Subscribe to the Non-Human & AI Identity Journal

Software inventory

A current, authoritative record of the applications, versions, and dependencies running across an organisation. It is the baseline control for lifecycle management because teams cannot retire, patch, or isolate what they cannot reliably see.

Expanded Definition

Software inventory is the structured record of what software exists, where it runs, which versions are deployed, and what it depends on. In security practice, it is more than a simple asset list because it must stay current enough to support patching, vulnerability management, license control, and safe removal of unsupported tools. NIST treats inventory as a foundation for governance and risk reduction in the NIST Cybersecurity Framework 2.0, where visibility into technology assets supports broader control decisions.

Definitions vary across vendors and internal tooling teams on how deeply the inventory should capture nested libraries, containers, and build-time dependencies. NHIMG recommends treating the term as a living control dataset rather than a one-time discovery output. That distinction matters because modern environments include endpoint software, cloud workloads, packages pulled during CI/CD, and scripts embedded in automation. Without clear scope, organisations confuse software inventory with configuration management or CMDB records, even though the security purpose is narrower and more operational.

The most common misapplication is relying on a quarterly export from endpoint tools, which occurs when teams assume discovery data is complete despite unmanaged devices, ephemeral workloads, and indirect dependencies.

Examples and Use Cases

Implementing software inventory rigorously often introduces continuous reconciliation overhead, requiring organisations to weigh operational accuracy against the cost of keeping discovery, procurement, and engineering data aligned.

  • Security teams use inventory data to identify which systems still run end-of-life versions before a patch campaign begins.
  • Application owners map installed packages and third-party libraries so they can remove vulnerable components when advisories emerge.
  • Cloud teams track software inside images and containers to understand what is actually deployed versus what was approved at build time.
  • Governance teams compare installed software to approved baselines to detect shadow IT and unauthorised tools.
  • Engineering teams maintain a bill of materials for releases so that incident responders can quickly trace exposure during a supply chain event, a practice aligned with guidance in the NIST Cybersecurity Framework 2.0.

In mature environments, software inventory also supports decommissioning decisions, because teams need evidence that a legacy service is unused before they isolate or retire it. It is especially important when software runs on unmanaged laptops, developer workstations, or temporary cloud instances where central reporting may miss what has actually been installed.

Why It Matters for Security Teams

Security teams cannot patch, harden, or remove software they cannot see, so inventory quality directly affects exposure management. Poor inventory leads to blind spots in vulnerability response, delayed remediation, untracked open-source dependencies, and orphaned applications that continue to accept data or credentials long after ownership has changed. The control value is practical: if the organisation cannot answer what is running, it cannot reliably answer whether it is safe.

Software inventory also has a growing identity and automation dimension. Non-human identities, build pipelines, and agentic workflows often install or reference software components automatically, which means inventory must account for toolchains and runtime dependencies, not only user-facing applications. Where software is tied to privileged access, poor visibility can leave secrets embedded in scripts or deployment artefacts long after the owning team has moved on. That makes inventory a dependency for secure shutdown as much as for secure operations.

Teams typically realise the importance of software inventory only after a vulnerability disclosure, a failed audit, or an incident in which an untracked application was the path to compromise, at which point inventory becomes operationally unavoidable to rebuild trust in the environment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.1, ID.AM The CSF treats asset visibility and governance as core inputs to risk management.
NIST SP 800-53 Rev 5 CM-8 Configuration management includes information system component inventory requirements.
ISO/IEC 27001:2022 A.5.9 Inventory of information and other associated assets supports asset control and accountability.
NIST AI RMF GOV AI RMF governance depends on knowing the software and dependencies supporting AI systems.
OWASP Non-Human Identity Top 10 NHI guidance depends on visibility into software that stores or uses machine identities and secrets.

Maintain an authoritative software inventory to support governance, exposure tracking, and timely remediation.