You Can’t Secure What You Can’t See: Key Takeaways from Our KuppingerCole Webinar on Application Inventory

Most enterprises can’t answer a simple question: how many applications do you actually have?

In a recent webinar co-hosted with KuppingerCole Analysts AG, Simeio Chief Product Officer Asif Savvas and KuppingerCole Lead Advisor Dr. Phillip Messerschmidt unpacked why Application Inventory Management (AIM) is one of the most underestimated foundations of a mature IAM program. The session made a clear case: identity controls degrade when organizations lack observability into the applications those controls are designed to protect.

Here are the critical insights from the conversation.

The Knowledge Gap Is Bigger Than You Think

Dr. Messerschmidt opened with a challenge to the audience. Can you name every application in your environment? Do you know who owns each one, how it’s deployed, who has access to it, what integrations it depends on, or what would break if you decommissioned it?

The typical answers he encounters in the field range from “that would be good to know” to “we have an Excel list, somewhere.” That disconnect between what security teams believe they manage and what actually exists in production represents unquantified risk at scale.

Savvas reinforced the point from Simeio’s operational experience. “Truly understanding what to protect has been one of the biggest gaps when we start on these initiatives,” he said. “After large investments, when enterprises start rolling the projects out, they find that they do not have a really good handle of who their application owners are.” He estimated that across the engagements Simeio has run, roughly half the effort in early-stage IAM programs goes toward chasing basic application information rather than executing identity controls.

The webinar framed this using a matrix of four knowledge states:

  • known knowns
  • known unknowns
  • unknown knowns
  • unknown unknowns

Known knowns are the applications teams actively manage. Known unknowns are applications they’re aware of but lack specifics on. Unknown knowns are applications managed by other teams or departments outside the line of sight of IT and security teams. And unknown unknowns are applications that exist in the environment without anyone’s awareness. That last category is where the most dangerous exposure lives, because security teams can’t apply controls to assets they don’t know about.

AIM Is an Operational Capability, Not a Documentation Exercise

One of the strongest points in the session was the reframing of what AIM should be. It’s common for organizations to treat an application inventory as a compliance artifact, something static and maintained before audits. Dr. Messerschmidt pushed back on that model directly.

A well-maintained application inventory tracks ownership, criticality, deployment method, version, vendor, license type, dependencies, integration points, user counts, and security posture. When that data stays current, it accelerates IAM execution across multiple use cases: application onboarding, access lifecycle management, criticality assessments, authorization design, audit preparation, integration planning, and provisioning decisions.

The relationship between AIM and IAM runs in both directions. AIM accelerates IAM by providing the context teams need to onboard applications, assign controls, and prepare for audits. IAM exposes gaps that improve AIM, because identity operations reveal missing owners, undocumented integrations, and applications that were never properly cataloged. The two disciplines reinforce each other when treated as continuous operational functions rather than separate projects.

Without a current inventory, IAM teams are forced to reconstruct context for every project, every audit, and every integration request. That reconstruction is slow, error-prone, and expensive. Governance teams spend their limited time chasing basic information instead of analyzing risk and improving controls.

Savvas framed the cost of this directly during the session. Funds are limited, he noted, and there’s only so much an IAM program can accomplish in a given period. If you don’t prioritize by criticality, you end up spending the same effort on low-value applications as on the crown jewels. The inventory is what makes that prioritization possible.

The Real Challenges: Data Accuracy, Standardization, and Time for Analysis

The webinar didn’t shy away from the operational difficulty of maintaining AIM. Five challenges stood out.

Gathering enough data across organizational boundaries. Building a useful inventory requires input from teams that have competing priorities and little incentive to contribute. Inventory owners end up chasing information instead of improving it.

Ensuring accuracy as applications evolve faster than documentation. Daily operational changes, shifting workloads, and new deployments create constant drift between the inventory and reality. Small updates rarely get communicated back to the central record.

Standardizing how different departments track their tools. Without clear rules, each team catalogs applications differently, fragmenting the inventory and making cross-functional analysis unreliable.

Protecting enough time for actual analysis. Collecting, verifying, and normalizing data consumes so much effort that little capacity remains for the insight-generation that makes the inventory worth maintaining.

Keeping the inventory model viable as complexity scales. As application landscapes grow, dependency maps multiply, and models that weren’t designed for scale become either too shallow to be useful or too complex to sustain.

These are real barriers. But the session framed them as solvable when AIM is treated as a living operational process rather than a periodic documentation task.

Where Simeio Identity Orchestrator (IO) Fits

Asif Savvas walked through how Simeio Identity Orchestrator (IO) addresses the application inventory challenge with a methodology designed for enterprise scale. IO ingests application data from multiple sources, including IAM systems like SailPoint and Saviynt, identity providers like Okta and Ping, CMDBs such as ServiceNow, and a browser plugin that surfaces shadow IT by tracking which applications users actually access.

That last piece matters significantly. Industry estimates suggest 10 to 15 percent of enterprise assets remain unknown unknowns at any given time. Those unclassified assets represent risk that traditional inventory approaches miss entirely, because they rely on teams to self-report applications rather than detecting them through actual usage patterns.

Once applications are cataloged in IO, they’re assigned criticality scores on a 1-to-10 scale through automated risk assessment questionnaires. These questionnaires evaluate whether the application stores sensitive information (PII, financial data, PHI, intellectual property), whether it’s internet-facing, and whether it performs a security function. Application owners and lines of business can then review and enrich that data, creating a dynamic inventory that stays relevant as the environment changes.

The Application Dashboard in IO tracks each application’s status across identity governance, access management, and privileged access management. IAM teams get a single view of onboarding progress, control health, and where gaps remain. The Shadow IT view surfaces newly detected applications and lets administrators classify them as approved, new, or ignored, closing the loop on unknown unknowns.
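The three mechanical pieces described on this page, placing each application into one of the four knowledge states by which sources know about it, turning questionnaire answers into a 1-to-10 criticality score, and working a review queue of newly observed applications until each is approved or ignored, can be expressed as a small reconciliation routine. The following is an added example, not Simeio IO’s code. The source names, the sample application sets, the scoring weights, the user-count threshold and the mapping of source overlap onto the four states are all assumptions constructed for illustration; in practice the three sets would be exports from a CMDB, an identity provider or IGA system, and usage telemetry such as the browser plugin the session described.

```python
"""Reconcile inventory sources into the four knowledge states, score criticality,
and triage newly observed (shadow IT) applications.

Added example: not Simeio IO's code. All inputs below are constructed and the
scoring weights are assumed; a real run would ingest CMDB, IdP/IGA and usage
telemetry exports instead of these literals.
"""
from dataclasses import dataclass

# Constructed sample sources (assumed names, not real systems).
CMDB = {"payroll", "crm", "wiki", "legacy-ftp"}          # cataloged with an owner record
IDP_APPS = {"payroll", "crm", "wiki", "design-tool"}     # integrated with SSO / IGA
OBSERVED = {"payroll", "crm", "design-tool", "ai-notes", "pastebin-clone"}  # seen in use by usage telemetry


def classify(cmdb, idp, observed):
    """Map each application to a knowledge state from which sources know it.

    Interpretation used here (an assumption, one reading of the webinar's matrix):
      known_known      cataloged and IdP-integrated: centrally managed
      known_unknown    cataloged but never integrated: aware of it, missing specifics
      unknown_known    integrated by some team but never cataloged: outside IT's line of sight
      unknown_unknown  only ever seen in usage telemetry: nobody's record mentions it
    """
    states = {k: set() for k in ("known_known", "known_unknown", "unknown_known", "unknown_unknown")}
    for app in cmdb | idp | observed:
        if app in cmdb and app in idp:
            states["known_known"].add(app)
        elif app in cmdb:
            states["known_unknown"].add(app)
        elif app in idp:
            states["unknown_known"].add(app)
        else:
            states["unknown_unknown"].add(app)
    return states


def dormant(cmdb, idp, observed):
    """Applications the records say exist but nobody was seen using: decommission candidates."""
    return (cmdb | idp) - observed


@dataclass
class AppProfile:
    """Answers to the risk questionnaire for one application (fields are assumed)."""
    name: str
    stores_pii: bool = False
    stores_financial: bool = False
    stores_phi: bool = False
    stores_ip: bool = False
    internet_facing: bool = False
    security_function: bool = False
    user_count: int = 0


# Assumed weights for illustration; the page does not state IO's actual scoring model.
WEIGHTS = {
    "stores_pii": 2, "stores_financial": 2, "stores_phi": 3, "stores_ip": 2,
    "internet_facing": 2, "security_function": 3,
}


def criticality(profile):
    """Score 1..10: every application starts at 1, each true answer adds its weight, clamp at 10."""
    score = 1 + sum(w for attr, w in WEIGHTS.items() if getattr(profile, attr))
    if profile.user_count >= 1000:  # blast-radius bump (assumed threshold)
        score += 1
    return min(score, 10)


def prioritize(profiles):
    """Application names ordered by criticality, highest first (ties broken by name)."""
    return [p.name for p in sorted(profiles, key=lambda p: (-criticality(p), p.name))]


def triage(observed, decisions):
    """Newly detected applications that still need a review decision.

    decisions maps name -> "approved" | "ignored". Anything observed without a
    decision is "new" and goes to the review queue; re-running this after each
    telemetry refresh is what keeps closing the loop on unknown unknowns.
    """
    return sorted(app for app in observed if decisions.get(app) not in ("approved", "ignored"))


if __name__ == "__main__":
    for state, apps in classify(CMDB, IDP_APPS, OBSERVED).items():
        print(f"{state:16} {sorted(apps)}")
    print("dormant         ", sorted(dormant(CMDB, IDP_APPS, OBSERVED)))
    profiles = [
        AppProfile("payroll", stores_pii=True, stores_financial=True, user_count=3000),
        AppProfile("crm", stores_pii=True, internet_facing=True, user_count=400),
        AppProfile("pastebin-clone", internet_facing=True),  # shadow IT: scored on what little is known
        AppProfile("wiki", stores_ip=True),
    ]
    print("priority order  ", prioritize(profiles))
    print("review queue    ", triage(OBSERVED, {"payroll": "approved", "crm": "approved", "design-tool": "approved"}))
```

Two things the code shows that the prose does not: the set algebra makes "unknown unknowns" a computed result rather than a guess (anything in usage telemetry that no record mentions), and the `dormant` set is the mirror-image drift, applications every record claims exist but nobody uses, which is the input to the decommissioning question asked at the top of the page. The weights are the part a real program would tune; the structure (floor of 1, additive answers, clamp at 10, re-triage on every refresh) is what matters.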

The practical outcome: unified observability across the application landscape, clear prioritization of what to protect first, and a scalable foundation for every IAM initiative that follows.

Savvas also raised a point that rarely gets attention: the lifecycle problem. “Often IAM products are implemented, apps are onboarded, and then they are forgotten for years,” he said. Applications change. Security models evolve. Enterprise policies shift. IO is designed to detect those changes and push updated controls back down to application owners, closing the gap between initial onboarding and ongoing governance.

Why This Matters Now

Application sprawl is accelerating. Digital transformation and cloud migration continue to push new tools into enterprise environments faster than governance teams can absorb them. Business units adopt SaaS applications without waiting for IT review, creating shadow IT that grows silently between audits. Delayed deprovisioning means former employees and contractors retain access to applications long after their engagement ends.

Compliance auditors are increasingly asking about ungoverned applications. Regulators and insurance carriers want to see evidence of application governance coverage, and they’re asking specifically whether organizations can demonstrate control over the full scope of their application landscape. The cost of a breach traced to an unmanaged application carries reputational and financial damage that outlasts the incident itself.

The webinar’s core message holds: you cannot govern access to applications you don’t know exist. Application Inventory Management is the operational foundation that makes every other IAM investment more effective. Without it, identity programs operate on assumptions. With it, they operate on evidence.

Watch the full webinar recording here and explore how Simeio IO delivers application inventory at enterprise scale.

How does your IAM program measure up?

What area should be your first priority?

Simeio’s advisory and benchmarking service team provides a clear, quantifiable assessment of your identity management system, highlighting both strengths and areas for improvement. Schedule a session now to explore critical aspects of your identity fabric from onboarding to risk management. Gain a clear roadmap for enhancing your identity platform, closing gaps, and strengthening your enterprise’s security foundation.