Rethinking Asset Management in the SaaS Era

Robert Broxup

The shift to cloud computing and Software as a Service (SaaS) hasn’t just changed how we use software, it has redefined how it is licensed, governed, and valued. Traditional models gave way to subscription pricing, consumption-based billing, and dynamic feature access. Perpetual licences and manual true-ups are becoming relics of a bygone era.

Many years ago, I was deeply involved in both software development and the day-to-day realities of Software Asset Management (SAM) and Hardware Asset Management (HAM). At the time, licensing models still largely revolved around local installations, user counts, and processor limits, concepts that made perfect sense when software was installed on physical machines and managed entirely within the organisation’s IT environment. A decade later, the landscape has changed beyond recognition.

In this article, I want to reflect on that transition, not just as a passive observer, but as someone who lived it from both a technical and governance perspective. Whether building systems, maintaining compliance, or navigating the complexity of evolving vendor models, the shift from ownership to access has reshaped every aspect of software management.

The Subscription Era and Usage-Based Pricing

Over the past ten to fifteen years, software licensing has undergone a quiet revolution. What was once a matter of buying perpetual licences for locally installed software has evolved into a complex, usage-driven ecosystem shaped by cloud computing, SaaS delivery models, and on-demand scalability.

In 2015, organisations typically purchased software outright or acquired long-term licences based on devices, users, or installations. These models implied ownership even though legally it was still a licence. Software was purchased once, installed locally, and controlled entirely by the organisation. The move to cloud-native solutions and SaaS changed this dynamic. Instead of owning software, businesses now pay for access, often through subscription or consumption-based models. Even the terminology has changed – when I developed this type of solution, they were typically called Web Applications or Application Service Provisioning. That was many years ago, and the technology has evolved dramatically.

SaaS providers introduced a shift toward monthly or annual subscriptions, bundling maintenance, updates, and support into a recurring fee. This replaced unpredictable upgrade cycles with predictable operating costs. More recently, licensing has become increasingly usage-sensitive.

New Metrics, New Challenges

Organisations are now also charged based on metrics such as:

  • Storage capacity used – charges based on data stored across cloud platforms
  • API calls made – licensing tied to application integrations and external access
  • Per feature with Attribute-Based Access Control
  • Transactions processed
  • AI inference or compute time consumed

This granular licensing aligns better with real-world value delivery, but also introduces new complexities in forecasting, budgeting, and compliance.

The End of Traditional Licensing Models

Cloud platforms make it harder to define clear per-device or per-site boundaries. Software can be accessed from anywhere, by anyone with credentials, across distributed and hybrid environments. The familiar models of per-CPU, per-installation, or per-location licensing have largely become obsolete, replaced by identity- and activity-based access control mechanisms embedded into cloud platforms.

Vendors no longer rely solely on trust or retrospective audits. Instead, they embed telemetry and real-time usage tracking into SaaS platforms, allowing precise billing and dynamic licence enforcement. This shift increases transparency — but also reduces flexibility for internal teams, who must now manage licences in real time rather than periodically.

SAM Must Evolve or Fail

Traditional SAM tools were designed for on-premise environments. As licensing moved to the cloud, organisations had to rethink SAM entirely and new priorities emerged:

  • Integration with cloud cost management software
  • Monitoring shadow IT and SaaS
  • Automating licence optimisation
  • Ensuring compliance across federated identities and multiple cloud tenants

Licensing is no longer just a procurement concern, it’s an operational, financial, and governance issue. As AI services, platform modularity, and API monetisation expand, licensing models will likely become even more dynamic and fine-grained. Organisations must shift from static compliance checks to continuous licence awareness, integrated with broader governance, risk, and cost management strategies.

HAM in the Age of Mobility and BYOD

A decade ago, HAM was often about tracking desktops, laptops, and servers across physical offices. Today, device lifecycles are shorter, mobile and remote hardware dominates, and Bring Your Own Device (BYOD) models blur the lines of asset ownership. Modern HAM must now integrate with endpoint management tools, support remote provisioning, and align with security and data governance policies. Like SAM, it has evolved from an inventory task to a core enabler of operational control.

