Software asset management and shadow IT: where are controls failing?


(@nhi-mgmt-group)

TL;DR: Unchecked software buying creates shadow IT, license waste, and compliance exposure, according to Zluri’s guide to software asset management best practices. The real issue is governance drift, where procurement, usage tracking, and audit discipline fall out of sync with actual application sprawl.

NHIMG editorial — based on content published by Zluri: IT Teams 8 Software Asset Management Best Practices

By the numbers:

Questions worth separating out

Q: How should security teams control shadow IT in software asset management?

A: Security teams should combine application discovery with business ownership, approval workflows, and periodic reconciliation across procurement and identity systems.

Q: Why do unused software licences create security and governance risk?

A: Unused licences are not only a cost problem.

Q: What breaks when software audits are not tied to identity and procurement data?

A: Audits lose their value when records do not reconcile across systems.

Practitioner guidance

  • Unify software inventory and identity ownership: Map every SaaS application to a business owner, a technical owner, and the identities that can access it.
  • Tie renewals to actual usage evidence: Require usage data before any renewal decision so idle licenses, duplicate tools, and underused subscriptions are visible before contracts auto-renew.
  • Reconcile procurement records with identity data: Compare finance, procurement, directory, and application data sets on a fixed cadence to identify apps that still have active access but no current business justification.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A stepwise SAM policy structure covering software consumption, purchasing, implementation, personnel movement, and licence compliance.
  • More detail on Zluri's nine discovery methods, including how app discovery is stitched across MDM, SSO, finance, and directory sources.
  • Practical examples of usage reporting, underutilised licence detection, and renewal alerts for day-to-day IT operations.
  • A fuller walkthrough of centralised dashboards for spend, true-up costs, and software retirement decisions.

👉 Read Zluri's software asset management best practices guide →
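
An added example, not part of the original post or Zluri's guide: a minimal Python reconciliation of the kind the practitioner guidance describes, joining procurement, ownership and identity exports to flag access without a contract, missing owners, idle access and unused seats ahead of renewal. All data, field names, finding labels and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample exports; field names and values are assumptions.
PROCUREMENT = [  # finance/procurement: contracted apps
    {"app": "crm-suite", "seats": 5, "renewal": date(2025, 9, 1)},
    {"app": "design-tool", "seats": 3, "renewal": date(2025, 7, 15)},
]
OWNERS = {  # inventory: business and technical owner per app
    "crm-suite": {"business": "sales-ops", "technical": "it-apps"},
    "design-tool": {"business": None, "technical": "it-apps"},
}
GRANTS = [  # SSO/directory: (identity, app, last sign-in or None)
    ("alice", "crm-suite", date(2025, 6, 20)),
    ("bob", "crm-suite", date(2025, 1, 5)),
    ("svc-export", "crm-suite", None),
    ("carol", "design-tool", date(2025, 6, 1)),
    ("dave", "file-share-x", date(2025, 6, 25)),
]

def reconcile(procurement, owners, grants, today, idle_days=90):
    contracts = {p["app"]: p for p in procurement}
    access = {}
    for identity, app, last_seen in grants:
        access.setdefault(app, []).append((identity, last_seen))
    findings = []  # list of (app, issue, detail)
    for app in sorted(set(contracts) | set(access)):
        grants_for_app = access.get(app, [])
        contract, owner = contracts.get(app), owners.get(app, {})
        # Active access with no procurement record: candidate shadow IT.
        if grants_for_app and contract is None:
            findings.append((app, "access-without-contract",
                             [i for i, _ in grants_for_app]))
        if not owner.get("business") or not owner.get("technical"):
            findings.append((app, "missing-owner", None))
        # Never signed in, or not seen within the idle window.
        idle = [i for i, seen in grants_for_app
                if seen is None or (today - seen).days > idle_days]
        if idle:
            findings.append((app, "idle-access", idle))
        # Usage evidence for the renewal decision: seats paid vs. seats in use.
        in_use = len(grants_for_app) - len(idle)
        if contract and contract["seats"] > in_use:
            findings.append((app, "unused-seats", {
                "unused": contract["seats"] - in_use, "renewal": contract["renewal"]}))
    return findings

if __name__ == "__main__":
    for finding in reconcile(PROCUREMENT, OWNERS, GRANTS, today=date(2025, 7, 1)):
        print(finding)
```

Identities that have never signed in, such as the constructed `svc-export` account, are counted as idle so that non-human access with no usage evidence is reviewed rather than silently renewed.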
