contract-side procurement clauses; AM-174 covers security-platform TCO sharing asymmetric-cost framing.

Published
27 May 2026
Last reviewed
27 May 2026
Next review
+59d· 26 Jul 2026
Source piece
Agentic IAM TCO at the 2,000-employee scale: a structural cost model for the 3-year horizonRead piece →
Permalink/holding/AM-180/
Embed this claimiframe + oEmbed
HTML iframe
Paste-the-URL (Substack, Medium, Notion, WordPress)

The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.

Watch this claim

Email-me when AM-180's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.

The claim: The 3-year IAM TCO envelope for a 2,000-employee mid-enterprise absorbing the agent-runtime identity class lands at roughly USD 1.5M to USD 3.05M, decomposed across five cost components (license, integration, operations, migration, exit) and three identity classes (human workforce, managed service accounts, agent-runtime); the platform-fee headline (Okta enterprise pricing per okta.com/pricing/) accounts for roughly 25-35% of the envelope, the remainder distributing across federation seam build-out, SCIM provisioning, OIDC/SAML configuration, audit-event format alignment, identity-operations team additions (typically 0.5 to 2.5 FTE), and the periodic-review cadence redesign for sub-hour credentials; three line items reliably unpriced in the year-one budget are the agent-runtime credential issuance integration (USD 100K-250K of first-year engineering recovered as year-two overage), the identity-operations team capacity uplift (USD 100K-200K annual), and the access-review redesign tooling or process work (USD 50K-150K).

About this register

The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.

Recent corrections in Reporting

  • AM-002 · Not holding · 06 May 2026

    URL state changed. The /the-agentic-ai-revolution-real-world-success-stories-and-strategic-insights-from-2024-2025/ slug now serves a deliberately rewritten retrospective (claimId AM-130, "Agentic AI 2024-2025 retrospective", published 04 May 2026) against audited primary sources. The 28 Apr 2026 redirect to /retractions/ has been lifted to allow that. AM-002 the claim remains Not holding — the original $3.50/dollar + 70% failure-rate framing was withdrawn and is not restored. AM-130 is a separate claim with its own evidence chain. Readers arriving at /holding/AM-002 see the withdrawal here; the article link surfaces the new piece at the URL the original lived at, with this entry as the audit trail.

  • AM-121 · Holding · 2 May 2026

    Klarna walk-back primary-source upgrade — added Siemiatkowski verbatim quotes via Bloomberg-cited-by-Fortune (9 May 2025) and the Uber-style freelance hiring detail via Entrepreneur. Closes the highest-priority evidence gap from the source dossier.

  • AM-115 · Holding · 29 Apr 2026

    Initial publication 29 Apr 2026 — the first Quarterly Claim Review Bulletin. The claim itself is recursive: it asserts that the bulletin will ship quarterly, and the next review (30 Jul 2026) tests whether the Q3 bulletin actually appeared. Status starts as 'up' because the claim is currently true (the Q2 bulletin shipped). The verdict at end of July 2026 will move to Holding, Partial (bulletin shipped but on a delayed cadence), or Not holding (no bulletin shipped).

Reviews coming up in Reporting

  • AM-003 · Holding · next -9d (19 May 2026)

    GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…

  • AM-136 · Holding · next +7d (4 Jun 2026)

    Across the 24-month window May 2024 to April 2026, every major foundation-model provider (Anthropic, OpenAI, Google, AW…

  • AM-020 · Holding · next +21d (18 Jun 2026)

    The 40-60% TCO underestimate on enterprise agentic-AI deployments is not a cost-visibility failure — it is a cross-depa…