Lessons from 2015 – Revisited with 2025 Clarity

Back in 2015, I explored various aspects of HAM and SAM through a series of articles, following the completion of several different asset management related projects over several years. While the landscape has evolved dramatically, many of the core themes still hold true, particularly for organisations at earlier stages of maturity. Here is a look at what I wrote then, and how it still applies today:

  • HAM and SAM project considerations (8th January 2015) – This article highlights important considerations for selecting appropriate Hardware Asset Management (HAM) and Software Asset Management (SAM) solutions. It emphasizes that the most popular vendor offerings aren’t always the best fit for every organisation, particularly if integration becomes costly or difficult. Ultimately, aligning chosen solutions with organisational requirements, capabilities, and strategic objectives helps ensure successful, efficient, and cost-effective asset management implementation.
  • The Complexity of Software Licensing (12th January 2015) – this article explores the ongoing confusion surrounding software licensing and the risks it poses to organisations and their leadership. Despite years of discussion, many still fail to grasp that software is licensed, not owned. Licensing models vary widely between vendors and products, making compliance complex. Poor oversight can lead to legal penalties, reputational harm, and even personal liability for directors. Effective licensing governance is positioned not merely as an IT task but as a strategic, executive-level responsibility.
  • Understanding Software Licensing Models (19th January 2015) – this article provides an overview of common software licensing models used by vendors, including per-user, per-installation, concurrent, site-based, processor-based, freeware, shareware, and open-source licences. It also explores emerging cloud-era models such as per-feature, per-space, per-bandwidth, and usage-based pricing.
  • Inside the Chaos of Licence Mismanagement (26th January 2015>) – this article explores how unlicensed software often becomes embedded in organisations due to a mix of chaos, ignorance, and weak controls. It outlines common causes, including unrestricted administrator access, lack of defined processes, and ineffective vendor enforcement. The piece argues that without proactive Software Asset Management (SAM), unlicensed software can accumulate unnoticed, creating compliance and legal risks. It recommends a dual approach: tactical clean-up of existing issues and strategic implementation of long-term controls.
  • Eliminating Unnecessary Software Licence Costs (2nd February 2015) – this article explores how organisations can reduce unnecessary software licensing costs by identifying and eliminating inefficiencies. It highlights common issues such as maintaining licences for former employees, renewing support contracts without reviewing actual usage, and over-deployment of software that may trigger costly vendor audits.
  • IT Asset Accuracy (10th February 2015) – this article highlights the frequent inaccuracy of SAM and HAM data in organisations and the risks of accepting 90% accuracy as sufficient. It draws a parallel with financial systems, where precision is mandatory, and argues the same standard should apply to IT asset data. The consequences of poor asset data include undetected software misuse, missing hardware, unpatched vulnerabilities, unnecessary support costs, and licence compliance issues, making accuracy critical for effective risk management and security.
  • Strategic Drivers for SAM and HAM (24th February 2015) – this article outlines key reasons why organisations implement SAM and HAM, including security assurance, licence compliance, asset valuation, audit readiness, and cost allocation. It emphasises the need for accurate inventories to support patching and governance activities.
