TL;DR: IT asset management is framed as a lifecycle discipline for hardware, software, cloud apps, mobile devices, and licenses, with Zluri arguing that central inventory, audits, and policy controls reduce compliance, cost, and security risk. The real governance issue is that unmanaged SaaS and shadow IT blur asset ownership, lifecycle visibility, and access control, making identity-linked inventory the operational baseline.
NHIMG editorial — based on content published by Zluri: IT asset management for hardware, software, cloud, and mobile lifecycle control
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when IT asset management does not include access governance?
A: The inventory may still look complete, but the organisation loses control over who can use each application, token, or device.
Q: Why do shadow SaaS apps increase security and compliance risk?
A: Shadow SaaS creates parallel access domains that bypass procurement, review, and offboarding.
Q: How do security teams know if ITAM is actually improving governance?
A: Look for evidence that discovered assets are mapped to owners, active entitlements, and closure actions.
Practitioner guidance
- Bind each asset to an owner and access model: Require every hardware, software, SaaS, and mobile asset to have a named business owner, an identity owner, and a retirement trigger so the record supports access decisions, not just procurement reporting.
- Correlate asset discovery with entitlement discovery: Link discovered applications to active users, tokens, and service accounts so shadow SaaS cannot hide behind a complete-looking inventory or a low software spend figure.
- Make offboarding remove access, not only dispose of hardware: When an asset leaves service, ensure licences are reclaimed, API keys are revoked, and delegated access is removed before the asset record is closed.
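The three checks above can be run as one reconciliation between an asset inventory and an entitlement export. The following is an added example, not code from Zluri or from the original post; the record fields, status values, and sample data are constructed assumptions.

```python
# Constructed sample data; field names are assumptions, not a vendor schema.
ASSETS = [
    {"id": "crm", "type": "saas", "business_owner": "sales-ops",
     "identity_owner": "iam-team", "retirement_trigger": "contract-end",
     "status": "active"},
    {"id": "laptop-0042", "type": "hardware", "business_owner": "finance",
     "identity_owner": "", "retirement_trigger": "36-months",
     "status": "active"},
    {"id": "legacy-wiki", "type": "saas", "business_owner": "eng",
     "identity_owner": "iam-team", "retirement_trigger": "migration-done",
     "status": "retired"},
]
ENTITLEMENTS = [
    {"principal": "alice", "kind": "user", "asset": "crm", "active": True},
    {"principal": "svc-export", "kind": "service_account",
     "asset": "legacy-wiki", "active": True},
    {"principal": "bob", "kind": "user", "asset": "legacy-wiki", "active": False},
    {"principal": "tok-7f", "kind": "token", "asset": "file-share-x", "active": True},
]
REQUIRED = ("business_owner", "identity_owner", "retirement_trigger")


def audit(assets, entitlements):
    """Return sorted (asset_id, issue, detail) findings."""
    by_id = {a["id"]: a for a in assets}
    findings = set()
    # Check 1: every record needs both owners and a retirement trigger.
    for a in assets:
        for field in REQUIRED:
            if not (a.get(field) or "").strip():
                findings.add((a["id"], "missing_field", field))
    for e in entitlements:
        if not e["active"]:
            continue
        asset = by_id.get(e["asset"])
        who = f'{e["kind"]}:{e["principal"]}'
        if asset is None:
            # Check 2: live access to something the inventory does not know.
            findings.add((e["asset"], "shadow_asset", who))
        elif asset["status"] == "retired":
            # Check 3: record closed while access is still active.
            findings.add((asset["id"], "retired_with_access", who))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSETS, ENTITLEMENTS):
        print(*finding, sep="\t")
```

Each finding names the asset, the failed check, and the principal or field involved, which gives the closure action an owner to route to.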
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step ITAM lifecycle process guidance from registration through retirement
- Specific feature descriptions for asset discovery, licence oversight, and CMDB-driven inventory management
- Practical software selection considerations for teams comparing ITAM tooling
- Examples of how ITAM workflows support SaaS governance and internal controls