By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: Unchecked software buying creates shadow IT, license waste, and compliance exposure, according to Zluri’s guide to software asset management best practices. The real issue is governance drift, where procurement, usage tracking, and audit discipline fall out of sync with actual application sprawl.


At a glance

What this is: This is a guide to software asset management best practices, focused on controlling software sprawl, shadow IT, licensing, budgeting, and audit readiness.

Why it matters: It matters because software sprawl is also an identity governance problem when untracked apps, vendors, and renewals create unmanaged access paths, compliance gaps, and security blind spots across IAM, NHI, and lifecycle processes.



Context

Software asset management is the discipline of knowing what software exists, who uses it, what it costs, and whether it is authorised. In identity programmes, that same inventory problem shows up as shadow IT, unmanaged SaaS, and forgotten access paths that no review cycle can reliably clean up later.

The article frames SAM as a control problem, not just a cost problem. Once software usage, procurement, renewals, and audits drift apart, organisations lose the ability to prove governance, enforce least privilege, or tie application access back to ownership and lifecycle accountability.


Key questions

Q: How should security teams control shadow IT in software asset management?

A: Security teams should combine application discovery with business ownership, approval workflows, and periodic reconciliation across procurement and identity systems. Shadow IT becomes manageable only when unapproved apps are visible quickly enough to assign accountability, validate risk, or remove access before the software estate fragments further.

Q: Why do unused software licences create security and governance risk?

A: Unused licences are not only a cost problem. They signal weak inventory discipline, which often means dormant access, stale integrations, and unclear ownership are present too. When governance cannot prove who is using an application and why, renewal and access decisions become guesswork instead of control.

Q: What breaks when software audits are not tied to identity and procurement data?

A: Audits lose their value when records do not reconcile across systems. Teams cannot confidently say what software is approved, who owns it, or whether access should still exist. The result is delayed remediation, inaccurate budgeting, and compliance evidence that is hard to defend under scrutiny.

Q: Who should be accountable for software renewal and retirement decisions?

A: Accountability should sit with the business owner and the technical owner together, with procurement and security providing evidence. That structure prevents renewals from happening by default and ensures that software retirement also includes access cleanup, integration removal, and contract closure.


Technical breakdown

Software sprawl and shadow IT create an unauthorised access surface

Software sprawl happens when organisations accumulate overlapping apps, subscriptions, and plugins without a reliable inventory. Shadow IT is the behavioural outcome: employees adopt software outside formal approval channels, often to solve immediate workflow problems. The security issue is not only cost waste. Each unmanaged application expands the number of accounts, permissions, integrations, and third-party data paths that IAM and security teams must govern. When the inventory is incomplete, access reviews and vendor reviews become retrospective guesses rather than control points.

Practical implication: connect app discovery to identity governance so unapproved applications cannot remain outside review, ownership, and offboarding workflows.

License usage analytics are the control layer behind renewal decisions

License categorisation only works when usage data is reliable enough to distinguish active, inactive, redundant, and over-assigned entitlements. Without that evidence, procurement decisions rely on vendor contracts rather than actual consumption. In practice, usage analytics should inform renewal timing, seat reduction, reassignment, and retirement decisions. This is where SAM becomes a governance mechanism rather than a spreadsheet exercise. The same logic applies to identity access: if usage is not visible, entitlement is not measurable, and risk cannot be right-sized.

Practical implication: require usage evidence before renewals so licence decisions reflect real consumption, not contractual inertia.

Regular audits turn software inventory into governance evidence

Audits are the mechanism that tests whether software inventory, licensing, and procurement records still match reality. In a mature SAM model, audits are not just compliance events. They reveal duplicated tools, dormant subscriptions, expired approvals, and contract terms that no longer reflect business use. The technical value is in reconciliation across systems of record: finance, procurement, directory data, endpoint discovery, and application logs. That same reconciliation principle is foundational in identity governance, because what cannot be reconciled cannot be certified with confidence.

Practical implication: run recurring reconciliation across procurement, endpoint, and identity data before external audits force the issue.


Threat narrative

Attacker objective: The objective is to exploit unmanaged software and hidden access paths to create cost waste, compliance exposure, and security blind spots.

  1. Entry begins when employees adopt unapproved software or SaaS tools outside IT and procurement review, creating an unseen application layer.
  2. Escalation occurs when those apps retain dormant licenses, stale integrations, or unreviewed vendor access that broadens exposure beyond intended use.
  3. Impact follows as wasted spend, compliance gaps, and security blind spots accumulate across the software estate, making governance and audit readiness harder to prove.



NHI Mgmt Group analysis

Software asset management is now an identity governance problem, not just a procurement discipline. Once software sprawl creates untracked applications, the organisation no longer has a clean inventory of where access exists or who owns it. That breaks the assumptions behind reviews, renewals, and offboarding because the control plane starts with incomplete data. The practical conclusion is that SAM and identity governance have to be aligned as one lifecycle discipline.

Shadow IT is the named concept that best explains why software sprawl becomes security debt. Shadow IT is not only about unsanctioned apps. It is about unsanctioned access paths, where business users create new operational dependencies faster than IT can assign ownership, policy, or oversight. Once that happens, licence management and access governance are solving different versions of the same inventory problem. Practitioners need to treat discovery as a governance prerequisite, not a reporting feature.

License visibility and entitlement visibility are converging control requirements. The article’s core message is that organisations cannot manage what they cannot see, whether the asset is an application licence or an access entitlement. That is why software asset management, NHI discovery, and access certification increasingly depend on the same reconciliation model. The practitioner takeaway is that inventory quality now determines both financial control and identity control.

Vendor lifecycle management is the hidden hinge between software sprawl and access risk. When procurement, renewal, and retirement are not tied to account revocation and integration cleanup, software continues to exist after the business need has ended. That means the real failure is not just overspending but access persistence after value has expired. The conclusion for teams is to unify vendor offboarding with application and entitlement deprovisioning.

Audit readiness depends on proving that software and identity records reconcile to the same reality. Software asset management only becomes defensible when licence records, inventory data, and access data agree. If those records diverge, the organisation cannot reliably show who has access, what is approved, or what should be removed. Practitioners should treat reconciliation as the core governance output, not a back-office cleanup task.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations, including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly identity and access cleanup can lag behind discovery.
  • That lifecycle gap is explored further in the NHI Lifecycle Management Guide, which is the better next resource for teams aligning retirement, rotation, and offboarding.

What this signals

Shadow IT becomes a lifecycle problem as soon as software ownership is unclear. The practical signal for practitioners is not the number of apps alone, but whether every application can be tied to an owner, a renewal decision, and an access revocation path. Without that chain, application sprawl turns into entitlement sprawl and audit friction.

The organisations that will struggle most are the ones that treat SAM as a finance workflow instead of an identity control. When procurement, directory data, and app discovery are not reconciled together, teams can neither prove governance nor remove access with confidence. That is where software waste becomes security debt.

The broader pattern is that inventory quality now sets the ceiling for governance maturity. If your programme cannot maintain a current view of software, it will also struggle to maintain a current view of who or what can still use it.


For practitioners

  • Unify software inventory and identity ownership: Map every SaaS application to a business owner, a technical owner, and the identities that can access it. Remove applications from the approved estate if no accountable owner can be assigned.
  • Tie renewals to actual usage evidence: Require usage data before any renewal decision so idle licences, duplicate tools, and underused subscriptions are visible before contracts auto-renew.
  • Reconcile procurement records with identity data: Compare finance, procurement, directory, and application data sets on a fixed cadence to identify apps that still have active access but no current business justification.
  • Extend offboarding to software and access cleanup: When a tool is retired, revoke accounts, remove integrations, and close vendor relationships in the same workflow so software does not outlive its authorised purpose.
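As an added example (not code from Zluri or NHIMG), the reconciliation described in the technical breakdown and in the practitioner steps above, run over constructed procurement, identity, and usage records; every record layout, app name, and account name is an assumption:

```python
from datetime import date, timedelta
TODAY = date(2025, 6, 26)  # constructed reconciliation date for the sample below
# Constructed sample data, not from Zluri or NHIMG; the record layouts are assumptions.
# Procurement/finance: app -> seats bought, business owner, renewal date.
PROCUREMENT = {
    "crm":    {"seats": 50,  "owner": "sales-lead",   "renewal": date(2025, 7, 15)},
    "wiki":   {"seats": 200, "owner": None,           "renewal": date(2025, 9, 1)},
    "old-bi": {"seats": 20,  "owner": "finance-lead", "renewal": date(2025, 7, 5)},
}
# Identity system: app -> accounts (human and service) that currently hold access.
ACCESS = {
    "crm":       {"alice", "bob", "svc-crm-sync"},
    "wiki":      {"alice", "bob", "carol"},
    "old-bi":    {"dave"},
    "notetaker": {"erin", "svc-notetaker"},  # never passed through procurement
}
# Usage evidence (SSO or app logs): app -> account -> last sign-in date.
LAST_SEEN = {
    "crm":       {"alice": date(2025, 6, 25), "bob": date(2025, 6, 20), "svc-crm-sync": date(2025, 6, 26)},
    "wiki":      {"alice": date(2025, 6, 24), "bob": date(2025, 3, 1)},  # carol never signed in
    "old-bi":    {"dave": date(2025, 1, 10)},
    "notetaker": {"erin": date(2025, 6, 26)},
}

def reconcile(procurement, access, last_seen, today, idle_days=30, renewal_window=30):
    # Join the three systems of record and emit one finding per governance gap.
    findings = []
    for app in sorted(set(procurement) | set(access)):
        accounts = access.get(app, set())
        record = procurement.get(app)
        if record is None:  # access exists but procurement never saw the app: shadow IT
            findings.append({"app": app, "type": "shadow_it", "detail": sorted(accounts)})
            continue
        if record["owner"] is None:  # nobody accountable for renewal or retirement
            findings.append({"app": app, "type": "no_owner", "detail": None})
        seen = last_seen.get(app, {})
        active = {a for a in accounts if a in seen and (today - seen[a]).days <= idle_days}
        dormant = sorted(accounts - active)
        if dormant:  # entitlements with no recent usage evidence
            findings.append({"app": app, "type": "dormant_access", "detail": dormant})
        if record["renewal"] - today <= timedelta(days=renewal_window):
            usage = {"seats": record["seats"], "active_users": len(active)}  # bought vs in use
            findings.append({"app": app, "type": "renewal_review", "detail": usage})
    return findings

def findings_by_type(findings):  # group apps per finding type, one list per owner
    grouped = {}
    for f in findings:
        grouped.setdefault(f["type"], []).append(f["app"])
    return grouped
```

With the sample data, the app present in the identity system but absent from procurement surfaces as shadow IT, the unowned app and the accounts with no recent sign-ins are listed for their owners, and the two renewals inside the 30-day window show purchased seats next to accounts actually in use.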

Key takeaways

  • Software asset management fails when inventory, ownership, and access data are managed separately.
  • Shadow IT is not only a software procurement issue. It is an identity governance blind spot that expands risk and weakens auditability.
  • The fastest governance gains come from reconciling discovery, renewal, and offboarding into one lifecycle workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OV-01 | SAM governance depends on oversight of software inventory and ownership.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Unapproved software expands access paths that zero trust must continuously verify.
OWASP Non-Human Identity Top 10 | NHI-03 | Software sprawl often hides machine credentials and integrations that need lifecycle control.

Establish recurring governance reviews that reconcile software inventory with ownership and approved use.


Key terms

  • Software Asset Management: Software asset management is the process of tracking software from purchase through use, renewal, and retirement. In practice it combines inventory, licensing, ownership, and audit evidence so organisations can control cost, compliance, and access risk across the software estate.
  • Shadow IT: Shadow IT is software or SaaS adopted outside formal IT approval and oversight. It creates governance blind spots because the organisation may not know who owns the app, what data it handles, or which identities and integrations still have access to it.
  • Software Sprawl: Software sprawl is the accumulation of overlapping, redundant, or underused applications across an organisation. It becomes a governance problem when the volume of apps outpaces the ability to assign ownership, review access, and retire software cleanly.
  • Renewal Governance: Renewal governance is the decision process that determines whether a software subscription should be renewed, reduced, or retired. It depends on reliable usage evidence, business ownership, and access cleanup so contracts do not renew by default.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: "IT Teams 8 Software Asset Management Best Practices".

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org