TL;DR: IT asset discovery is no longer just about finding hardware and software, because SaaS sprawl, OAuth-connected AI agents, and unmanaged service accounts now create an identity layer that many tools cannot see, according to Zluri. Discovery only becomes useful when teams can map who and what has access, how it was granted, and whether it still belongs there.
At a glance
What this is: This is Zluri’s analysis of IT asset discovery tools, with the key finding that discovery has become an identity visibility problem as SaaS, shadow AI, and non-human identities multiply.
Why it matters: It matters because IAM, NHI, and governance teams need discovery controls that expose access paths and ownership gaps, not just inventory lists.
👉 Read Zluri's analysis of IT asset discovery tools and identity visibility
Context
IT asset discovery now means more than finding devices and applications on a network. In SaaS-heavy environments, the real gap is between the approved tool list and the live identity surface, where human users, service accounts, API tokens, bots, and AI agents can all hold access that no inventory report fully captures.
That gap matters for identity governance because discovery tools that stop at asset presence miss ownership, entitlement drift, and standing access. When procurement is decentralized and shadow AI appears alongside unmanaged non-human identities, teams need visibility into who and what can reach each system, not only what exists in the environment.
Key questions
Q: How should security teams govern SaaS discovery when access is fragmented across identities?
A: Security teams should treat SaaS discovery as an identity governance problem, not only an inventory task. The right output is a live map of applications, entitlements, grant sources, and owners across human and non-human identities. If a tool cannot explain who can access a SaaS app and why, it is not giving enough control evidence for IAM or audit purposes.
Q: Why do non-human identities complicate IT asset discovery?
A: Non-human identities complicate discovery because they create access paths that do not appear in traditional asset inventories. Service accounts, tokens, bots, and AI agents can hold permissions long after the original business owner has moved on. That means teams need lifecycle and ownership data alongside discovery data to understand actual exposure.
Q: What breaks when discovery tools only report assets and not access?
A: When discovery tools only report assets, governance teams lose sight of entitlement risk, delegated access, and dormant identities. That leaves shadow AI, unmanaged integrations, and stale service accounts outside the control loop. The result is a false sense of coverage, because the inventory looks complete while access remains opaque.
Q: How can organisations tell whether discovery is actually improving governance?
A: Organisations should look for shorter time to identify owners, faster detection of stale access, and better visibility into OAuth grants and non-human identities. If discovery does not reduce unknown access paths or improve lifecycle decisions, it is just producing reports. Real governance improvement shows up in fresher identity data and fewer unowned entitlements.
Technical breakdown
Identity visibility in IT asset discovery
Traditional IT asset discovery starts with network scanning, endpoint inventory, or software license tracking. That approach answers what exists, but not who can reach it or how access was granted. In modern SaaS and cloud environments, the identity layer is the control plane: entitlements, grant sources, and activity matter more than a static asset list. Discovery now has to connect assets to human users and non-human identities, including service accounts, tokens, bots, and AI agents; otherwise governance remains incomplete and audit evidence stays fragmented.
Practical implication: require discovery output to include identity-to-asset mappings, not just asset counts.
Shadow AI and OAuth-connected non-human identities
Shadow AI expands the discovery problem because many AI tools are not managed like normal applications. They can be introduced through OAuth consent, linked to SaaS data, and granted permissions without passing through the same approval and review flow as standard software. When discovery tools cannot see those connections, they miss the access path itself. The issue is not only unknown software, but unknown delegated access that persists after the original use case has faded.
Practical implication: inventory OAuth grants and AI app connections alongside standard SaaS discovery.
Continuous activity intelligence versus snapshot reporting
A periodic asset report is a snapshot, not a governance control. It tells teams what was true at one moment, but not whether access changed, whether an identity became dormant, or whether entitlement creep has started to build risk. Continuous activity intelligence closes that timing gap by correlating behaviour, entitlement changes, and exposure. For identity programmes, that shift matters because risk emerges between review cycles, not only at audit time.
Practical implication: move from quarterly inventory review to continuous identity activity monitoring.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting non-human identities, including AI agents.
NHI Mgmt Group analysis
Asset discovery has an identity problem before it has a tooling problem. The article is right to separate asset presence from access visibility, because the real governance failure is treating inventory as if it were identity control. In SaaS and cloud environments, the relevant question is not only what is installed, but which identities can act on it and whether those entitlements still make sense. The practitioner conclusion is simple: discovery must be evaluated as an access governance capability, not a catalog feature.
Shadow AI turns delegated access into an unmanaged governance surface. OAuth-connected AI tools can appear through normal business adoption but still bypass the ownership, review, and offboarding discipline that IAM programmes rely on. That creates a control gap across both human and non-human identity processes, because the access may be granted by a person but used by a machine. Practitioners should treat delegated AI access as part of the identity perimeter, not as an app-sprawl side issue.
Continuous visibility is the difference between finding assets and governing exposure. Static reports cannot show dormant accounts, unused service identities, or entitlement drift that accumulates after the initial rollout. The field needs a model where discovery, entitlement mapping, and behavioural signals are joined together, because the risk is not just hidden software but hidden access paths. The practitioner takeaway is to make freshness and ownership part of the control definition.
Non-human identity governance now belongs inside asset discovery programmes. Service accounts, API tokens, bots, workloads, and AI agents no longer sit at the edge of the problem. They are now central to whether an organisation can explain who has access, why it was granted, and whether it is still appropriate. The practitioner implication is that identity visibility tooling must be measured on non-human coverage, not just endpoint or SaaS coverage.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- For a broader governance lens, review the Ultimate Guide to NHIs, Key Challenges and Risks, for the access and visibility problems that discovery tools often expose only partially.
What this signals
Identity visibility is becoming the real control boundary for SaaS-heavy environments. Discovery programmes that cannot join assets to identities will keep missing the governance failures that matter most, especially dormant accounts, shadow AI, and unmanaged delegated access. The practical shift is toward continuous visibility, not periodic inventory, because access drift moves faster than review cycles.
Non-human identity coverage will become a selection criterion for discovery tools. Teams will increasingly ask whether a platform can surface service accounts, API tokens, bots, and AI agent permissions alongside standard software inventory. That expectation aligns with broader identity guidance in the Ultimate Guide to NHIs and with the NIST Cybersecurity Framework 2.0 emphasis on governance and visibility.
Shadow AI will keep expanding the unmanaged access surface. As more tools arrive through OAuth and self-service adoption, the boundary between sanctioned software and unsanctioned delegated access will keep blurring. Practitioners should prepare for discovery, entitlement review, and offboarding to operate as one connected control loop rather than separate processes.
For practitioners
- Map identity to asset coverage: Require every discovery workflow to show which human and non-human identities can access each SaaS app, cloud service, and on-prem system, including the grant source and ownership record.
- Inventory OAuth and AI app connections: Track OAuth-consented applications, AI tools, and delegated integrations as first-class inventory objects so shadow AI does not sit outside review, offboarding, or risk scoring.
- Tie discovery to entitlement freshness: Use continuous activity signals to flag dormant accounts, stale service identities, and privilege drift between review cycles instead of waiting for the next snapshot report.
- Extend governance to non-human identities: Apply ownership, lifecycle state, and decommissioning checks to service accounts, API tokens, bots, workloads, and AI agents so identity governance covers the full access surface.
- Measure tool value by access visibility: Evaluate discovery tools on whether they expose who has access, how it was granted, and whether it is still appropriate, not only on how many assets they find.
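The difference between an asset snapshot and an identity-to-asset map, as described in the technical breakdown and in the checklist above, is easier to see on data. The following is an added illustration written for this post, not Zluri's or any discovery tool's code; the grant records, identity names, assets and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (not from any real environment): one record per
# identity-to-asset grant, carrying the grant source, the accountable owner
# and the last observed activity, the fields a plain asset count lacks.
@dataclass(frozen=True)
class Grant:
    identity: str                  # user, service account, token, bot or AI agent
    kind: str                      # "human" or "nhi"
    asset: str                     # SaaS app or cloud service
    source: str                    # "sso", "oauth", "api_key" or "local"
    owner: Optional[str]           # None means no ownership record exists
    last_seen: Optional[datetime]  # None means no activity ever observed

NOW = datetime(2026, 5, 28)
D = timedelta

GRANTS = [
    Grant("alice@example.com", "human", "salesforce", "sso", "alice@example.com", NOW - D(days=2)),
    Grant("ai-notes-agent", "nhi", "salesforce", "oauth", None, NOW - D(days=120)),
    Grant("svc-etl", "nhi", "snowflake", "api_key", "bob@example.com", NOW - D(days=200)),
    Grant("bot-deploy", "nhi", "github", "oauth", "ci-team", NOW - D(days=1)),
    Grant("carol@example.com", "human", "slack", "sso", "carol@example.com", None),
]

def asset_inventory(grants):
    """Snapshot view: the asset list a classic discovery report would show."""
    return sorted({g.asset for g in grants})

def access_findings(grants, now=NOW, max_idle_days=90):
    """Identity view: governance findings the asset list cannot surface."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = {"unowned": [], "dormant": [], "oauth_delegated": []}
    for g in grants:
        if g.owner is None:                       # no one to ask "is this still needed?"
            findings["unowned"].append(g.identity)
        if g.last_seen is None or g.last_seen < cutoff:   # standing access nobody uses
            findings["dormant"].append(g.identity)
        if g.kind == "nhi" and g.source == "oauth":       # granted by a person, used by a machine
            findings["oauth_delegated"].append(g.identity)
    return findings

def identities_for(grants, asset):
    """Answer 'who can reach this asset, how, and who owns that access' for one asset."""
    return [(g.identity, g.source, g.owner) for g in grants if g.asset == asset]
```

The asset list reports four known applications and looks complete, while the same records yield an unowned OAuth-connected agent and three dormant grants, which is the visibility gap the post argues discovery must close.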
Key takeaways
- IT asset discovery is no longer sufficient unless it also reveals who and what has access to the environment.
- Non-human identities and shadow AI create access paths that static inventory reports cannot reliably capture.
- Practitioners should measure discovery by freshness, ownership, and entitlement visibility rather than asset count alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery must include non-human identities and delegated access paths. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on access visibility and entitlement governance across assets. |
| NIST Zero Trust (SP 800-207) | GV.OV-01 | Continuous visibility and governance align with zero-trust identity oversight. |
Map service accounts, tokens, bots, and AI agents into discovery scope before inventory is considered complete.
Key terms
- Identity Visibility: Identity visibility is the ability to see which human and non-human identities can access systems, how that access was granted, and whether it still belongs there. In practice, it joins entitlement data, ownership, and activity so governance teams can move beyond static inventory and understand actual exposure.
- Shadow AI: Shadow AI is the use of AI tools, integrations, or agents that are not fully discovered, approved, or governed by the organisation. It often enters through self-service adoption or delegated access, which makes it a governance problem as much as a discovery problem.
- Non-Human Identity: A non-human identity is a machine or software identity such as a service account, API token, bot, workload, certificate, or AI agent. These identities need lifecycle control because they can accumulate permissions, persist after projects end, and create access risk without any human user logging in.
- Identity Graph: An identity graph is a connected model that links identities to roles, entitlements, grant sources, and activity. It helps teams understand how access is distributed and where escalation or dormant privilege is building, which is more useful than a flat permission list when environments are decentralized.
Deepen your knowledge
IT asset discovery that includes non-human identities and access visibility is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to move from inventory to governance, that course is a practical next step.
This post draws on content published by Zluri: SaaS Management Top 9 IT Asset Discovery Tools in 2026. Read the original.
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org