
Should organisations treat IT asset management as part of zero trust?

By NHI Mgmt Group Editorial Team Updated June 9, 2026 Domain: Architecture & Implementation Patterns

Yes, if they want zero trust to reflect reality. Zero trust depends on accurate asset context, continuous verification, and least privilege. If ITAM cannot tell identity systems what exists, who owns it, and whether it is still active, then access decisions will be made against stale assumptions.

Why This Matters for Security Teams

Zero trust only works when the organisation can trust its asset context. IT asset management is not a separate housekeeping function here; it is the inventory layer that tells identity and policy systems what exists, who owns it, and whether it should still be active. Without that signal, access reviews, segmentation, and least-privilege decisions degrade into guesses. NIST's Zero Trust Architecture makes continuous verification central, but verification depends on current asset data, not static spreadsheets.

NHIMG’s research shows why this matters in practice: only 5.7% of organisations have full visibility into their service accounts, and 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation. That gap is not theoretical. It means unknown assets, stale ownership, and orphaned identities can keep receiving access long after they should have been removed. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives and Top 10 NHI Issues both reinforce that visibility and ownership are foundational, not optional.

In practice, many security teams discover ITAM gaps only after an orphaned asset, stale service account, or untracked integration has already been granted access and been used as a foothold for lateral movement.

How It Works in Practice

When ITAM is treated as part of zero trust, it becomes a live source of truth for enforcement. Asset records should feed identity governance, endpoint control, cloud policy, and offboarding workflows so that access decisions reflect current state rather than assumptions. That includes device ownership, environment, business criticality, platform type, lifecycle stage, and whether an asset is approved, retired, or unknown.

In operational terms, this means zero trust teams should not ask only “who is the user?” They should also ask “what is the asset?”, “is it still in service?”, and “does it have an approved owner and purpose?” This is especially important for non-human identities, where assets often map to workloads, CI/CD jobs, API clients, and service accounts. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is a useful reference for connecting inventory, lifecycle, rotation, and revocation into one control plane.

  • Synchronise CMDB or asset inventory data with IAM, PAM, and endpoint posture tools.
  • Flag unknown, unowned, or retired assets as high-risk until verified.
  • Use asset criticality to drive stronger policy decisions and tighter segmentation.
  • Trigger offboarding when an asset is decommissioned, not only when a user leaves.
  • Reconcile service accounts, API keys, and certificates against active assets on a recurring basis.
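The reconciliation loop the bullets above describe, as an added example that is not NHIMG's code: a small Python policy that classifies an asset from inventory state, derives an access verdict from that state rather than from the identity alone, flags credentials whose asset context is unknown, unowned, retired or orphaned, and turns an asset decommission into a revocation list. The record fields, the sample inventory and identities, and the 90-day dormancy threshold are constructed assumptions.

```python
"""Asset-aware access decisions and identity reconciliation.

Added example, not NHIMG's code.  The record fields, the sample data,
the 90-day dormancy threshold and the policy verdicts are assumptions
chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

DORMANT_DAYS = 90  # assumed threshold for flagging credentials nobody uses


@dataclass
class Asset:
    asset_id: str
    owner: Optional[str]        # approved owner, or None if nobody claims it
    lifecycle: str              # "active" | "retired"
    criticality: str            # "low" | "medium" | "high"


@dataclass
class Identity:
    identity_id: str
    kind: str                   # "service_account" | "api_key" | "certificate"
    bound_asset: Optional[str]  # asset the credential was issued for, or None
    last_used_days: int         # days since the credential was last seen in use


# Constructed sample records (not real systems).
INVENTORY = {a.asset_id: a for a in [
    Asset("srv-payments-01", "payments-team", "active", "high"),
    Asset("srv-reporting-07", None, "active", "medium"),
    Asset("vm-legacy-22", "ops", "retired", "low"),
]}

IDENTITIES = [
    Identity("sa-payments", "service_account", "srv-payments-01", 1),
    Identity("key-archive", "api_key", "srv-payments-01", 200),   # dormant
    Identity("key-reporting", "api_key", "srv-reporting-07", 3),
    Identity("cert-legacy", "certificate", "vm-legacy-22", 40),
    Identity("sa-mystery", "service_account", "ci-runner-x", 2),  # asset never registered
    Identity("key-floating", "api_key", None, 120),               # never bound to an asset
]


def classify_asset(asset_id, inventory):
    """Map an asset reference to a trust state derived from inventory data."""
    asset = inventory.get(asset_id)
    if asset is None:
        return "unknown", None   # never admitted: untrusted until verified
    if asset.lifecycle == "retired":
        return "retired", asset
    if not asset.owner:
        return "unowned", asset
    return "verified", asset


def decide_access(identity, inventory):
    """Ask 'what is the asset?' before deciding anything about the identity."""
    if identity.bound_asset is None:
        return {"decision": "deny", "reason": "identity not bound to any asset"}
    state, asset = classify_asset(identity.bound_asset, inventory)
    if state in ("unknown", "retired"):
        return {"decision": "deny", "reason": f"asset {state}"}
    if state == "unowned":
        return {"decision": "review", "reason": "asset has no approved owner"}
    # Verified asset: criticality tightens the conditions attached to the grant.
    conditions = []
    if asset.criticality == "high":
        conditions += ["short-lived credential", "restricted segment"]
    return {"decision": "allow", "reason": "asset verified", "conditions": conditions}


def reconcile(identities, inventory):
    """Recurring check: every credential must map to a live, owned asset."""
    findings = []
    for ident in identities:
        if ident.bound_asset is None:
            findings.append((ident.identity_id, "orphaned"))
            continue
        state, _ = classify_asset(ident.bound_asset, inventory)
        if state != "verified":
            findings.append((ident.identity_id, state))
        elif ident.last_used_days > DORMANT_DAYS:
            findings.append((ident.identity_id, "dormant"))
    return findings


def on_asset_decommissioned(asset_id, identities):
    """Offboarding trigger: retiring an asset revokes every credential bound to it."""
    return [i.identity_id for i in identities if i.bound_asset == asset_id]


if __name__ == "__main__":
    for ident in IDENTITIES:
        print(ident.identity_id, decide_access(ident, INVENTORY))
    print(reconcile(IDENTITIES, INVENTORY))
    print(on_asset_decommissioned("srv-payments-01", IDENTITIES))
```

The point of the ordering in decide_access is that an unknown or retired asset is denied before ownership or criticality is even consulted; an identity that is perfectly valid in the IdP still gets nothing if the asset it was issued for is no longer admitted.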

For implementation detail on workload identity and cryptographic proof of what an asset is, the Guide to SPIFFE and SPIRE aligns well with the identity side of zero trust, while the NIST Cybersecurity Framework 2.0 helps connect inventory, governance, and continuous monitoring. These controls tend to break down in hybrid estates with shadow IT, ephemeral cloud resources, and unmanaged industrial or third-party systems because ownership and lifecycle state are not reliably captured.

Common Variations and Edge Cases

Tighter asset governance often increases operational overhead, so organisations must balance visibility gains against the cost of maintaining accurate records. That tradeoff is real, especially in fast-changing environments where resources are created and destroyed automatically. Best practice is evolving, but current guidance suggests treating high-change assets differently from stable end-user devices rather than forcing one inventory model onto everything.

There are also edge cases where ITAM data is incomplete but still useful. For example, in cloud-native environments, the authoritative source may be a combination of cloud control planes, CMDB records, and workload identity systems rather than a single inventory platform. For transient jobs and containers, lifecycle events often matter more than traditional hardware tracking. For third-party-managed systems, the key question is whether the organisation can prove ownership, monitoring coverage, and decommissioning authority.

NHIMG’s NHI Lifecycle Management Guide is especially relevant where asset status and secret revocation must stay aligned. In those environments, zero trust should not wait for perfect inventory, but it should refuse to treat unknown assets as trusted. Where business units can create infrastructure without central registration, zero trust degrades fastest because the access decision engine is forced to trust assets that were never formally admitted.
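The multi-source case described above, as an added example that is not part of NHIMG's guidance: merging CMDB records, cloud control-plane lifecycle events, and workload identity registrations into one asset state with provenance, so that a transient container is governed by its created/terminated events, a workload with an attested identity counts as formally admitted, and an asset that exists but was never admitted is tracked without being trusted. All record formats, the sample events, the 24-hour staleness window, the fixed "now", and the precedence rules are assumptions.

```python
"""Derive one asset state from several partial sources of truth.

Added example, not NHIMG's code.  The CMDB record shape, the control-plane
event format, the 24-hour staleness window, the fixed NOW and the precedence
rules are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(hours=24)  # assumed: a live resource must be re-observed within 24h
NOW = datetime(2026, 6, 9, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample inputs (no real systems).
CMDB = {
    "db-core-01":   {"owner": "dba-team", "lifecycle": "active"},
    "vm-legacy-22": {"owner": "ops",      "lifecycle": "retired"},
}
# Control-plane events as (ISO-8601 UTC timestamp, resource id, event).
CLOUD_EVENTS = [
    ("2026-06-08T09:00:00Z", "i-batch-4f2",  "created"),
    ("2026-06-08T09:30:00Z", "i-batch-4f2",  "terminated"),
    ("2026-06-09T07:00:00Z", "i-api-9c1",    "created"),
    ("2026-06-07T01:00:00Z", "i-stale-00",   "created"),   # never terminated, never re-observed
    ("2026-06-09T06:00:00Z", "db-core-01",   "observed"),
    ("2026-06-09T08:00:00Z", "vm-legacy-22", "observed"),  # retired in CMDB but still answering
]
# Workload identities issued after attestation, keyed by the asset they attest.
WORKLOAD_IDS = {
    "i-api-9c1": "spiffe://example.org/api/gateway",
}


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _blank():
    return {"sources": [], "owner": None, "lifecycle": "unknown", "admitted": False}


def build_asset_state(cmdb, cloud_events, workload_ids, now):
    """Merge sources with explicit precedence and keep provenance per asset."""
    state = {}
    # 1. CMDB: authoritative for owner and for deliberate retirement.
    for asset_id, rec in cmdb.items():
        state[asset_id] = {"sources": ["cmdb"], "owner": rec["owner"],
                           "lifecycle": rec["lifecycle"], "admitted": True}
    # 2. Control plane: the latest event per resource drives lifecycle for ephemeral assets.
    latest = {}
    for ts, rid, event in cloud_events:
        t = _parse(ts)
        if rid not in latest or t > latest[rid][0]:
            latest[rid] = (t, event)
    for rid, (t, event) in latest.items():
        entry = state.setdefault(rid, _blank())
        entry["sources"].append("cloud")
        if entry["lifecycle"] == "retired":
            # A live sighting must not resurrect a retired asset; record the conflict instead.
            entry["conflict"] = event != "terminated"
            continue
        if event == "terminated":
            entry["lifecycle"] = "terminated"
        elif now - t > STALE_AFTER:
            entry["lifecycle"] = "stale"      # believed alive, but unobserved for too long
        else:
            entry["lifecycle"] = "active"
    # 3. Workload identity: attestation counts as formal admission for assets
    #    that will never get a CMDB record.
    for rid, spiffe_id in workload_ids.items():
        entry = state.setdefault(rid, _blank())
        entry["sources"].append("workload_identity")
        entry["spiffe_id"] = spiffe_id
        entry["admitted"] = True
    return state


def trust_decision(entry):
    """Order matters: a lifecycle end trumps everything, then admission, then freshness."""
    if entry["lifecycle"] in ("terminated", "retired"):
        return "revoke"
    if not entry["admitted"]:
        return "untrusted"   # tracked, but never formally admitted
    if entry["lifecycle"] == "stale":
        return "reverify"
    return "trusted"


def decisions(now=NOW):
    state = build_asset_state(CMDB, CLOUD_EVENTS, WORKLOAD_IDS, now)
    return {rid: trust_decision(e) for rid, e in state.items()}


if __name__ == "__main__":
    for rid, entry in build_asset_state(CMDB, CLOUD_EVENTS, WORKLOAD_IDS, NOW).items():
        print(rid, entry)
    print(decisions())
```

Two design choices carry the policy: the CMDB's "retired" is never overwritten by a control-plane sighting (the sighting becomes a conflict finding, which is exactly the orphaned-asset case the text warns about), and "admitted" is set only by a CMDB record or an attested workload identity, so a resource the control plane knows about but nobody registered stays untrusted without being ignored.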

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | ID.AM | Asset management is explicit in the Identify function and anchors zero trust context.
NIST Zero Trust (SP 800-207) | Sec. 2.1, Tenets of Zero Trust | Zero trust relies on continuous verification using current asset context.
OWASP Non-Human Identity Top 10 | NHI-01 | NHI visibility and lifecycle control depend on knowing what assets and identities exist.

Feed live asset state into policy decisions so trust is never based on stale inventories.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.