The company can't manage what it doesn't know it has.

A discovery tool is necessary but it isn't sufficient. It finds what's on the network. It doesn't know what's on corporate mobile plans, what hardware staff are using remotely, what cloud instances have been spun up outside the standard procurement route, or what software is installed on devices that weren't connected when the scan ran. ITAM is the discipline that combines tool data with process, so the register stays complete between scans, not just during them.

Usually more than the IT team expects and less than the Finance team hopes. In the Discovery phase, we assess exactly what's usable: which records are accurate, which can be cleansed, and which need to be rebuilt from scratch. We don't throw away existing data as a default. We validate it first. What we do find, consistently, is that the coverage gaps are larger than the company thought and the data quality issues are concentrated in a predictable set of asset categories.

The opposite is often true. Large companies have dedicated ITAM teams, vendor management functions, and procurement processes that provide some natural controls. Mid-sized companies often have none of those and the asset base has grown faster than the processes managing it. The licence exposure and security gaps we find in mid-market companies are frequently larger relative to company size than what we find in enterprises. The risk is proportionally greater, not smaller.

CIS Controls, especially 1 and 2, the two highest-priority controls in the CIS Critical Security Controls framework, require complete and current hardware and software inventories. NIS2 Article 21 requires implemented security controls across the full operational environment, which is only possible if the company knows what's in it. In practice, the single most common root cause in post-incident security reviews is an asset that wasn't in the register and therefore wasn't being patched or monitored. ITAM is the foundation that makes cybersecurity programmes work in the real environment rather than just the known one.

Yes, and it's a part that most ITAM programmes handle badly. Devices that are decommissioned but not properly removed from the register create phantom entries that distort the company's asset position and security picture. Devices that leave the building without certified data sanitisation create a data breach risk that stays open long after the hardware is gone. Our IT Asset Disposal service handles the retirement end of the lifecycle, so the register closes cleanly and the risk closes with it.