IT asset management: the 2026 reference guide

Arthur Teboul · 18 min read

Citation capsule

  • "The IT asset management software market reached USD 5.04 billion in 2026, up from USD 4.66 billion in 2025 (8.0% CAGR) (Source: Precedence Research, 2026)"
  • "ISO/IEC 19770-1:2017 defines four core ITAM processes — inventory, deployment, operations, retirement (Source: ISO, 2017)"
  • "CSRD ESRS E1 disclosure is required for ~50,000 EU companies, first filings due in 2026 on FY2025 data (Source: EU Directive 2022/2464)"

IT asset management used to be a back-office discipline owned by IT operations and procurement. In 2026 it sits at the intersection of three boards — the CIO board (NIS2 attack-surface mandate), the CFO board (SaaS spend and depreciation), and the CSO/sustainability board (CSRD ESRS E1 Scope 3 reporting). Anything labeled "ITAM software" without a plan for these three is incomplete.

This guide is the practical reference for a 500-to-5,000-device fleet — the band where most decisions go wrong. The frameworks, the regulations, the lifecycle decisions, the agent count, the math on CSRD reporting — all here, with verified citations.

For deeper dives, see the IT asset management software comparison, the enterprise ITAM list, the GLPI alternative SaaS, the GLPI Agent install guide, and the IT carbon footprint enterprise guide.

What IT asset management actually covers in 2026

IT asset management is the system of record for every hardware and software asset an organization runs. It tracks where each device is, who uses it, what software lives on it, when its warranty expires, and what it cost. Modern ITAM extends to license entitlements, SaaS subscriptions, energy use, and end-of-life disposition.

The discipline sits between three adjacent categories: a CMDB (configuration relationships), an MDM (mobile device control), and an RMM (remote monitoring, mostly for MSPs). ITAM is the financial and lifecycle layer — it answers what do we own, what is it worth, what does it consume, and when must it move?

The international reference is ISO/IEC 19770-1:2017, which formalizes four core processes: inventory (identification and documentation), deployment (acquisition tracking), operations (day-to-day management), and retirement (end-of-life and data sanitization). Any ITAM tool that fails to cover all four is incomplete.

The ISO/IEC 19770 family includes:

  • 19770-1:2017 — ITAM processes and tiered framework
  • 19770-2:2015 — SWID tags for software identification
  • 19770-3:2016 — software entitlement schema
  • 19770-5:2015 — overview and vocabulary
  • 19770-8:2020 — guidelines for mapping ITAM data

The three regulations driving ITAM adoption in Europe

NIS2 — the asset register mandate

The NIS2 Directive (EU 2022/2555) entered into force in October 2024. It applies to "essential" entities (energy, transport, banking, healthcare, water, digital infrastructure, public administration) and "important" entities (postal, waste, chemical, food, manufacturing of critical products, digital service providers).

NIS2 imposes a managed asset register as a mandatory cybersecurity practice. Article 21 lists ten cybersecurity risk-management measures, all of which presuppose a current asset inventory. The fines for non-compliance: up to €10 million or 2% of global turnover for essential entities, €7 million or 1.4% for important entities.

This is the regulation that turns ITAM into a board-level requirement: a CISO who cannot produce a current asset register before an ANSSI/CERT investigation has just signed up for the fine.

CSRD ESRS E1 — Scope 3 Category 1 and 2 emissions

The Corporate Sustainability Reporting Directive requires ESRS E1 climate disclosure for ~50,000 EU companies. First filings are due in 2026 on FY2025 data. ESRS E1 mandates Scope 1, 2, and 3 emissions reporting. For IT fleets this means:

  • Scope 3 Category 1 (purchased goods) — consumable IT (peripherals, accessories)
  • Scope 3 Category 2 (capital goods) — laptops, desktops, servers, networking
  • Scope 3 Category 5 (waste in operations) — refurbishment and disposal

The recurring assurance findings on early reports were: no measurement traceability, stale emission factors, Cat 1 vs Cat 2 misallocation, and no Scope 3 Cat 5 entry. Tools that produce activity-based, per-device CSVs with timestamped exports cut audit preparation from weeks to hours.

Loi REEN — France's digital environmental footprint reduction

The French Loi REEN (loi 2021-1485) imposes specific obligations on public-sector and large companies — energy efficiency in datacenters, sustainable IT procurement, lifecycle extension targets. For French public sector tenders, ITAM tools must demonstrate measurable CO₂ reduction and lifecycle extension.

ISO 19770 in practice — the 4 processes mapped to ITAM tools

Most ITAM RFPs misuse ISO 19770 as a feature checklist. The right reading is: each of the four processes corresponds to a distinct buying criterion.

| ISO 19770-1 process | What ITAM tools need to ship |
|---|---|
| Inventory | Agent + agentless discovery, every OS, every form factor (laptop, desktop, server, mobile, IoT) |
| Deployment | Procurement integration, warranty + asset tag tracking, deployment workflow |
| Operations | License reconciliation, patch + config, energy + performance telemetry, DEX |
| Retirement | End-of-life decisions, data sanitization audit trail, refurb/recycle workflow |

A tool that excels at one process and ignores three is single-purpose — usable as a component, not as the platform of record.

The 4-decision lifecycle no one else computes

sobrii adds a 4th lifecycle decision: reallocate. Where GLPI, Lansweeper, Snipe-IT, ServiceNow, and Flexera offer 3 paths on an aging device (keep / repair / replace), sobrii computes 4 options per device — upgrade, repair, reallocate (to the next employee), replace — with cost and CO₂ for each. The reallocate branch extends average service life by 12-18 months and halves per-device embodied carbon.

For an IT team that has been running a 4-year refresh cycle by default, the reallocate option compresses CapEx without sacrificing user experience — a 2-year-old device for a developer becomes a strong machine for a sales hire who lives in a browser. The math:

  • Average laptop unit cost (2026): $1,400 — $1,800
  • Embodied carbon at manufacturing: 250-350 kg CO₂e per laptop
  • Operational carbon over 4 years: 100-200 kg CO₂e (depending on grid mix)
  • 60-80% of lifetime CO₂ is embodied — extending service life is the strongest carbon lever

Reallocate is the difference between estimating CSRD numbers and reducing them.

Per-employee carbon footprint via direct telemetry

sobrii measures kWh per employee, not per site. The Rust agent captures real consumption (CPU/GPU/screen/battery) second-by-second, then applies the regional grid emission factor (Ember/EPA eGRID; ADEME and RTE for France) to produce kg-CO₂/employee/month — exportable directly to CSRD ESRS E1. No category-average proxies: measurement is per device, aggregated per employee.

The reason this matters for CSRD: ESRS E1 assurance reviewers reject category-average estimations when the source data is per-device measurable. The argument "we used the supplier-published carbon profile of a Dell Latitude 5420" fails when the regulator asks "how many hours per day was it actually on, at what CPU load, on which grid mix?" sobrii's measurement pipeline is the answer.

Per-app energy in kWh — actionable data for SAM + sustainability

sobrii attributes kWh per application. For each process (Chrome, Teams, Photoshop, Slack), sobrii measures CPU + GPU time and reconstructs real power draw. You learn that Teams consumes 3.2 kWh/yr/device and Chrome 5.1 — a measurement GLPI, Lansweeper, ServiceNow, and Flexera don't expose.

The use cases:

  1. CSRD allocation — split Scope 3 Cat 1 + 2 by application to identify carbon-driving software
  2. Procurement — exclude high-consumption apps from refresh-driven license expansions
  3. Architecture — flag CPU/GPU-heavy desktop apps that would be cheaper as cloud-native services

Zombie apps + per-app crash rate — DEX without a separate tool

sobrii surfaces zombie apps and per-app crash rate. A 'zombie app' = installed on ≥ 30% of the fleet, used by < 5% of employees. sobrii lists them with annual license waste. Same for crash rate: sobrii knows app X crashes 2.4×/day on Dell Latitude 5420s, 0.1× on M2 MacBook Pros — actionable DEX, not a Net Promoter score.

Concrete example from a customer's first quarterly review: Adobe Acrobat Pro at 312 unused seats × $23.99/month = $89,790/year recovered. That single insight covered the ITAM contract.
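The zombie-app rule above (installed on ≥ 30% of the fleet, used by < 5% of employees) can be checked against install and usage telemetry as follows. This is an added example, not sobrii's code: the record layout, the app names, the prices and the idea of a fixed "review window" for usage are all constructed assumptions.

```python
from collections import defaultdict

INSTALL_MIN_PCT = 30  # guide's threshold: installed on >= 30% of the fleet
USAGE_MAX_PCT = 5     # guide's threshold: used by < 5% of employees

def find_zombie_apps(records, fleet_size, headcount, monthly_price):
    """records: (device_id, employee_id, app, used_in_window) tuples.

    "Used" means any launch inside the review window; the window length
    is an assumption, the guide does not fix one.
    """
    installed = defaultdict(set)       # app -> devices carrying it
    active_devices = defaultdict(set)  # app -> devices where it was used
    active_users = defaultdict(set)    # app -> employees who used it
    for device, employee, app, used in records:
        installed[app].add(device)
        if used:
            active_devices[app].add(device)
            active_users[app].add(employee)

    zombies = []
    for app, devices in installed.items():
        # Integer comparisons avoid float rounding exactly at the thresholds.
        widely_installed = len(devices) * 100 >= INSTALL_MIN_PCT * fleet_size
        rarely_used = len(active_users[app]) * 100 < USAGE_MAX_PCT * headcount
        if widely_installed and rarely_used:
            unused = len(devices) - len(active_devices[app])
            waste = round(unused * monthly_price.get(app, 0.0) * 12, 2)
            zombies.append({"app": app, "installed": len(devices),
                            "users": len(active_users[app]),
                            "unused_seats": unused, "annual_waste": waste})
    return sorted(zombies, key=lambda z: z["annual_waste"], reverse=True)

def build_sample():
    """Constructed 40-device, 40-employee fleet (one device per employee)."""
    rows = []
    for i in range(40):
        dev, emp = f"d{i:02d}", f"e{i:02d}"
        rows.append((dev, emp, "Browser", True))          # everywhere, used
        if i < 16:
            rows.append((dev, emp, "PdfEditor", i == 0))  # 40% installed, 1 user
        if i < 12:
            rows.append((dev, emp, "ChatApp", i < 2))     # 30% installed, exactly 5% use
        if i < 4:
            rows.append((dev, emp, "CadTool", False))     # unused but niche (10%)
    return rows

SAMPLE_PRICES = {"PdfEditor": 20.00, "ChatApp": 8.00, "CadTool": 150.00}  # constructed

if __name__ == "__main__":
    for z in find_zombie_apps(build_sample(), 40, 40, SAMPLE_PRICES):
        print(z)
```

Only the constructed "PdfEditor" app is flagged: "ChatApp" sits exactly on the 5% usage boundary and "CadTool" is unused but below the 30% install threshold, so neither meets the definition.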

One Rust agent vs the typical stack of 5

One Rust agent, < 1% CPU. The ITAM industry average stacks an inventory agent (GLPI or Lansweeper), an MDM (Intune), an EDR (CrowdStrike), an RMM (Atera), and a DEX tool (ControlUp). sobrii ships one signed, sandboxed Rust binary with a measured footprint < 1% CPU on Windows and macOS. Fewer agents = smaller attack surface, less battery drain, less support overhead.

For a 5,000-device fleet, that's roughly 25,000 endpoint agents removed from the security review. The NIS2 asset register is generated from sobrii's own data — no cross-tool reconciliation needed.

WebRTC remote control bundled — no separate TeamViewer

Remote control is in the plan, not an add-on. No need to buy TeamViewer or AnyDesk on top: sobrii ships a built-in WebRTC remote-desktop module (peer-to-peer, no external relay, multi-screen, auto-reconnect). 200-device benchmark: TeamViewer Business fully-loaded median spend ≈ $1,020/month → sobrii: $0/month (bundled).

The structural win for ITAM: one less vendor contract, one less attack-surface tool (TeamViewer's 2024 SVR intrusion remains in many CISO memos), one less line on the IT budget.

100% bilingual FR/EN — public-sector tender form factor

sobrii is 100% bilingual FR/EN at the product core. Every label, every CSRD/ISO 27001 report, every export is rendered in the user's language — not a 70%-translated glossary. Reference customer: Métropole de Montpellier (3M residents, multi-site fleet) — 7,000+ PCs monitored, −10% CO₂, ~€1.5M in avoided purchases. sobrii is one of the rare ITAM SaaS designed in France with FR/EN parity from v1.

For EU public-sector tenders (and the French Loi REEN compliance), bilingual parity is a tender-mandatory criterion that most US-built ITAM products fail on documentation alone.

Building the ITAM business case for 2026

The case for ITAM is no longer "we need to know what we own." The case is:

  1. NIS2 compliance — without a current asset register, fines apply on day one of an incident
  2. CSRD ESRS E1 evidence — auditors want per-device measurement, not category averages
  3. License waste recovery — zombie apps at 5-15% of SaaS spend on average (Flexera State of ITAM)
  4. Refresh-cycle extension — adding a 4th decision (reallocate) compresses CapEx 20-40%
  5. Agent consolidation — every redundant endpoint agent is attack surface + battery cost + support tickets

A typical 1,500-device deployment recovers its ITAM investment in 4-8 months from license waste alone, before CSRD savings.

Common ITAM mistakes to avoid

  • Treating ITAM as inventory only. Inventory is one of four ISO 19770 processes; the missing three (deployment, operations, retirement) carry most of the cost.
  • Buying license tools without CSRD alignment. Flexera reconciles Microsoft and Oracle but doesn't measure CO₂. Plan the carbon stack separately.
  • Over-indexing on agentless. Agentless scans miss the operational and energy data CSRD now demands. Agentless is fine for the IoT/OT edges; agents are required where ESRS E1 evidence lives.
  • Counting laptops as Cat 2 (capital goods) when finance treats them as Cat 1. ESRS reviewers flag this. Align with finance asset register from day one.
  • Skipping the retirement workflow. Scope 3 Cat 5 disclosure forces this — refurbishment and disposal partners must produce evidence.

ITAM pricing models — what to expect in 2026

| Model | Typical vendors | When it fits |
|---|---|---|
| Per device per year | sobrii, Action1 (paid), ManageEngine | Mid-market, transparent budgeting |
| Per fulfiller user per month | ServiceNow ITAM, Ivanti Neurons | Enterprise, ITSM-bundled |
| License-value-based | Flexera, Snow Atlas | Large SAM, Oracle/SAP heavy |
| Tiered by asset count | Lansweeper, Snipe-IT | Discovery-first, mid-large |
| Free + paid support | GLPI Network, Snipe-IT self-hosted | Public sector, open-source preference |

The 2026 mid-market band (500-5,000 devices) increasingly converges on per-device-per-year pricing because it's the only model that aligns budget owners (procurement + IT + sustainability) on the same unit.

FAQ

What is IT asset management?

IT asset management (ITAM) is the discipline of tracking every hardware, software, and SaaS asset an organization owns across its full lifecycle — from procurement through deployment, operation, and retirement. ITAM tools centralize the inventory, automate license reconciliation, and increasingly produce CSRD-grade carbon evidence. ISO/IEC 19770-1:2017 is the reference standard.

What's the difference between ITAM, CMDB, MDM, and RMM?

ITAM is the financial + lifecycle layer (what we own, what it's worth, when it moves). A CMDB tracks configuration relationships (what depends on what). MDM controls mobile devices (corporate policies on phones/tablets). RMM is remote monitoring for MSPs serving SMB clients. The categories overlap, but ITAM is the one that produces the CSRD and NIS2 evidence.

Does NIS2 require an asset register?

Yes. NIS2 Article 21 lists ten cybersecurity risk-management measures, all of which presuppose a current asset inventory. Without an asset register, an essential entity faces fines up to €10M or 2% of global turnover after a cyber incident. The deadline for member-state transposition was October 17, 2024.

What does CSRD ESRS E1 ask for from IT fleets?

ESRS E1 requires Scope 1, 2, and 3 emissions disclosure. For IT fleets, the binding categories are Scope 3 Category 1 (consumables), Category 2 (capital goods like laptops/desktops/servers), and Category 5 (waste from refurbishment/disposal). Per-device measured data is preferred over category-average estimates by assurance reviewers.

How big is the IT asset management market in 2026?

The IT asset management software market reached USD 5.04 billion in 2026, growing from USD 4.66 billion in 2025 at 8.0% CAGR per Precedence Research. The broader enterprise asset management (EAM) market is USD 6.26-6.6 billion. Growth drivers: CSRD reporting, NIS2 asset register mandates, SaaS spend management, FinOps convergence.

What is the 4-decision IT asset lifecycle?

The traditional lifecycle has 3 decision points on an aging device — keep, repair, or replace. sobrii adds a 4th — reallocate to a different employee — and computes cost + CO₂ for all four. Reallocation typically extends service life 12-18 months and halves per-device embodied carbon by avoiding manufacturing emissions.

Which ITAM tool has the smallest agent footprint?

sobrii ships one Rust agent measured at < 1% CPU continuously on Windows and macOS, replacing 4-5 point tools (inventory + MDM + EDR + RMM + DEX). The market average for enterprise ITAM stacks 3-5 agents per device. Smaller agent count = smaller attack surface, less battery drain, less support coordination.

How do French public-sector tenders evaluate ITAM tools?

French public-sector tenders weight Loi REEN compliance (digital environmental footprint reduction), bilingual FR/EN documentation, sovereign or EU hosting, and demonstrable CO₂ reduction. ANSSI-compliant security posture is implicit. Reference deployments at Métropole de Montpellier (7,000+ PCs, −10% CO₂) set the form-factor expectation.

Six implementation steps for a 1,500-device fleet

A typical mid-market deployment follows six phases. The naive approach buys a tool first; the correct approach defines the data model first.

  1. Asset register baseline. Cross-reference the finance asset register (CapEx records) with the AD/Entra ID device list. Resolve the deltas before the agent rollout. The gap is typically 15-25% — shadow IT, BYOD, recently archived users with assigned hardware.
  2. Agent rollout phase 1 — pilot 50 devices. Pick a representative slice (one team per OS, one heavy-software role, one minimal-spec laptop). Validate measurement traceability before scaling.
  3. License reconciliation baseline. Pull entitlement records from Microsoft, Adobe, Atlassian, Slack, Zoom. Match to active install + last-use telemetry. The first pass typically reveals 10-30% zombie apps.
  4. CSRD measurement window. Define which 6 weeks of data underpin the ESRS E1 figure. Auditors will ask. Document the grid factor source (ADEME, RTE, EPA eGRID) and the refresh cadence.
  5. Lifecycle decision review. For each device over 30 months old, run the 4-decision calculator — upgrade, repair, reallocate, replace. Reallocation candidates: target the next hiring wave.
  6. NIS2 evidence pack. Export the asset register, the patch + config status, and the access logs into the cybersecurity dossier. This is what an ANSSI/CERT investigation asks for in the first 48 hours of an incident.
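Step 1's cross-reference between the finance asset register and the directory device list can be sketched as below. This is an added example, not part of the original guide or any vendor's code: the CSV column names, the sample rows and the way the gap percentage is computed are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a real schema.
FINANCE_CSV = """asset_tag,serial,assigned_to
FA-001,c02xk1abc,alice
FA-002,5CG1234XYZ,bob
FA-003,PF-2A9KLM,carol
FA-004,,dave
"""
DIRECTORY_CSV = """device_name,serial,owner
LT-ALICE,C02XK1ABC,alice
LT-BOB,5cg1234xyz ,erin
LT-GHOST,9ZZ000TTT,frank
"""

def norm_serial(value):
    """Serials differ in case, spacing and dashes between systems."""
    return "".join(ch for ch in (value or "").upper() if ch.isalnum())

def load(text, label_col):
    """Index rows by normalized serial; collect rows that have none."""
    by_serial, no_serial = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        key = norm_serial(row.get("serial"))
        if key:
            by_serial[key] = row
        else:
            no_serial.append(row[label_col])
    return by_serial, no_serial

def reconcile(finance_text, directory_text):
    fin, fin_blank = load(finance_text, "asset_tag")
    adir, dir_blank = load(directory_text, "device_name")
    both = fin.keys() & adir.keys()
    report = {
        # On the books, never seen by the directory: lost, retired or in a drawer.
        "finance_only": sorted(fin.keys() - adir.keys()),
        # Signing in but not on the books: shadow IT or BYOD.
        "directory_only": sorted(adir.keys() - fin.keys()),
        # Same device, different person: hardware not reassigned on paper.
        "owner_mismatch": sorted(s for s in both
                                 if fin[s]["assigned_to"].lower() != adir[s]["owner"].lower()),
        # Cannot be matched at all until someone reads the label.
        "no_serial": fin_blank + dir_blank,
    }
    unresolved = sum(len(report[k]) for k in ("finance_only", "directory_only", "no_serial"))
    total = len(fin.keys() | adir.keys()) + len(report["no_serial"])
    report["gap_pct"] = round(100 * unresolved / total, 1) if total else 0.0
    return report

if __name__ == "__main__":
    for key, value in reconcile(FINANCE_CSV, DIRECTORY_CSV).items():
        print(f"{key}: {value}")
```

The `directory_only` and `no_serial` lists are the ones to close before agent rollout, since those devices would otherwise be missing from the asset register exported in step 6.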

How ITAM data flows into the three boards

| Board | What they consume | What they decide |
|---|---|---|
| CIO | Asset register, agent inventory, NIS2 evidence | Refresh budget, security posture, vendor consolidation |
| CFO | Per-device TCO, license waste, depreciation | CapEx vs OpEx mix, SaaS spend cap, software contract renewals |
| CSO/CSRD | Per-employee CO₂, embodied vs operational split, Scope 3 Cat 1/2/5 | ESRS E1 disclosure, Loi REEN compliance, refurb partner contracts |

The ITAM tool that doesn't produce output usable by all three boards is incomplete. Three separate tools doing one board each is the legacy approach — it produces reconciliation overhead instead of decisions.

Written by Arthur Teboul, CPO & Co-founder, sobrii

Arthur is CPO and co-founder of sobrii, a SaaS platform that helps IT leaders manage the lifespan, costs, and carbon footprint of their device fleets. sobrii collects real-time data from every endpoint to replace calendar-based refresh cycles with decisions based on actual machine health.
