By NHI Mgmt Group Editorial Team | Published 2026-05-19 | Domain: Governance & Risk | Source: Zluri

TL;DR: IT asset management software is increasingly being used as a control point for inventory, lifecycle, and compliance, but Zluri’s analysis shows the same asset sprawl that complicates hardware and software tracking also exposes identity relationships, dormant accounts, and shadow AI. That makes asset management a governance problem as much as an operations one.


At a glance

What this is: A vendor-curated ranking of IT asset management tools, with the key finding that modern ITAM has become tightly intertwined with identity governance, visibility, and lifecycle control.

Why it matters: Asset inventories now include human identities, service accounts, and AI-linked access paths, so IAM, NHI, and governance teams need shared visibility rather than separate control planes.



Context

IT asset management has shifted from counting hardware and licenses to governing a much broader identity surface. In practice, the same inventories that track laptops, SaaS apps, and cloud services also reveal who and what can access those assets, which is where identity governance becomes part of asset management.

Zluri’s article treats ITAM as an efficiency problem, but the operational reality is that asset sprawl and identity sprawl now overlap. When organisations cannot accurately see assets, entitlements, and activity together, they lose the ability to distinguish legitimate access from stale or risky access across human, NHI, and AI-linked workflows.


Key questions

Q: How should teams connect IT asset management with identity governance?

A: Teams should treat IT asset data as an input to identity governance, not as a separate management island. The useful linkage is between assets, owners, entitlements, and activity. That lets security teams detect stale access, orphaned accounts, and unmanaged integrations before they become audit or breach issues. The critical anchor is the identity relationship, not the asset record alone.

Q: Why do asset inventories fail to reduce access risk on their own?

A: Asset inventories show what exists, but they do not prove who can use it, how long access has existed, or whether the access is still justified. Risk remains when a retired app, device, or contract still has live credentials attached. That is why access lifecycle controls must run alongside asset lifecycle management.

Q: What do organisations get wrong about ITAM and compliance?

A: They often assume accurate inventory is the same as control. In practice, audit readiness depends on whether entitlements, ownership, and offboarding are tied to the asset record. Without that, compliance evidence may look complete while dormant access, shadow integrations, and unrevoked credentials continue to exist.

Q: How can security teams handle shadow AI in asset governance?

A: Security teams should classify shadow AI as part of the identity surface because many AI apps and features carry access to data, files, or workflows. The practical step is to map ownership and permissions, then decide whether the tool belongs in approved inventory or must be removed from use. Discovery without governance is only partial visibility.


Technical breakdown

Why ITAM and identity visibility now overlap

Traditional IT asset management records what an organisation owns, where it sits, and when it should be retired. That model breaks down once access is tied to the asset itself, because the more important question becomes who or what can interact with it. Identity visibility platforms connect asset data to entitlement and activity data, which turns inventory into governance evidence. That matters for SaaS, cloud, endpoint, and application access alike, because the asset list alone does not show whether access is dormant, over-provisioned, or shadowed by unmanaged identities.

Practical implication: treat ITAM data as a source for identity governance, not as a complete control by itself.

Asset lifecycle management does not equal access lifecycle management

IT asset lifecycle management covers procurement, assignment, maintenance, and disposal. Access lifecycle management covers provisioning, review, rotation, and offboarding. Those are related but not interchangeable. An organisation can retire a device or delete an asset record while the associated accounts, keys, or integrations continue to exist. That is the governance gap. The asset is gone, but the identity path remains live, which is how stale access survives long after the operational object it belonged to has changed status.

Practical implication: align asset retirement workflows with entitlement revocation, credential rotation, and offboarding checks.

Shadow AI and hidden identity relationships inside asset inventories

The article’s mention of AI apps points to a broader issue: asset tools increasingly need to surface not just software presence but the identities and permissions attached to it. Shadow AI is often invisible because it appears as an approved application, browser extension, or workflow integration rather than a discrete security event. Once connected to business data, those tools become identity dependencies. The technical problem is not only discovery, but mapping the access paths that make unmanaged tools dangerous.

Practical implication: inventory tools should be paired with controls that continuously map app-to-identity relationships and flag unauthorized integrations.




NHI Mgmt Group analysis

ITAM is no longer just an operations discipline; it is an identity governance input. The vendor’s framing is useful only if practitioners recognize that asset visibility now feeds access control, lifecycle management, and audit readiness. When organisations treat ITAM as a standalone inventory problem, they miss the identity relationships hidden behind devices, SaaS apps, and integrations. The implication is that governance teams need a shared asset-identity model, not separate registers.

Shadow access is the real blind spot inside modern asset inventories. A complete asset list still does not tell you whether the linked identities are dormant, over-privileged, or unmanaged. That matters because the control failure is usually not the absence of an asset record, but the presence of access that outlives the asset’s intended use. Practitioners should treat unresolved access paths as a first-class governance defect.

Identity surface management is a better-named concept than ITAM alone. ITAM describes the catalog; identity surface management describes the combined space where assets, entitlements, and activity intersect. That concept is increasingly useful because it captures how human users, service accounts, and AI-linked access all converge on the same operational assets. Practitioners should design governance around that combined surface.

Lifecycle governance has become the deciding control plane for both assets and identities. Procurement without deprovisioning, inventory without entitlement review, and disposal without offboarding all create the same failure pattern: access persists after business need ends. The governance question is no longer whether assets are tracked, but whether their associated identities are retired with them. Practitioners should align ITAM and IAM lifecycle checkpoints.

Zero Trust only becomes credible when asset truth and identity truth match. The article’s focus on audit preparation and centralized records points to a deeper control requirement: continuous verification depends on knowing what exists and who can use it. That is why the NHI and IAM conversation cannot be separated from ITAM. Practitioners should use asset programs to strengthen trust decisions, not just reporting.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • That is why the NHI Lifecycle Management Guide is relevant when ITAM and identity governance start to overlap.

What this signals

Identity surface management: ITAM programmes are becoming useful to security only when they map assets to identities, entitlements, and activity, not when they simply count devices or software. That is the governance shift practitioners should expect as inventory tools are pulled into IAM, NHI, and audit workflows.

The operational signal is that disconnected lifecycle processes will keep producing hidden access. When inventory, provisioning, rotation, and offboarding are managed separately, organisations create blind spots that neither ITAM nor IAM can resolve alone. The practical response is to align asset review cycles with identity review cycles and use the NIST Cybersecurity Framework 2.0 as a common governance language.


For practitioners

  • Map asset records to identity relationships: Join ITAM data with entitlement, activity, and ownership data so every critical asset also shows the humans, service accounts, and integrations attached to it.
  • Tie disposal workflows to offboarding checks: Require confirmation that linked accounts, API keys, tokens, and SaaS integrations are revoked before an asset is retired or reassigned.
  • Flag orphaned and dormant access during inventory reviews: Use inventory refresh cycles to surface access paths that remain active after a device, application, or contract changes state.
  • Add shadow AI to asset governance scope: Treat unmanaged AI apps and embedded AI features as identity-bearing assets that need discovery, ownership, and access review.
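
The reconciliation these four steps describe, and the asset-versus-access lifecycle gap from the technical breakdown, can be sketched as a join between an asset inventory and an entitlement export. This is an added example, not code from Zluri or NHI Mgmt Group; the record fields, finding names, and the 90-day dormancy threshold are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample records; field names are assumptions, not a real ITAM/IAM schema.
ASSETS = [
    {"asset_id": "saas-crm", "status": "active", "owner": "alice"},
    {"asset_id": "laptop-0412", "status": "retired", "owner": "bob"},
    {"asset_id": "ci-runner", "status": "active", "owner": None},
]
ENTITLEMENTS = [
    {"identity": "alice", "asset_id": "saas-crm", "last_used": date(2026, 5, 10)},
    {"identity": "svc-export", "asset_id": "saas-crm", "last_used": date(2025, 11, 2)},
    {"identity": "bob-vpn-cert", "asset_id": "laptop-0412", "last_used": date(2026, 1, 15)},
    {"identity": "deploy-token", "asset_id": "ci-runner", "last_used": date(2026, 5, 18)},
    {"identity": "ai-notetaker", "asset_id": "ai-notes", "last_used": date(2026, 5, 17)},
]

def reconcile(assets, entitlements, today, dormant_days=90):
    """Join entitlements to asset records; return (identity, asset_id, finding) tuples."""
    by_id = {a["asset_id"]: a for a in assets}
    findings = []
    for e in entitlements:
        asset = by_id.get(e["asset_id"])
        if asset is None:
            # Access exists to something the inventory never recorded (e.g. shadow AI).
            findings.append((e["identity"], e["asset_id"], "asset_not_in_inventory"))
            continue
        if asset["status"] == "retired":
            # The asset record was closed but the identity path is still live.
            findings.append((e["identity"], e["asset_id"], "access_outlives_asset"))
        if not asset["owner"]:
            findings.append((e["identity"], e["asset_id"], "asset_has_no_owner"))
        if (today - e["last_used"]).days > dormant_days:
            findings.append((e["identity"], e["asset_id"], "dormant_access"))
    return findings

def retirement_blockers(asset_id, entitlements):
    """Identities that must be revoked before the asset is retired or reassigned."""
    return sorted(e["identity"] for e in entitlements if e["asset_id"] == asset_id)

if __name__ == "__main__":
    for row in reconcile(ASSETS, ENTITLEMENTS, today=date(2026, 5, 19)):
        print(*row, sep="\t")
```

A disposal workflow would refuse to close the asset record while `retirement_blockers` returns a non-empty list.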

Key takeaways

  • IT asset management is now part of the identity governance problem because assets, entitlements, and activity are increasingly inseparable.
  • A complete inventory does not equal secure access, because dormant, orphaned, and over-privileged identities can survive asset changes.
  • Practitioners should align ITAM with lifecycle governance so disposal, deprovisioning, and review happen as one control motion.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and lifecycle control matter when asset records outlive access. |
| NIST CSF 2.0 | PR.AC-1 | Access control depends on knowing which identities can reach each asset. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification across assets and identities. |

Map asset inventories to identity ownership and access rights, then reconcile them during reviews.


Key terms

  • Identity Surface Management: Identity surface management is the practice of treating assets, entitlements, activity, and ownership as one connected control area. It goes beyond counting hardware or software and asks who or what can reach each asset, how that access is justified, and when it should be removed.
  • Shadow AI: Shadow AI is the use of AI applications, embedded AI features, or AI-linked workflows that exist outside formal governance. In identity terms, it matters because these tools often carry access to data, files, and services, which makes them part of the organisation’s identity surface.
  • Access Lifecycle Management: Access lifecycle management is the set of controls that governs how access is created, reviewed, rotated, and removed over time. It applies to humans, service accounts, tokens, and other non-human identities, and it becomes critical when assets are reassigned, retired, or repurposed.


This post draws on content published by Zluri: IT Teams Top 20 IT Asset Management Software for 2026. Read the original.
