diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go index 31f85265..a5df9809 100644 --- a/pkg/handler/handler.go +++ b/pkg/handler/handler.go @@ -503,6 +503,7 @@ func (m *Modifier) MutatePod(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResp patchConfig := m.buildPodPatchConfig(&pod) if patchConfig == nil { + missingSACounter.WithLabelValues().Inc() klog.V(4).Infof("Pod was not mutated. Reason: "+ "Service account did not have the right annotations or was not found in the cache. %s", logContext(pod.Name, pod.GenerateName, pod.Spec.ServiceAccountName, pod.Namespace)) return &v1beta1.AdmissionResponse{ diff --git a/pkg/handler/middleware.go b/pkg/handler/middleware.go index 1147dd95..07b19bd4 100644 --- a/pkg/handler/middleware.go +++ b/pkg/handler/middleware.go @@ -56,6 +56,13 @@ var ( Help: "Indicator to how many pods are using sts web identity or container credentials", }, []string{"method"}, ) + missingSACounter = prometheus.NewCounterVec( + prometheus.CounterOpts{ + Name: "pod_identity_webhook_missing_sa_count", + Help: "Service account did not have the right annotations or was not found in the cache.", + }, + []string{}, + ) ) func register() { @@ -63,6 +70,7 @@ func register() { prometheus.MustRegister(requestLatencies) prometheus.MustRegister(requestLatenciesSummary) prometheus.MustRegister(webhookPodCount) + prometheus.MustRegister(missingSACounter) } func monitor(verb, path string, httpCode int, reqStart time.Time) {
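Review bot: The added `missingSACounter.WithLabelValues().Inc()` in MutatePod runs on every `patchConfig == nil`, which according to the log message covers two cases: a service account without the expected annotations, and one not found in the cache. The first is presumably routine for pods that do not use web identity, while the second means a pod was admitted without credentials it may have expected, so one unlabelled series gives operators nothing to alert on. If `buildPodPatchConfig` (not visible here) can distinguish the two, a `reason` label would make the metric usable, e.g. `missingSACounter.WithLabelValues("not_in_cache").Inc()` with `[]string{"reason"}` on the definition. MutatePod's body starts and ends outside the hunk, so the rest of the returned response cannot be checked from here.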
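Review bot: `missingSACounter` is declared with `prometheus.NewCounterVec` and an empty label list `[]string{}`, which is why the call site needs an argument-less `WithLabelValues()`. Either give it a real label or declare it as `prometheus.NewCounter(prometheus.CounterOpts{...})` and call `Inc()` directly. The `_count` suffix is what Prometheus uses for the count series of histograms and summaries, and counters conventionally end in `_total`; keep it only if it matches this file's existing metric names, which are outside the hunk. The `Help` text repeats the log message rather than saying what is counted; something like `Help: "Pods admitted without mutation because the service account had no matching annotations or was not in the cache"` reads better on a dashboard. The enclosing `var (` block starts outside the hunk.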