By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: IT asset management metrics help organisations measure utilisation, compliance, and lifecycle control across hardware and software, while highlighting how shadow IT and unused licences undermine governance, according to Zluri. The real test is whether ITAM data is wired into identity, onboarding, offboarding, and renewal decisions rather than treated as a reporting exercise.


At a glance

What this is: An ITAM KPI overview that argues asset tracking should cover utilisation, compliance, and lifecycle control across hardware, software, and SaaS.

Why it matters: Identity, access, and asset governance fail together when licences, devices, and applications are not continuously accounted for, and that holds for human and non-human identities alike.

By the numbers:

👉 Read Zluri's ITAM KPI guidance for software, hardware, and SaaS lifecycle control


Context

IT asset management is the discipline of accounting for hardware, software, and cloud resources across their lifecycle. In identity programmes, that same lifecycle logic matters because assets, licences, and access entitlements only stay controlled when ownership, usage, and retirement are visible at the same time.

The gap in this kind of programme is usually not a missing dashboard. It is a failure to connect inventory data to governance actions such as onboarding, offboarding, renewal review, and exception handling. That is where SaaS sprawl, shadow IT, and unused licences turn into access risk rather than just cost waste.


Key questions

Q: How should teams use ITAM metrics to improve identity governance?

A: Teams should connect asset utilisation, ownership, and renewal data to access decisions so that dormant software, devices, and cloud resources are challenged before they become control gaps. The useful metric is not total inventory alone, but whether every asset has a current owner, a purpose, and a defined retirement path.

Q: What breaks when software inventory is not tied to lifecycle management?

A: When inventory is disconnected from lifecycle management, organisations lose the ability to reclaim unused licences, remove stale assignments, and prove that offboarding actually closed access. The result is hidden spend, shadow IT, and a control environment that looks complete in reports but remains weak in practice.

Q: How do you know if SaaS compliance reporting is actually working?

A: SaaS compliance reporting is working when it can show active licences, expired licences, unauthorised software, and renewal decisions in one record that owners can act on. If the report cannot drive a reclaim, renewal, or exception decision, it is measurement without governance value.

Q: Who should own decisions about unused assets and licences?

A: Ownership should sit with the business or process owner who can validate the asset’s purpose, while IT and security enforce the control. That split prevents orphaned tools from lingering after role changes and ensures unused assets are challenged during reviews rather than left to accumulate.


Technical breakdown

Asset utilisation metrics and why they matter to identity governance

Asset utilisation measures how much of the available hardware, software, or cloud inventory is actually in active use. In practice, low utilisation often indicates over-procurement, weak assignment discipline, or poor lifecycle ownership. For identity teams, utilisation is a proxy for entitlement hygiene because unused assets often mirror unused accounts, dormant licences, or abandoned access paths. When utilisation is not measured by department, role, or business process, organisations lose the ability to separate genuine demand from inventory drift. That creates both cost inefficiency and access sprawl.

Practical implication: tie utilisation reporting to ownership reviews so inactive assets and inactive access are retired together.

Software license compliance and renewal control

Software license compliance is the point where entitlement data meets contractual and operational reality. A licence can still be assigned and in use while being out of compliance: the application may be unauthorised, the term expired, or the deployment beyond the permitted scope. Good compliance tracking requires a central record of entitlements, renewal dates, blacklisted applications, and departmental distribution. The governance value is not the report itself but the ability to stop renewals, reclaim unused seats, and evidence control during audits. Without that linkage, SaaS management becomes a spend exercise instead of a control function.

Practical implication: maintain a single entitlement register that links licences, owners, renewal dates, and approval history.

Why lifecycle metrics matter more than point-in-time inventory

Point-in-time inventory tells you what exists now, but lifecycle metrics tell you whether governance is actually functioning. That distinction matters because access, applications, and devices drift as people move roles, teams change tools, and vendors change terms. Lifecycle metrics include onboarding completion, offboarding closure, renewal exceptions, and time-to-reclaim. Those measures are especially useful for SaaS because they expose whether the organisation can remove access as reliably as it grants it. If lifecycle management is weak, the organisation can look controlled on paper while still carrying dormant exposure in practice.

Practical implication: measure lifecycle closure rates and exception ageing, not just asset counts.
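As an added example (not code from Zluri or NHI Mgmt Group) of how the three metric families above become governance actions, the script below joins a constructed entitlement register (contracts, seats, owners, renewal dates, approval status) with identity status from an HR or IdP feed. It computes utilisation per application, flags seats still held by terminated identities (offboarding closure gaps), dormant seats past a reclaim threshold together with their exception age, orphaned or unauthorised contracts, and renewals due inside a review window at low utilisation, and reports an offboarding closure rate. The application names, users, dates and the 30/90/60-day thresholds are assumptions made for the illustration.

```python
"""Wire a SaaS entitlement register into identity lifecycle decisions.

Added example, not code from Zluri or NHI Mgmt Group. Apps, users, dates
and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2025, 6, 26)  # reporting date (assumed)


@dataclass(frozen=True)
class Seat:
    app: str
    user: str
    assigned: date
    last_active: Optional[date]  # None = seat never used


@dataclass(frozen=True)
class Contract:
    app: str
    owner: Optional[str]  # business owner; None = orphaned contract
    seats_purchased: int
    renewal: date
    approved: bool        # False = unauthorised / blacklisted application


# Constructed sample data: identity status from HR/IdP, contracts, seat assignments.
IDENTITY_STATUS = {"alice": "active", "bob": "active", "carol": "terminated",
                   "dave": "active", "erin": "terminated", "frank": "terminated"}

CONTRACTS = [
    Contract("DesignSuite", "head-of-design", 5, date(2025, 7, 15), True),
    Contract("ChatBotX", None, 10, date(2025, 12, 1), False),
    Contract("CodeHost", "eng-lead", 3, date(2026, 1, 10), True),
]

SEATS = [
    Seat("DesignSuite", "alice", date(2024, 1, 1), date(2025, 6, 20)),
    Seat("DesignSuite", "carol", date(2024, 1, 1), date(2025, 1, 5)),  # terminated, still assigned
    Seat("DesignSuite", "dave", date(2025, 1, 1), None),               # never used
    Seat("ChatBotX", "bob", date(2025, 3, 1), date(2025, 6, 25)),
    Seat("CodeHost", "alice", date(2024, 1, 1), date(2025, 6, 25)),
    Seat("CodeHost", "bob", date(2024, 1, 1), date(2025, 6, 24)),
    Seat("CodeHost", "erin", date(2024, 1, 1), date(2025, 2, 1)),      # terminated, still assigned
]


def utilisation(seats, contracts, as_of=AS_OF, active_window_days=30):
    """Per app: purchased, assigned and recently active seats, plus active/purchased ratio."""
    cutoff = as_of - timedelta(days=active_window_days)
    assigned, active = defaultdict(int), defaultdict(int)
    for s in seats:
        assigned[s.app] += 1
        if s.last_active is not None and s.last_active >= cutoff:
            active[s.app] += 1
    return {c.app: {"purchased": c.seats_purchased, "assigned": assigned[c.app],
                    "active": active[c.app],
                    "utilisation": round(active[c.app] / c.seats_purchased, 2)}
            for c in contracts}


def governance_actions(seats, contracts, identities, as_of=AS_OF,
                       stale_days=90, renewal_horizon_days=60):
    """Turn inventory facts into owner-actionable items: (action, app, user_or_owner, reason)."""
    actions = []
    for s in seats:
        status = identities.get(s.user, "unknown")
        if status != "active":  # offboarding (or joiner data) did not close this seat
            actions.append(("RECLAIM", s.app, s.user, f"offboarding not closed: identity {status}"))
        elif s.last_active is None or (as_of - s.last_active).days > stale_days:
            age = (as_of - (s.last_active or s.assigned)).days - stale_days  # exception ageing
            actions.append(("RECLAIM", s.app, s.user, f"dormant seat, {age} days past reclaim threshold"))
    util = utilisation(seats, contracts, as_of)
    for c in contracts:
        if not c.approved:
            actions.append(("EXCEPTION", c.app, c.owner, "unauthorised application in use"))
        if c.owner is None:
            actions.append(("ORPHAN", c.app, None, "no business owner to validate purpose"))
        days_left = (c.renewal - as_of).days
        if 0 <= days_left <= renewal_horizon_days and util[c.app]["utilisation"] < 0.5:
            actions.append(("RENEWAL_REVIEW", c.app, c.owner,
                            f"renews in {days_left} days at {util[c.app]['utilisation']:.0%} utilisation"))
    return actions


def offboarding_closure_rate(seats, identities):
    """Share of terminated identities holding no remaining seats (1.0 = every leaver fully closed)."""
    terminated = {u for u, st in identities.items() if st == "terminated"}
    if not terminated:
        return 1.0
    still_holding = {s.user for s in seats if s.user in terminated}
    return round(1 - len(still_holding) / len(terminated), 2)


if __name__ == "__main__":
    for app, metrics in utilisation(SEATS, CONTRACTS).items():
        print(app, metrics)
    for action in governance_actions(SEATS, CONTRACTS, IDENTITY_STATUS):
        print(action)
    print("offboarding closure rate:", offboarding_closure_rate(SEATS, IDENTITY_STATUS))
```

Run on the constructed data, this produces per-app metrics, six actions (three reclaims, one renewal review, one exception, one orphaned contract) and a closure rate of 0.33, because two of the three terminated identities still hold seats. The point of the join is that "offboarding closed access" is computed from the entitlement register itself, not inferred from the offboarding ticket, which is the evidence an auditor or access reviewer can act on.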


Threat narrative

Attacker objective: The objective is to keep unmanaged access paths alive for as long as possible, relying on the same gaps in asset, licence, and lifecycle visibility that let hidden spend go unnoticed.

  1. Entry occurs when shadow IT, duplicate SaaS, or unmanaged hardware bypasses the normal inventory process and enters the environment without clear ownership.
  2. Escalation follows when unused licences, stale app assignments, or untracked devices persist after role or vendor changes, expanding the attack and cost surface.
  3. Impact appears as audit failure, licence waste, access sprawl, and weaker control over who can use which systems and when.

  Related NHI incidents:
  • Cisco DevHub NHI breach: IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach: Ticketmaster, Santander and other customers were compromised through abuse of cloud credentials.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Asset governance without lifecycle closure is just inventory management. Zluri’s framing is useful because it shows how utilisation, compliance, and renewals only matter when they are tied to real lifecycle action. The governance failure is not knowing that assets exist, but failing to retire, reassign, or reconcile them when business conditions change. Practitioners should treat lifecycle closure as the control objective, not the spreadsheet.

SaaS sprawl is an identity problem before it is a procurement problem. Duplicate applications, unmanaged renewals, and department-level tool drift all create fragmented access paths that look like efficiency issues until they become control failures. The same pattern that creates wasted spend also creates shadow IT and orphaned permissions. Security teams should read SaaS inventory through an access lens, not only a finance lens.

Hidden app spend is a named concept for hidden access debt. When organisations cannot see what is installed, subscribed to, or actively used, they also cannot prove who should still have access. That makes inactive licences and stale assignments structurally hard to govern. The practical conclusion is that asset management and identity governance need a shared operating model, not separate reporting streams.

Lifecycle metrics are the only reliable bridge between operational efficiency and control assurance. Utilisation alone can tell you where waste exists, but it cannot prove whether offboarding, renewal review, and reallocation are working. Organisations that only report counts miss the control story hidden inside the numbers. The programme question is whether each lifecycle stage closes cleanly, not whether the asset list looks complete.

In mature programmes, ITAM becomes an evidence source for IAM, IGA, and PAM. Device, software, and cloud inventories should feed access decisions, entitlement reviews, and privileged assignment checks. That cross-domain linkage is what turns asset data into governance evidence. Practitioners should stop treating ITAM as a separate operational silo and start using it to validate access decisions across the identity stack.

From our research:

  • 1 in 4 organisations is already investing in dedicated NHI security capabilities, with a further 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, a gap that maps directly to shadow access and unmanaged lifecycle risk.
  • For lifecycle and offboarding guidance, see NHI Lifecycle Management Guide for the control patterns that help close exposure windows.

What this signals

Hidden app spend is usually hidden access debt. When organisations can see licences but not the identity lifecycle behind them, they miss the point of governance. A mature programme should treat utilisation, ownership, and renewal data as one control loop, not separate reporting streams.

As SaaS ecosystems expand, the control question shifts from whether an application is approved to whether it can be retired cleanly when the business no longer needs it. That is why inventory quality, offboarding closure, and exception ageing should be tracked together.

Teams that already align ITAM with identity reviews will be better placed to absorb AI-enabled buying, faster tool adoption, and more fragmented software estates without losing control of who has access to what.


For practitioners

  • Link asset records to identity ownership: Require every software, device, and cloud asset to carry a business owner, technical owner, and review date so inactive items can be challenged during access and renewal cycles.
  • Measure lifecycle closure, not just inventory size: Track onboarding completion, offboarding closure, renewal exceptions, and reclaim time as control metrics, then review them alongside utilisation and compliance reports.
  • Consolidate SaaS and access data into one governance view: Use a single control set to compare licences in use, duplicate applications, and active user assignments so finance, IT, and IAM teams act from the same record.
  • Challenge dormant assets during recertification: Use access reviews to identify software seats, devices, and cloud resources that no longer map to an active role or project, then reclaim them before the next renewal.
  • Separate utilisation reporting from control assurance: Report usage metrics for cost management, but maintain a separate control view for entitlement validity, policy exceptions, and evidence of offboarding.

Key takeaways

  • ITAM becomes a governance control only when utilisation, ownership, and lifecycle closure are measured together.
  • SaaS sprawl and duplicate licences are access risks as well as cost risks because they create stale entitlements and weak accountability.
  • Practitioners should tie inventory reporting to offboarding, renewal, and recertification so asset data produces action, not just visibility.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 (identities and credentials for authorised users, services, and hardware are managed by the organisation; CSF 1.1 numbered this PR.AC-1) | Asset ownership and access assignment both depend on known, reviewed relationships.
NIST CSF 2.0 | ID.AM-01 and ID.AM-02 (inventories of hardware, and of software, services, and systems, are maintained) | Asset inventories are central to identifying what must be governed and protected.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets: every data source and computing service is a resource, and the enterprise monitors the integrity and security posture of all owned assets | Continuous verification depends on accurate asset and access visibility across the environment.

Use asset visibility to support continuous access review and reduce untracked trust relationships.


Key terms

  • Asset Utilisation: Asset utilisation is the share of tracked hardware, software, or cloud resources that are actively being used for a business purpose. In governance terms, it helps distinguish useful capacity from dormant inventory, but it only becomes meaningful when paired with ownership and lifecycle data.
  • Software License Compliance: Software license compliance is the state in which deployed software matches contractual entitlements, usage limits, and policy requirements. It is not just a legal check. It is an operational control that shows whether renewals, removals, and exceptions are being managed with evidence.
  • Lifecycle Closure: Lifecycle closure is the successful retirement, reassignment, or formal exception handling of an asset or entitlement when it is no longer needed. It matters because organisations often measure how things are acquired far better than how they are removed, which leaves stale exposure behind.
  • Shadow IT: Shadow IT is the use of software, cloud services, or devices outside approved governance and visibility. In practice it creates both cost leakage and identity risk because the organisation cannot reliably map who owns the asset, who uses it, or when it should be removed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: IT Teams Key Metrics Every IT Asset Manager Should Track (ITAM KPIs). Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org