  • SAM and HAM depend on your data (1st March 2015) – this article explores why SAM and HAM initiatives often fail: not because of the tools chosen, but due to poor or missing data. It explains that the effectiveness of any asset management solution relies on the availability and quality of data already within the organisation. Drawing on real-world project recovery experiences, it lists common data sources and emphasises the need to access and analyse this information early. The article closes by discouraging premature software purchases.
  • Stakeholder Engagement with HAM and SAM (15th March 2015) – this article addresses the problem of data silos in organisations where different teams manage assets independently. It explains that disconnected systems and assumptions of data completeness often lead to fragmentation and errors. To succeed, SAM and HAM systems must become the central source of truth. Stakeholder involvement, communication, and alignment of local requirements are crucial to prevent the new system from becoming just another unused tool.
  • Improving Software Purchasing Decisions (18th March 2015) – this article focuses on avoiding costly mistakes in software procurement. It warns against solutions that require unexpected consultancy or custom development to meet basic expectations. Buyers are encouraged to evaluate whether a product functions effectively out of the box, whether integration with existing systems is included, and how much customisation is really needed.
  • Inadequate SAM during Mergers & Acquisitions (27th March 2015) – this article explains the risks of neglecting SAM in mergers and acquisitions. While financial and legal due diligence is common, software licence management is often overlooked, leading to compliance gaps, unexpected costs, and integration problems. The article outlines key questions to ask before finalising a deal and encourages proactive vendor dialogue. It argues that IT due diligence must become a standard practice in M&A to protect business value, especially as licensing models and software landscapes evolve.
  • Application Whitelisting (9th September 2017) – application whitelisting is a proactive security control that enforces a deny-by-default approach. Only approved software can run, everything else is blocked. This article explains how whitelisting significantly reduces risk from malware and unauthorised software usage. With proper planning and ongoing oversight, application whitelisting becomes a powerful tool for improving control, visibility, and resilience across the enterprise.
  • Practical Steps to Improve Software Management (16th September 2017) – effective Software Asset Management (SAM) is essential for maintaining control, ensuring compliance, and maximising value from software investments. This article outlines practical steps organisations can take to manage software more effectively, from maintaining an accurate inventory and enforcing licensing controls to reducing support costs and avoiding unnecessary project spend.
  • Mixed Enthusiasm for Cost Avoidance (23rd September 2017) – this article explores the often-overlooked value of cost avoidance, using a software licence audit as an example. By identifying unused installations and reducing the need for additional licences, the business avoided £250,000 in future expenditure. However, the immediate £50,000 cost to achieve compliance overshadowed the invisible savings, drawing more attention and scrutiny. The piece highlights how visible costs often provoke stronger reactions than hidden savings – an insight that applies beyond software licensing to many areas of business decision-making.
  • Governing Hardware Assets (17th December 2019) – This article outlines the essential principles of effective hardware asset management. It explains how maintaining an accurate inventory, tracking new and portable devices, and ensuring proper ownership records are fundamental to both operational security and business efficiency. By choosing the right management tools and maintaining up-to-date asset valuations, organisations can support troubleshooting, streamline refresh projects, and strengthen governance.

