TL;DR: IT asset management is framed as a lifecycle discipline for hardware, software, cloud apps, mobile devices, and licenses, with Zluri arguing that central inventory, audits, and policy controls reduce compliance, cost, and security risk. The real governance issue is that unmanaged SaaS and shadow IT blur asset ownership, lifecycle visibility, and access control, making identity-linked inventory the operational baseline.
NHIMG editorial — based on content published by Zluri: IT asset management for hardware, software, cloud, and mobile lifecycle control
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when IT asset management does not include access governance?
A: The inventory may still look complete, but the organisation loses control over who can use each application, token, or device.
Q: Why do shadow SaaS apps increase security and compliance risk?
A: Shadow SaaS creates parallel access domains that bypass procurement, review, and offboarding.
Q: How do security teams know if ITAM is actually improving governance?
A: Look for evidence that discovered assets are mapped to owners, active entitlements, and closure actions.
Practitioner guidance
- Bind each asset to an owner and access model: Require every hardware, software, SaaS, and mobile asset to have a named business owner, an identity owner, and a retirement trigger so the record supports access decisions, not just procurement reporting.
- Correlate asset discovery with entitlement discovery: Link discovered applications to active users, tokens, and service accounts so shadow SaaS cannot hide behind a complete-looking inventory or a low software spend figure.
- Make offboarding remove access, not only dispose of hardware: When an asset leaves service, ensure licences are reclaimed, API keys are revoked, and delegated access is removed before the asset record is closed.
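The three checks above can be run as one correlation pass over an inventory export and an entitlement export. The following is an added example, not code from Zluri or NHIMG; the record schema, field names, and sample data are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data; the schema is hypothetical, not any ITAM product's format.
INVENTORY = [
    {"asset": "crm-saas", "business_owner": "sales-ops", "identity_owner": "iam-team",
     "retire_on": date(2026, 1, 31), "status": "active"},
    {"asset": "ci-runner", "business_owner": "platform", "identity_owner": None,
     "retire_on": None, "status": "active"},
    {"asset": "old-wiki", "business_owner": "it", "identity_owner": "iam-team",
     "retire_on": date(2024, 6, 30), "status": "retired"},
]
# What entitlement discovery observed in use: users, tokens, service accounts.
ENTITLEMENTS = [
    {"asset": "crm-saas", "principal": "alice", "kind": "user"},
    {"asset": "ci-runner", "principal": "svc-deploy", "kind": "service_account"},
    {"asset": "old-wiki", "principal": "wiki-export-key", "kind": "api_key"},
    {"asset": "notes-app", "principal": "bob", "kind": "user"},
]

# Fields every record needs before it can support an access decision.
REQUIRED = ("business_owner", "identity_owner", "retire_on")

def governance_gaps(inventory, entitlements):
    """Return sorted (asset, finding) tuples where inventory and access disagree."""
    by_asset = {rec["asset"]: rec for rec in inventory}
    live = {}
    for ent in entitlements:
        live.setdefault(ent["asset"], []).append(f'{ent["kind"]}:{ent["principal"]}')
    findings = set()
    for name, rec in by_asset.items():
        # Check 1: owner, identity owner, and retirement trigger must all be set.
        missing = [field for field in REQUIRED if not rec.get(field)]
        if missing:
            findings.add((name, "missing " + ",".join(missing)))
        # Check 3: a closed asset record must not still have usable access.
        if rec["status"] == "retired" and name in live:
            findings.add((name, "retired with live access: " + ",".join(sorted(live[name]))))
    # Check 2: access observed on something the inventory does not know about.
    for name in live:
        if name not in by_asset:
            findings.add((name, "shadow: in use but not in inventory"))
    return sorted(findings)

if __name__ == "__main__":
    for asset, finding in governance_gaps(INVENTORY, ENTITLEMENTS):
        print(f"{asset}: {finding}")
```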
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step ITAM lifecycle process guidance from registration through retirement
- Specific feature descriptions for asset discovery, licence oversight, and CMDB-driven inventory management
- Practical software selection considerations for teams comparing ITAM tooling
- Examples of how ITAM workflows support SaaS governance and internal controls
IT asset management and shadow SaaS - what IAM teams miss?
Explore further
IT asset management is now an identity governance problem, not a procurement back-office function. Once SaaS, mobile, and cloud assets can be adopted without central approval, the asset inventory becomes the front line of access control. That means lifecycle visibility, entitlement review, and offboarding have to be designed together, because a discovered application without access ownership is only half governed. The practitioner conclusion is simple: if it can be used, it must be governed.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should be accountable when an unapproved application creates exposure?
A: Accountability should sit with the business owner of the application, the ITAM function that maintains the inventory, and the identity team that controls access. If any one of those is missing, the organisation loses end-to-end lifecycle control. Standards such as ISO/IEC 19770 help define the asset layer, but accountability must also cover access and offboarding.