By NHI Mgmt Group Editorial Team
Published 2026-03-12
Domain: Governance & Risk
Source: Zluri

TL;DR: Software asset management service providers are being positioned as lifecycle, compliance, and cost-control layers for sprawling software estates, with the source article emphasizing discovery, license optimization, monitoring, procurement, and retirement across 10 vendors. The identity lesson is that software lifecycle governance is increasingly inseparable from NHI, access, and shadow IT control, especially where software usage and contractual ownership diverge.


At a glance

What this is: This is a 2026 roundup of software asset management service providers, with a clear emphasis on lifecycle control, license optimisation, compliance, and software stack visibility.

Why it matters: It matters because software asset governance increasingly overlaps with NHI, access reviews, and privilege sprawl, so IAM teams need to treat software inventory as part of identity control.

👉 Read Zluri's roundup of the top software asset management service providers in 2026


Context

Software asset management is the discipline of discovering, tracking, optimising, and retiring software across its lifecycle. In practice, that means visibility into what is installed, who uses it, what it costs, and whether it is still aligned to business need, procurement terms, and security expectations.

For IAM and governance teams, the overlap is obvious: unmanaged software often brings unmanaged access, shadow IT, and stale entitlements. That makes software estate governance a practical extension of NHI lifecycle control, especially where service accounts, integrations, and SaaS sprawl sit outside normal review cadence.


Key questions

Q: How should teams govern software assets that create non-human access paths?

A: Treat the software inventory as part of identity governance. If an application uses service accounts, API keys, tokens, or delegated integrations, then software retirement, renewal, and ownership changes must trigger access review and offboarding steps as well as financial review.

Q: Why do software asset management gaps create identity risk?

A: Because software estates often hold the systems that create or depend on non-human access. If visibility is incomplete, organisations cannot know which credentials, integrations, or entitlements are still active, and that creates both cost leakage and unresolved access exposure.

Q: What breaks when software retirement is not tied to access offboarding?

A: The application may disappear while its credentials, integrations, or delegated access remain live. That leaves dormant identity paths in place after the asset is supposedly gone, which is a common governance failure in both SaaS and NHI environments.

Q: How do teams know whether SAM is actually reducing risk?

A: Look for three signals: a complete software inventory, a lower share of unused entitlements at renewal, and evidence that retired applications no longer have active service credentials or connectors. If those signals are missing, the programme is optimising spend without closing identity exposure.


Technical breakdown

Software discovery and inventory across the estate

Software discovery is the control foundation for SAM because you cannot govern assets you cannot see. In mature environments, discovery combines SSO logs, finance data, API integrations, endpoint agents, and browser telemetry to build a current inventory. That inventory then becomes the basis for license allocation, compliance checks, and retirement decisions. The governance issue is not just count accuracy. It is whether the organisation can distinguish sanctioned software from shadow IT and tie each application back to a business owner, contract, and access pathway.

Practical implication: centralise discovery inputs so software inventory can support both asset governance and identity review.

License optimisation and software usage monitoring

License optimisation is the process of matching purchased entitlements to actual usage so organisations do not pay for dormant or redundant software. Usage monitoring matters because it reveals which applications are heavily used, underused, or no longer needed, which in turn informs renewal decisions and consolidation. This is also where identity signals matter. If usage data says an application is idle but access remains active, the organisation may be carrying cost and exposure at the same time. SAM becomes a governance discipline, not only a procurement exercise.

Practical implication: use usage telemetry and entitlement data together before renewals and recertifications.

Software lifecycle management from procurement to retirement

Lifecycle management in SAM covers onboarding software, renewing contracts, tracking compliance, and retiring applications when they are no longer needed. That lifecycle is often fragmented across procurement, IT, security, and finance, which creates a governance gap when no single team owns end-to-end accountability. The deeper identity issue is that software retirement should also trigger access retirement for integrated accounts, API connections, and delegated credentials. Without that linkage, software can be removed while identity paths remain live, which preserves hidden exposure even after the asset is formally gone.

Practical implication: tie software retirement to access offboarding for any account, token, or integration the application used.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Software asset management is now identity governance by another name. The article describes SAM as a way to control usage, cost, compliance, and retirement, but those same processes now determine whether software-connected identities remain visible and reviewable. When software estates include SaaS apps, APIs, and embedded integrations, asset management becomes part of the identity control plane. Practitioners should treat the software inventory as an identity inventory adjunct, not a finance-only record.

Lifecycle governance fails when procurement and offboarding are not linked. The article repeatedly frames SAM around procurement, renewal, and retirement, which is exactly where governance breaks if access and contracts are managed separately. A retired application with active integrations still leaves a live identity path behind. That is the same failure mode seen in many NHI programmes: ownership ends in one system while access persists in another. Practitioners should align software retirement with credential and entitlement closure.

Shadow IT is a discovery problem before it is a policy problem. Several providers in the article emphasise visibility gaps and unapproved software, which shows the real control issue is incomplete discovery rather than absent rules. If an organisation cannot see the application, it cannot assess licence waste, access exposure, or contractual drift. That makes estate-wide discovery the precondition for both security and cost control. Practitioners should first establish complete inventory coverage, then enforce policy.

Software usage data is a governance signal, not just an optimisation metric. The article presents usage monitoring as a route to cost savings, but the same data also identifies dormant applications, over-provisioned access, and renewal risk. In identity terms, low usage often means the access review process has lost touch with reality. That is especially relevant where software ownership is diffuse and approvals are stale. Practitioners should use usage telemetry to drive recertification and deprovisioning decisions.

Lifecycle Processes for Managing NHIs remain relevant wherever software systems create non-human access paths. When a SaaS application, connector, or automated workflow depends on service credentials, the lifecycle problem extends beyond the application itself. The programme must know which non-human identities were created, why they exist, and when they should be retired. That is the practical boundary between SAM and NHI governance. Practitioners should connect software asset retirement to NHI lifecycle controls.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, showing how quickly one unmanaged identity issue can become repeat exposure.
  • For the broader lifecycle angle, see NHI Lifecycle Management Guide for the offboarding and rotation controls that keep software-connected identities from lingering after retirement.

What this signals

Software asset management is moving closer to identity governance because software visibility, entitlement control, and retirement discipline now determine whether non-human access remains cleanly bounded. With 72% of organisations having experienced or suspected an NHI breach according to the 2024 ESG Report: Managing Non-Human Identities, the programme risk is no longer theoretical.

Identity blast radius: when software retirement does not also retire the identities behind it, exposure survives the application lifecycle. Teams should assume that every unmanaged SaaS record may hide one or more active access paths until proven otherwise.


For practitioners

  • Build a unified software and identity inventory: Combine SaaS discovery, finance records, SSO logs, and API integrations into one inventory so software ownership and access ownership can be reviewed together. This reduces blind spots where an application is visible to procurement but invisible to security.
  • Tie renewal reviews to access reviews: Before every renewal, compare actual usage, contracted licenses, and active entitlements. If usage is low or ownership is unclear, force a recertification step before the contract renews.
  • Offboard credentials when software is retired: When an application is removed or replaced, close any service accounts, API keys, tokens, or integrations that supported it. Retiring the application without retiring its non-human access leaves dormant exposure behind.
  • Separate sanctioned software from unmanaged shadow IT: Create a control process that distinguishes approved applications from unapproved installs or self-provisioned SaaS. Discovery should feed both enforcement and exception handling so hidden software does not become hidden identity risk.
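The reconciliation behind the three signals named under "Key questions" and the practitioner steps above, as an added example that is not code from the page or from Zluri: it joins a software inventory, its attributed non-human credentials and usage telemetry, and flags enabled credentials whose application is missing from the inventory (shadow IT), retired applications that still hold enabled credentials, and upcoming renewals with low seat use or no owner. All records, the 60-day renewal window and the 50% usage threshold are constructed assumptions.

```python
# Added example, not code from the page or from Zluri: reconcile a software
# inventory, its NHI credentials and usage telemetry into the SAM signals
# discussed above. All records are constructed sample data, not real telemetry.
from datetime import date
AS_OF = date(2026, 3, 12)  # constructed review date

# Constructed software inventory: one record per application.
APPS = [
    {"app": "crm-suite", "status": "active", "owner": "sales-ops",
     "renewal": date(2026, 4, 1), "licensed_seats": 200},
    {"app": "legacy-ticketing", "status": "retired", "owner": "it-ops",
     "renewal": None, "licensed_seats": 0},
    {"app": "data-pipeline", "status": "active", "owner": None,
     "renewal": date(2026, 3, 20), "licensed_seats": 50},
]

# Constructed NHI inventory: every credential is attributed to an application.
CREDENTIALS = [
    {"id": "svc-crm-sync", "app": "crm-suite", "state": "enabled"},
    {"id": "key-ticketing-webhook", "app": "legacy-ticketing", "state": "enabled"},
    {"id": "tok-pipeline-ingest", "app": "data-pipeline", "state": "enabled"},
    {"id": "key-unknown-saas", "app": "pdf-converter", "state": "enabled"},
    {"id": "svc-old-ticketing", "app": "legacy-ticketing", "state": "disabled"},
]
USAGE_90D = {"crm-suite": 180, "data-pipeline": 3}  # constructed: active users, last 90 days


def reconcile(apps, credentials, usage, today, window_days=60, min_use=0.5):
    """inventory_gap: enabled credentials whose app is absent from the inventory;
    retired_with_live_nhi: retired apps that still hold enabled credentials;
    renewal_review: apps renewing within window_days with low seat use or no owner."""
    known = {a["app"]: a for a in apps}
    findings = {"inventory_gap": [], "retired_with_live_nhi": [], "renewal_review": []}
    for cred in credentials:
        if cred["state"] != "enabled":
            continue  # already offboarded, nothing left to flag
        app = known.get(cred["app"])
        if app is None:
            findings["inventory_gap"].append(cred["id"])
        elif app["status"] == "retired":
            findings["retired_with_live_nhi"].append(cred["id"])
    for app in apps:
        if app["status"] != "active" or app["renewal"] is None \
                or (app["renewal"] - today).days > window_days:
            continue  # not an upcoming renewal of a live application
        seats = app["licensed_seats"]
        low_use = seats > 0 and usage.get(app["app"], 0) / seats < min_use
        if low_use or app["owner"] is None:
            findings["renewal_review"].append(app["app"])
    return findings
```

Each finding list maps to one owner action: add the application to the inventory, disable the credential, or force recertification before the contract renews.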

Key takeaways

  • Software asset management is increasingly an identity control problem because software ownership, usage, and access now intersect in the same lifecycle.
  • The main governance gap is incomplete discovery, which makes shadow software, stale entitlements, and hidden integrations harder to eliminate.
  • Teams should connect renewal, recertification, and retirement so software exits cleanly and its non-human access exits with it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and credential retirement in SAM map to non-human identity rotation and offboarding.
NIST CSF 2.0 | PR.AC-4 | Access permissions should be reviewed alongside software lifecycle changes and renewals.
NIST Zero Trust (SP 800-207) | AC-4 | Software estate governance supports least-privilege access decisions across connected systems.

Tie software retirement to NHI retirement so credentials, tokens, and integrations do not outlive the application.


Key terms

  • Software Asset Management: Software asset management is the discipline of discovering, controlling, and retiring software across its lifecycle. It combines inventory, licensing, usage, compliance, and procurement oversight so organisations can reduce waste, limit exposure, and keep software ownership aligned to business need.
  • Shadow IT: Shadow IT is software or services adopted outside formal approval and governance channels. In practice, it creates blind spots for security, finance, and identity teams because the organisation may not know what is running, who owns it, or which access paths it depends on.
  • Software Lifecycle Governance: Software lifecycle governance is the management of software from procurement through active use to retirement. It becomes an identity issue when the software creates accounts, tokens, API connections, or delegated access that must be tracked and removed when the software itself is no longer needed.
  • Non-Human Access Path: A non-human access path is any credentialed connection used by software, automation, or integrations rather than a person. It includes service accounts, API keys, tokens, and certificates, and it must be governed as part of both software operations and identity security.

Deepen your knowledge

Software lifecycle governance and non-human access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation is trying to connect software retirement with identity offboarding, it is worth exploring.

This post draws on content published by Zluri: SaaS Management Top 10 Software Asset Management Service Providers in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org