ITSM tool governance: what should identity and security teams check?

TL;DR: ITSM tool selection hinges on asset discovery, self-service, integrations, customisation, and automation, because those capabilities determine how well service desks, CMDB data, and incident workflows hold up across changing environments, according to Zluri. The governance question is not feature count but whether the tool can support security, process discipline, and future operational scale.

NHIMG editorial — based on content published by Zluri: IT Teams 4 Key Points To Consider While Buying An ITSM Tool

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should teams choose an ITSM tool that will not create governance debt?

A: Teams should start with mandatory requirements for asset visibility, integration coverage, workflow traceability, and upgrade-safe configuration.

Q: Why do ITSM integrations matter for identity and access governance?

A: Integrations matter because ITSM often sits between service ownership, support workflows, and systems that track configuration or access state.

Q: What breaks when an ITSM platform is heavily customised?

A: Heavy customisation breaks upgradeability, supportability, and long-term consistency.

Practitioner guidance

• Define mandatory governance requirements before scoring features Separate non-negotiable controls from nice-to-have functions, then score each ITSM candidate against requirements for asset traceability, workflow accountability, and integration support.
• Test discovery and CMDB freshness against real operational scenarios Run a live test where assets change state, tickets route, and dependencies shift, then verify that the CMDB reflects the change without manual intervention.
• Prefer configuration over code-level customisation Use supported parameters and workflow settings first, and reserve code changes for exceptional cases with explicit upgrade-risk acceptance.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• A practical breakdown of ITSM feature groups for buyers who need a more complete checklist.
• Expanded discussion of self-service portal, knowledge base, and KCS capabilities.
• More detail on configuration versus customisation trade-offs across tool implementations.
• Additional examples of how automation, CMDB, and incident workflows affect day-to-day IT operations.

👉 Read Zluri's guide to choosing an ITSM tool →

ITSM tool governance: what should identity and security teams check?

Explore further

View Full Forum →  |  NHI Foundation Course →