A clear signal is when onboarding, offboarding, and audit preparation all depend on searching multiple files, emails, and notes to reconstruct the current state. If teams cannot answer who approved access or whether revocation happened without manual reconciliation, the control has already failed operationally.
Why This Matters for Security Teams
Spreadsheet-based asset tracking often looks adequate until the first real audit, incident, or access review forces teams to prove what exists, who owns it, and whether it is still in use. The problem is not the spreadsheet format itself, but the false sense of control that emerges when records drift away from operational reality. The NIST Cybersecurity Framework 2.0 treats asset visibility and governance as continuous activities, not periodic cleanups.
For NHI-heavy environments, the risk compounds quickly because secrets, service accounts, API keys, and machine credentials change faster than a file can be maintained. NHIMG research on the State of Secrets in AppSec shows how fragmented secrets management undermines centralized control, and the same pattern appears in asset inventories that depend on manual updates. Once multiple owners maintain separate copies, the inventory stops being a control and becomes documentation of past intent.
In practice, many security teams discover the failure only after they cannot reconcile an asset list against production access or post-incident forensics, rather than through intentional control testing.
How It Works in Practice
Teams usually know the tracking process is failing when the spreadsheet no longer supports the decisions it is supposed to inform. A healthy inventory should answer three questions quickly: what exists, who is responsible, and what changed since last review. When those answers require email archaeology, side conversations, and manual cross-checking, the process has become dependent on human memory instead of authoritative data.
Operationally, failure shows up in predictable ways:
- New assets are added late or not at all because onboarding depends on reminders instead of system triggers.
- Retired assets remain listed because offboarding is not tied to deletion, revocation, or decommissioning evidence.
- Audit requests require reconciling multiple versions of the same file, which means there is no single source of truth.
- Ownership fields are stale, so nobody can approve changes or confirm compensating controls.
Security teams should compare the spreadsheet against authoritative sources such as cloud inventories, identity systems, CMDB data, or secrets platforms. That comparison should be automated where possible, because manual sampling only proves the sheet is incomplete at a point in time. The DeepSeek breach is a useful reminder that exposed or unmanaged records often reveal far more than intended, including credentials and backend access paths. When asset records cannot be validated against operational systems, the tracking control is already lagging behind reality. These controls tend to break down when asset creation and deletion are distributed across multiple teams because no single workflow enforces timely reconciliation.
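The comparison described above, as an added example that is not part of the original article: a small reconciliation check that diffs an exported tracking spreadsheet against what an authoritative source (cloud IAM, a secrets platform, a CMDB export) reports, and sorts the drift into the failure modes listed earlier. Both data sets, the asset names, and the 90-day review window are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample: the team's tracking spreadsheet, exported as CSV.
SHEET_CSV = """asset_id,type,owner,status,last_reviewed
svc-billing,service_account,alice,active,2024-01-15
key-ci-deploy,api_key,bob,active,2023-06-01
svc-legacy-etl,service_account,carol,active,2023-11-20
"""

# Constructed sample: what the authoritative system of record currently reports.
AUTHORITATIVE = {
    "svc-billing": {"type": "service_account", "owner": "alice"},
    "key-ci-deploy": {"type": "api_key", "owner": "dave"},   # owner changed; the sheet is stale
    "key-new-ingest": {"type": "api_key", "owner": "erin"},  # created but never onboarded to the sheet
    # svc-legacy-etl was deleted upstream but is still listed in the sheet
}

def load_sheet(csv_text):
    """Index the spreadsheet export by asset_id."""
    return {row["asset_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(sheet, authoritative, today_iso, max_review_age_days=90):
    """Return drift findings keyed by the operational failure mode they indicate."""
    today = date.fromisoformat(today_iso)
    findings = {"missing_from_sheet": [], "retired_but_listed": [],
                "owner_mismatch": [], "review_overdue": []}
    for asset_id, truth in authoritative.items():
        if asset_id not in sheet:
            findings["missing_from_sheet"].append(asset_id)   # onboarding happened late or not at all
        elif sheet[asset_id]["owner"] != truth["owner"]:
            findings["owner_mismatch"].append(asset_id)       # stale ownership field
    for asset_id, row in sheet.items():
        if asset_id not in authoritative:
            findings["retired_but_listed"].append(asset_id)   # offboarding not tied to deletion evidence
        age_days = (today - date.fromisoformat(row["last_reviewed"])).days
        if age_days > max_review_age_days:
            findings["review_overdue"].append(asset_id)       # "what changed since last review" is unanswerable
    return findings

def sheet_is_authoritative(findings):
    """True only when the sheet and the source of record agree on every asset."""
    return not any(findings.values())

if __name__ == "__main__":
    result = reconcile(load_sheet(SHEET_CSV), AUTHORITATIVE, "2024-03-01")
    for category, ids in result.items():
        print(f"{category}: {ids}")
    print("sheet is authoritative:", sheet_is_authoritative(result))
```

Run on a schedule against live exports rather than once; a single clean run only proves agreement at that point in time.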
Common Variations and Edge Cases
Tighter inventory control often increases administrative overhead, requiring organizations to balance visibility against the friction of keeping records current. That tradeoff is especially visible in fast-moving cloud, DevOps, and M&A environments, where new services appear faster than governance processes can absorb them. Best practice is evolving, but current guidance suggests that spreadsheets may remain useful as a temporary reporting layer, not as the primary control for live assets.
Some teams also confuse completeness with accuracy. A spreadsheet can have every expected column filled out and still be wrong if ownership, environment, or secret status is stale. Another common edge case is low-volume environments, where manual tracking can work for a time, but only if updates are enforced through change management and verified against source systems. Once the inventory must cover service accounts, API keys, certificates, and ephemeral cloud resources together, the effort required to keep a spreadsheet current usually exceeds its value.
In practice, the strongest warning sign is not simply a messy file. It is when the organization cannot demonstrate that the sheet reflects operational truth without a human reconstruction exercise. At that point, the inventory should be treated as evidence of effort, not evidence of control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Asset management fails when inventory is not authoritative or current. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Untracked secrets and NHI assets create unknown exposure and ownership gaps. |
| NIST AI RMF | | Operational monitoring and governance apply when AI-era assets outpace spreadsheets. |
Inventory all NHI assets and secrets, then validate ownership and lifecycle status on a fixed cadence.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org