TL;DR: IT asset management is framed as a lifecycle discipline for hardware, software, cloud apps, mobile devices, and licenses, with Zluri arguing that central inventory, audits, and policy controls reduce compliance, cost, and security risk. The real governance issue is that unmanaged SaaS and shadow IT blur asset ownership, lifecycle visibility, and access control, making identity-linked inventory the operational baseline.
At a glance
What this is: This guide defines IT asset management as lifecycle control for hardware, software, cloud, and mobile assets, with emphasis on inventory, licensing, audits, and compliance.
Why it matters: It matters to IAM practitioners because unmanaged assets quickly become unmanaged access, which complicates NHI governance, recertification, and control over who or what can use SaaS and endpoints.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri's guide to IT asset management, lifecycle control, and SaaS governance
Context
IT asset management is the discipline of keeping a complete, accurate record of hardware, software, cloud subscriptions, and the access tied to them across their lifecycle. In practice, the control problem is not just counting assets. It is making sure every asset has an owner, a purpose, a review point, and a retirement path before it turns into shadow SaaS or orphaned access.
For identity teams, the important question is where ITAM ends and access governance begins. A SaaS app without inventory is also a blind spot for account provisioning, license recertification, and offboarding, especially when employees can adopt tools without central approval. That makes asset visibility part of the identity surface, not a separate procurement exercise.
Key questions
Q: What breaks when IT asset management does not include access governance?
A: The inventory may still look complete, but the organisation loses control over who can use each application, token, or device. That creates blind spots in offboarding, licence recovery, and review cycles, so unmanaged access persists even when the asset itself is known. Identity records and asset records have to be linked to make lifecycle control real.
Q: Why do shadow SaaS apps increase security and compliance risk?
A: Shadow SaaS creates parallel access domains that bypass procurement, review, and offboarding. Those apps often carry their own users, tokens, and data stores, which means the business can fail audits while also widening its attack surface. The risk is not only wasted spend, but ungoverned access that no one is actively monitoring.
Q: How do security teams know if ITAM is actually improving governance?
A: Look for evidence that discovered assets are mapped to owners, active entitlements, and closure actions. If audits reveal fewer unknown applications, fewer stale licences, and faster revocation when apps are retired, the programme is working. If the inventory grows but ownership and access freshness do not improve, governance is still superficial.
Q: Who should be accountable when an unapproved application creates exposure?
A: Accountability should sit with the business owner of the application, the ITAM function that maintains the inventory, and the identity team that controls access. If any one of those is missing, the organisation loses end-to-end lifecycle control. Standards such as ISO/IEC 19770 help define the asset layer, but accountability must also cover access and offboarding.
Technical breakdown
Why IT asset inventory becomes an identity control
An asset inventory is only useful if it connects the object being managed to the identity that can use it. In SaaS-heavy environments, the control boundary shifts from device tracking to entitlement tracking, because users, service accounts, and third-party access can outlive the asset record itself. That is why ITAM and IAM converge around ownership, classification, and lifecycle states. A clean inventory tells you what exists, but identity governance tells you who or what can act on it, when access should be reviewed, and how disposal should remove access as well as data.
Practical implication: require every discovered asset to carry an owner, an access model, and a retirement trigger, not just a procurement record.
How shadow SaaS creates hidden licence and access risk
Shadow SaaS appears when teams adopt applications outside approved intake and procurement flows. The immediate problem is duplicated spend, but the deeper issue is that untracked SaaS often creates untracked identities, tokens, and delegated access paths. Those identities are still subject to lifecycle events such as joiner, mover, and leaver changes, but they are invisible to standard review cycles. Without discovery and entitlement correlation, the organisation may believe it has one application while the business is actually running several access domains with different owners and different blast radii.
Practical implication: correlate app discovery with entitlement and token discovery so shadow SaaS cannot hide behind a clean procurement ledger.
ISO 19770 turns ITAM into a governance system
ISO/IEC 19770 is useful because it frames ITAM as a repeatable management system rather than a one-time inventory project. The standard family covers process, software identification, entitlement data, and resource reporting, which matters when organisations need evidence for audits and internal control testing. From an identity perspective, that evidence should answer three questions: what asset exists, who is entitled to use it, and whether the entitlement still matches current business need. The standard does not replace IAM or NHI governance, but it gives those programmes a structured asset layer to attach to.
Practical implication: align asset records, entitlement records, and audit evidence under one operating model instead of treating them as separate teams.
Threat narrative
Attacker objective: The practical objective is to exploit unmanaged application sprawl and hidden access paths to increase risk, cost, and the likelihood of non-compliance or compromise.
- Entry occurs when employees or departments adopt unapproved software, creating shadow SaaS outside central control and bypassing normal intake checks.
- Escalation follows when the organisation loses visibility into who is using the app, which licences are active, and whether credentials or delegated access are still valid.
- Impact lands as compliance exposure, overspending, and a wider attack surface created by unmanaged applications, stale entitlements, and unknown data locations.
Breaches seen in the wild
- Snowflake breach — compromised Ticketmaster, Santander and others via cloud credential abuse.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
IT asset management is now an identity governance problem, not a procurement back office function. Once SaaS, mobile, and cloud assets can be adopted without central approval, the asset inventory becomes the front line of access control. That means lifecycle visibility, entitlement review, and offboarding have to be designed together, because a discovered application without access ownership is only half governed. The practitioner conclusion is simple: if it can be used, it must be governed.
Shadow SaaS is a control failure, not just a spend issue. Unapproved applications create parallel identity domains with their own tokens, permissions, and data paths, which makes recertification incomplete and offboarding unreliable. This is where ITAM and NHI governance overlap most sharply, because the risk is not merely duplicate licences but unmanaged machine and user access persisting outside policy. Practitioners should treat every unapproved app as a potential identity boundary breach.
Identity surface drift is the right concept for modern ITAM. The organisation no longer manages a fixed asset estate, it manages a shifting surface of devices, subscriptions, APIs, and delegated access. That drift widens whenever discovery lags procurement or when ownership changes are not reflected in access records. The implication is that ITAM metrics must include entitlement freshness, not only asset count and spend.
ISO 19770 is most valuable when it is paired with IAM and NHI controls. Asset standards can structure evidence, but they do not by themselves revoke access, rotate credentials, or retire stale entitlements. The governance lesson is that ITAM should supply the authoritative asset record while IAM and NHI processes enforce the access lifecycle. Practitioners should not confuse reporting completeness with control effectiveness.
Mobile and cloud asset sprawl widens the unmanaged access window. When employees can install apps or provision cloud tools quickly, the business accumulates access paths faster than governance teams can review them. That pace mismatch is why periodic audits alone are insufficient. Practitioners need continuous discovery tied to access review so the inventory reflects reality before the risk becomes visible through an incident.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That is why the NHI Lifecycle Management Guide is the right next resource for teams linking asset lifecycle to access lifecycle.
What this signals
Identity surface drift: ITAM teams should stop measuring success only by inventory completeness and start tracking whether every asset has an access owner and a retirement path. That shift matters because unmanaged applications do not just waste money, they create parallel identity domains that bypass review and offboarding.
With 91.6% of secrets still valid five days after notification, according to the Ultimate Guide to NHIs, lifecycle lag is the real governance issue behind many asset-management failures. The practical response is to tighten closure workflows so asset retirement triggers access revocation, not just record deletion.
Practitioners should align ITAM with identity programmes that already govern zero trust and workload access, including NIST Cybersecurity Framework 2.0. The programme signal to watch is whether unknown apps, stale licences, and orphaned accounts are trending down together.
For practitioners
- Bind each asset to an owner and access model: Require every hardware, software, SaaS, and mobile asset to have a named business owner, an identity owner, and a retirement trigger so the record supports access decisions, not just procurement reporting.
- Correlate asset discovery with entitlement discovery: Link discovered applications to active users, tokens, and service accounts so shadow SaaS cannot hide behind a complete-looking inventory or a low software spend figure.
- Make offboarding remove access, not only dispose of hardware: When an asset leaves service, ensure licences are reclaimed, API keys are revoked, and delegated access is removed before the asset record is closed.
- Use audits to validate identity-linked inventory: Test whether the inventory matches actual usage, then sample whether orphaned apps still have active accounts, stale licences, or unresolved ownership after mover and leaver events.
- Treat shadow SaaS as an access review input: Feed unknown or unmanaged applications into recertification and risk review so the programme can decide whether to approve, contain, or retire them.
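The correlation described in the technical breakdown (app discovery joined to entitlement and token discovery) and the practitioner steps above reduce to a few set operations over two record sources: the ITAM inventory and the identity or NHI entitlement store. The script below is an added illustration written for this post; it is not code from Zluri, NHIMG, or any ITAM product. The inventory and entitlement records, their field names (`business_owner`, `identity_owner`, `last_review`, and so on), the 180-day review window, and the `AS_OF` date are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed ITAM inventory records (hypothetical, not from the original post).
INVENTORY = [
    {"asset_id": "A-100", "app": "crm-suite", "business_owner": "sales-ops",
     "identity_owner": "iam-team", "status": "active"},
    # Retired in ITAM, but see the service account below that still holds access.
    {"asset_id": "A-101", "app": "legacy-bi", "business_owner": "finance",
     "identity_owner": "iam-team", "status": "retired"},
    # Known asset with no named owners: a record that cannot support access decisions.
    {"asset_id": "A-102", "app": "wiki", "business_owner": "",
     "identity_owner": "", "status": "active"},
]

# Constructed entitlement / NHI records as an IAM system or token scanner might export them.
ENTITLEMENTS = [
    {"principal": "alice", "kind": "user", "app": "crm-suite",
     "active": True, "last_review": date(2025, 5, 1)},
    {"principal": "svc-bi-export", "kind": "service_account", "app": "legacy-bi",
     "active": True, "last_review": date(2024, 9, 1)},
    # OAuth grant to an app that has no inventory record at all: shadow SaaS.
    {"principal": "oauth:notetaker-bot", "kind": "oauth_token", "app": "ai-notetaker",
     "active": True, "last_review": None},
    {"principal": "bob", "kind": "user", "app": "wiki",
     "active": True, "last_review": date(2025, 6, 1)},
]

AS_OF = date(2025, 6, 26)      # constructed reporting date
REVIEW_WINDOW_DAYS = 180       # constructed recertification interval


def inventory_index(inventory):
    """Map app name -> inventory record for O(1) joins."""
    return {a["app"]: a for a in inventory}


def find_shadow_saas(inventory, entitlements):
    """Apps with live access but no ITAM record: the inventory is blind to them."""
    known = inventory_index(inventory)
    return sorted({e["app"] for e in entitlements
                   if e["active"] and e["app"] not in known})


def find_orphaned_access(inventory, entitlements):
    """Active entitlements against assets ITAM already marks retired.
    These are closure-workflow failures: the record was closed, the access was not."""
    idx = inventory_index(inventory)
    return [e["principal"] for e in entitlements
            if e["active"] and idx.get(e["app"], {}).get("status") == "retired"]


def find_ownerless_assets(inventory):
    """Assets missing a business owner or an identity owner."""
    return [a["asset_id"] for a in inventory
            if not a["business_owner"] or not a["identity_owner"]]


def find_stale_entitlements(entitlements, as_of, max_age_days=REVIEW_WINDOW_DAYS):
    """Active access never reviewed, or not reviewed inside the window (entitlement freshness)."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [e["principal"] for e in entitlements
            if e["active"] and (e["last_review"] is None or e["last_review"] < cutoff)]


def lifecycle_report(inventory, entitlements, as_of):
    """One identity-linked view of the inventory, suitable as an audit or review input."""
    return {
        "shadow_saas": find_shadow_saas(inventory, entitlements),
        "orphaned_access": find_orphaned_access(inventory, entitlements),
        "ownerless_assets": find_ownerless_assets(inventory),
        "stale_entitlements": find_stale_entitlements(entitlements, as_of),
    }


if __name__ == "__main__":
    for finding, items in lifecycle_report(INVENTORY, ENTITLEMENTS, AS_OF).items():
        print(f"{finding}: {items or 'none'}")
```

Each finding maps to one of the practitioner steps: `shadow_saas` feeds the access review intake, `orphaned_access` shows where offboarding removed the record but not the access, `ownerless_assets` flags records that cannot support access decisions, and `stale_entitlements` is the freshness metric the inventory count alone never exposes. In a real programme the two lists would come from the ITAM export and the IAM or secrets-discovery export, and the report would be run on every retirement and leaver event rather than at audit time.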
Key takeaways
- IT asset management fails when it stops at inventory and never reaches access ownership, entitlement review, and offboarding.
- Shadow SaaS is an identity problem as much as a spend problem, because every unmanaged app can carry users, tokens, and data paths.
- The control that matters most is lifecycle linkage: if an asset is retired, its licences, keys, and delegated access must be removed with it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Asset inventories are central to this ITAM guide. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged SaaS and secrets create NHI governance gaps. |
| NIST CSF 2.0 | PR.AC-1 | Access control is needed when assets have users, tokens, or delegated access. |
Link every asset to access ownership so entitlement review and offboarding happen as part of the same workflow.
Key terms
- Asset Inventory: A structured record of the organisation’s technology assets, including hardware, software, cloud subscriptions, and related ownership data. In practice, the inventory is only useful when it stays current and is tied to lifecycle, access, and retirement decisions rather than treated as a static list.
- Shadow SaaS: Software adopted or used outside approved procurement and governance channels. It creates blind spots because the application, its users, and its data paths may exist without central ownership, making access review, licence control, and offboarding incomplete.
- Identity Surface: The combined set of identities, entitlements, applications, devices, and access paths that must be governed to reduce risk. For NHI and ITAM programmes, the identity surface expands whenever a new application, token, or delegated connection appears without being incorporated into governance.
- Lifecycle Governance: The discipline of managing an asset or identity from creation through use, review, and retirement. It matters because an item that is visible at onboarding can still become risky later if ownership, access, or decommissioning are not maintained end to end.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: IT asset management for hardware, software, cloud, and mobile lifecycle control. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org