By NHI Mgmt Group Editorial Team | Published 2026-02-02 | Domain: Breaches & Incidents | Source: Pathlock

TL;DR: Gartner says 61% of procurement leaders describe their data as disorganized, inaccurate, or needing major quality improvements, and Pathlock’s inclusion in the 2026 Market Guide for SAM Tools reflects how weak asset data still distorts software usage, cost control, and compliance decisions. The real issue is not tool selection alone, but whether governance teams can trust the data model behind licensing decisions.


At a glance

What this is: This is a vendor post about Gartner’s 2026 Market Guide for SAM Tools and the finding that poor data quality is undermining software asset management decisions.

Why it matters: It matters to IAM practitioners because software entitlement, access governance, and compliance reporting all depend on accurate identity-linked asset data, especially in complex enterprise application estates.



Context

Software asset management depends on accurate data about what is deployed, what is used, and what each entitlement actually costs. When those records are fragmented or inconsistent, license optimisation becomes guesswork and compliance risk increases. That problem is especially familiar to IAM and governance teams because the same data-quality failure often shows up in entitlement reviews, role design, and audit evidence.

Pathlock’s inclusion in Gartner’s 2026 Market Guide for Software Asset Management Tools is best read as a signal about the state of enterprise governance, not as a product endorsement. The practical issue is whether organisations can connect software usage, role assignments, and cost models into a reliable control system. For teams running IAM, IGA, or SAM-adjacent governance, that is a data integrity problem first and a tooling problem second.


Key questions

Q: How should organisations govern software licence data when records are inconsistent?

A: Start by treating licence data as a governed control input, not an administrative output. Define ownership, normalise entitlement records, and reconcile usage against contract terms on a recurring cadence. If the data cannot support an audit trail, optimisation claims should be treated as provisional rather than reliable.

Q: Why do role-based licence models fail in complex enterprise applications?

A: They fail when role definitions, user ownership, and usage evidence are not kept in sync. In that situation, the organisation may assign licences based on stale access patterns or incomplete business context, which distorts cost forecasts and can create compliance exposure at renewal or audit time.

Q: How can security teams tell whether licence optimisation is actually working?

A: Look for fewer unexplained entitlement exceptions, cleaner ownership records, and a measurable reduction in licence disputes at renewal. If optimisation depends on manual reconciliation every cycle, the programme is not yet controlled. Strong programmes can explain why each entitlement exists and who approved it.

Q: Who should be accountable for software asset governance in large enterprises?

A: Accountability should sit across procurement, application ownership, and identity governance rather than in a single team. Procurement manages commercial terms, identity teams manage entitlement accuracy, and application owners validate usage context. Without shared accountability, the evidence base fragments and control outcomes become inconsistent.


Technical breakdown

Why software asset data quality breaks licence governance

Software asset management only works when inventory, usage, contract, and entitlement data line up cleanly. In practice, those data sets are often fragmented across procurement systems, ITSM records, discovery tools, and application admin consoles. If role-based licensing depends on incomplete usage data, the organisation cannot reliably tell whether it is over-licensed, under-licensed, or out of compliance. The governance failure is not merely lack of reporting. It is a broken decision substrate, where the numbers look precise but the underlying records are not trustworthy.

Practical implication: establish a single governed data model for licence entitlements, usage, and ownership before attempting optimisation.

Role-based and activity-based licensing need different evidence

Role-based licence management ties cost and entitlement to the access role, while activity-based management ties it to actual system use. Those models are not interchangeable because they depend on different evidence. Role-based approaches need strong joiner-mover-leaver alignment, role engineering discipline, and clean ownership data. Activity-based approaches need high-quality telemetry and consistent interpretation of usage events. If either side is weak, the organisation can optimise the wrong thing, producing savings that do not survive audit or renewal negotiations.

Practical implication: separate role-based and activity-based controls in governance design, rather than collapsing both into one optimisation workflow.

Why SAP licensing governance overlaps with identity governance

SAP environments often expose the link between identity and asset governance more clearly than other systems because access roles, business functions, and licence consumption are tightly coupled. When identity data is incomplete, role expansion and licensing growth can happen together without clear accountability. That is why access governance teams, not only procurement teams, need visibility into licensing logic. The technical challenge is to make entitlement, usage, and compliance evidence intelligible to both commercial and security stakeholders without duplicating sources of truth.

Practical implication: align SAM reporting with identity governance controls so access changes and licence impact are reviewed together.
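As an added illustration of the evidence split described above (not code from Pathlock or the Gartner guide), the following Python reconciles each entitlement against the evidence its licence basis requires: an accountable owner and approver for every entitlement, a currently assigned role for role-based ones, and recent usage telemetry for activity-based ones. The record layout, field names and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Entitlement:
    user: str
    licence_class: str                 # commercial licence tier, e.g. "professional"
    basis: str                         # "role" (role-based) or "activity" (activity-based)
    role: Optional[str] = None         # access role the entitlement is justified by
    owner: Optional[str] = None        # accountable control owner
    approved_by: Optional[str] = None  # who approved the entitlement

# Constructed sample data: three evidence sets kept deliberately separate.
AS_OF = date(2026, 2, 2)
ENTITLEMENTS = [
    Entitlement("alice", "professional", "role", role="fi_clerk", owner="fin-ops", approved_by="fin-director"),
    Entitlement("bob", "professional", "role", role="sd_manager", owner="sales-ops", approved_by="sales-director"),
    Entitlement("carol", "limited", "activity", owner=None, approved_by=None),
    Entitlement("dave", "limited", "activity", owner="plant-ops", approved_by="plant-manager"),
]
ROLE_ASSIGNMENTS = {"alice": {"fi_clerk"}, "bob": {"sd_rep"}}          # current JML state (IGA)
LAST_ACTIVITY = {"alice": date(2026, 1, 30), "carol": date(2026, 1, 23)}  # usage telemetry; dave absent

def find_exceptions(entitlements, role_assignments, last_activity, as_of, stale_days=90):
    """Return [(user, licence_class, [reasons])] for entitlements lacking evidence."""
    exceptions = []
    for e in entitlements:
        reasons = []
        # Ownership evidence: every entitlement must name an owner and an approver.
        if not e.owner or not e.approved_by:
            reasons.append("no accountable owner or approval")
        if e.basis == "role":
            # Role-based: the justifying role must still be assigned to the user.
            if e.role not in role_assignments.get(e.user, set()):
                reasons.append("justifying role no longer assigned")
        elif e.basis == "activity":
            # Activity-based: telemetry must show use within the evidence window.
            last = last_activity.get(e.user)
            if last is None or (as_of - last).days > stale_days:
                reasons.append("no usage evidence within window")
        else:
            reasons.append("unknown licence basis")
        if reasons:
            exceptions.append((e.user, e.licence_class, reasons))
    return exceptions

def exception_report(stale_days=90):
    # Map each excepted user to its reasons, over the constructed sample data.
    return {u: r for u, _, r in find_exceptions(ENTITLEMENTS, ROLE_ASSIGNMENTS, LAST_ACTIVITY, AS_OF, stale_days)}
```

Calling `exception_report()` flags bob (role no longer assigned), carol (no owner or approval) and dave (no usage evidence), while alice passes because her role is still assigned and her ownership record is complete.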


NHI Mgmt Group analysis

Data quality is now a governance control, not just a reporting problem. Gartner’s finding that 61% of procurement leaders see material data quality issues shows that software asset management is limited by the same evidence problems that weaken identity governance programmes. When the organisation cannot trust asset records, licence optimisation becomes a negotiation exercise instead of a control function. The implication is that governance teams must treat data integrity as part of control design, not as downstream administration.

Role-based licensing exposes the same lifecycle weaknesses seen in identity programmes. If role assignments, usage data, and contract terms do not move together, licence governance drifts in the same way access governance drifts when joiner, mover, and leaver processes are incomplete. This is why SAM and IGA should not be managed as separate silos in mature environments. Practitioner implication: connect licence models to lifecycle controls, not just procurement workflows.

Identity governance teams should read this as a signal about evidence quality across complex application estates. SAP and similarly complex platforms often require role logic, business ownership, and contract interpretation to stay aligned over time. That alignment is difficult to maintain without disciplined access review and ownership mapping. The practitioner conclusion is straightforward: if the evidence cannot survive audit, the governance model is already fragile.

Licence optimisation now depends on an identity-like operating model for entitlements. The same discipline used to control privileged access, recertify entitlements, and prove accountability is increasingly necessary for software asset governance. That does not mean SAM becomes IAM, but it does mean the control patterns are converging. Practitioner implication: build cross-functional governance for entitlements, usage, and accountability instead of leaving them in separate programmes.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • That lifecycle gap is why the NHI Lifecycle Management Guide is the right next resource for teams building offboarding, rotation, and review discipline.

What this signals

Licence governance is converging with identity governance. When entitlement records, usage telemetry, and ownership data do not align, the same control failures that weaken access reviews begin to affect software asset decisions. Teams that already rely on the NIST Cybersecurity Framework 2.0 will recognise the pattern: govern the data first, then optimise the control outcome.

Evidence quality is the real operating constraint. The strongest programmes will be those that can connect procurement terms, role assignments, and application usage into one reviewable record. For identity teams, that means expanding the scope of lifecycle thinking beyond accounts and entitlements to include licence accountability, renewal evidence, and exception handling.

Identity programmes can borrow a useful lesson from software asset governance: optimise only after visibility stabilises. The same discipline that underpins OWASP Non-Human Identity Top 10 applies here, because unmanaged entitlements and unmanaged credentials both create decision risk when the records behind them are incomplete.


For practitioners

  • Map software entitlements to accountable owners: Create a governed ownership model for applications, licence classes, and business roles so every entitlement can be traced to a named control owner and reviewed on a defined cadence.
  • Separate usage evidence from entitlement evidence: Keep discovery, usage telemetry, and contract terms distinct in reporting so licence optimisation does not rely on a single unverified data source.
  • Align role reviews with licence renewal cycles: Time access recertification, role engineering, and renewal planning together so access drift and licence drift are corrected in the same governance window.
  • Standardise evidence for SAP and other complex platforms: Define what counts as acceptable proof for installed, used, and entitled software so procurement, security, and audit teams are working from the same records.

Key takeaways

  • Poor data quality is the central governance issue in software asset management, because optimisation fails when records are incomplete or inconsistent.
  • Role-based and activity-based licence models require different evidence, and collapsing them into one workflow produces weak decisions and audit friction.
  • Identity and procurement teams need a shared ownership model for entitlements, usage, and compliance evidence before they can trust optimisation results.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
NIST CSF 2.0                       GV.OV-03              SAM decisions depend on trustworthy governance evidence and oversight.
NIST Zero Trust (SP 800-207)       PR.AC-4               Entitlement accuracy supports least-privilege decision-making across enterprise systems.
OWASP Non-Human Identity Top 10    NHI-03                NHI control patterns around visibility and lifecycle map to entitlement governance discipline.

Define ownership for asset and entitlement data, then review quality metrics before optimisation.


Key terms

  • Software Asset Management: Software asset management is the discipline of tracking software usage, entitlement, and commercial terms so organisations can control cost and compliance. In mature environments it depends on reliable evidence, not just procurement records, because licensing decisions fail when data is fragmented or stale.
  • Role-based Licensing: Role-based licensing assigns cost or entitlement logic according to the access role a user holds. It works only when roles are cleanly governed and reflect current business need, otherwise the organisation can overpay for access that no longer matches actual use.
  • Activity-based Licensing: Activity-based licensing ties entitlement or cost to actual use events rather than static role assignment. It can improve fairness and precision, but only if usage telemetry is complete, consistent, and interpretable across applications and business units.
  • Entitlement Governance: Entitlement governance is the control process that determines who or what should have access, why that access exists, and how it is reviewed over time. It connects identity, ownership, and accountability, which makes it essential for both access security and licence control.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Pathlock: Gartner’s 2026 Market Guide for Software Asset Management Tools and Pathlock’s inclusion as a representative vendor. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org