The Strategic Future of HAM and SAM

A decade ago, asset management was often viewed as a supporting task. Today, it is at the heart of digital governance, security, and operational efficiency. Whether you’re revisiting these topics or addressing them for the first time, HAM and SAM are no longer optional disciplines, they are strategic enablers in a world where technology is both everywhere and always on.

Reflecting on a decade of transformation, it’s clear that SAM and HAM have matured into essential governance tools. As AI and platform modularity introduce further complexity, success will depend on continuous awareness, collaboration across teams, and strategic alignment. The journey continues – but the foundations are stronger than ever.

Stay safe and avoid Black Friday scams

Robert Broxup

Black Friday is approaching again, and while it promises incredible deals, it’s also a time to exercise caution. Cybercriminals see this as an opportunity to prey on unsuspecting shoppers who may let their guard down in pursuit of huge discounts.

  • Stick to trusted retailers – it can be tempting to explore unfamiliar websites offering huge discounts, but this is where the risk of scams is highest.
    • Stick with the businesses you know and trust, especially those you have successfully shopped with before.
    • If you are curious about a new retailer, search for reviews and verify their legitimacy before purchasing.
  • Avoid clicking links in emails – phishing scams are rampant during shopping seasons, with fraudulent emails disguised as offers from popular brands.
    • Go directly to the retailer’s official website through your browser.
    • Scammers often use addresses that look similar to legitimate companies but include subtle differences.
  • Beware of unnecessary software and apps – installing unfamiliar software or apps to access discounts is a significant red flag.
    • Avoid downloading new apps unless they are from familiar and trusted retailers and official app stores.
    • Avoid apps that request excessive access to your device or personal data.
  • Watch out for hidden memberships – special deals may sometimes come with strings attached, such as hidden memberships that require regular full-price purchases.
    • Before completing a transaction, ensure you’re not unwittingly subscribing to a recurring service.
    • Avoid deals that feel overly complicated.
    • Genuine bargains don’t require convoluted commitments.
    • Avoid paying for access to discounts.
  • Use secure payment methods – protect your financial information by choosing safer payment options when shopping online.
    • Use credit cards or payment services such as PayPal or Apple Pay, which often provide buyer protection in case of fraud.
    • Avoid direct bank transfers.
    • Avoid payment methods that don’t offer recourse if something goes wrong.
  • Look for HTTPS and Security Indicators – before entering any personal or payment information online, ensure the website is secure.
    • A secure website address will have “https://” at the beginning of the URL, along with a padlock icon in the address bar.
    • Be cautious and avoid unsecured websites.
  • Monitor your bank statements – fraudulent transactions can go unnoticed if you don’t keep an eye on your bank accounts.
    • Check your bank statements regularly to spot any unauthorised transactions.
    • Report suspicious activity immediately to your bank or card provider.
  • Avoid public Wi-Fi for online shopping – shopping on public Wi-Fi networks can leave you vulnerable to hackers.
    • Make purchases using private, password-protected Wi-Fi connections.
    • Virtual Private Networks (VPNs) add an extra layer of security, making your online activity harder to intercept.
  • Think before you buy – impulse purchases often lead to regret, especially for items you wouldn’t normally consider buying.
    • Be realistic about the product’s value.
    • Pause before purchasing. If something seems worthless or unnecessary at the recommended retail price, it’s likely not worth buying with a 90% discount.

Although this article is about Black Friday, adopting these practices all year round is wise to ensure safe and secure online shopping. Generally speaking, it is good practice to avoid buying in a way that doesn’t align with societal norms; being asked to do so should be considered a huge red flag.

Concerns among professionals in the AI space

Robert Broxup

I am pleased to report that I completed the next stage of my journey to become an AI subject matter expert. I passed the ISO 42001 Lead Auditor exam. Although I currently qualify only as a PECB Certified ISO 42001 Provisional Auditor, I can upgrade this from Provisional Auditor to Auditor later this year.

This journey has included attending seminars, reading news articles, conversations with other professionals, and generally trying to stay informed and remain current in a rapidly evolving field. This article summarises professional concerns and forms a core part of delivering governance of artificial intelligence. The extent to which these risks and concerns already exist and unfold daily is open to debate and not part of this article. I leave this with you to consider.

Misinformation and disinformation

AI can create and amplify false or misleading information at an unprecedented scale, threatening trust in media and democratic institutions.

  • AI models can generate thousands of fake articles, social media posts, or reviews in seconds, tailored to spread specific narratives, making manipulating public opinion easier for bad actors.
  • AI can create realistic videos or audio clips of individuals saying or doing things they never actually did for purposes such as blackmail, propaganda, or to discredit public figures.
  • AI-powered automated bots can hijack social media platforms, amplifying false narratives or silencing dissenting voices.
  • As AI-generated content becomes more challenging to distinguish from genuine material, people may lose trust in legitimate sources of information, leading to societal instability.
  • State-sponsored actors could leverage AI to influence elections, destabilise economies, or create population discord.

Bias and discrimination

AI systems are only as unbiased as the training data. Without careful oversight, they can perpetuate or even exacerbate discrimination.

  • AI learns from historical data, which often reflects societal inequalities. Recruitment algorithms, for example, trained on biased data might favour specific demographics over others.
  • Without transparency in AI decision-making processes, it is challenging to identify and address discriminatory outcomes.
  • AI tools and solutions developed by teams with limited diversity can lead to blind spots in understanding and addressing diverse needs.
  • Companies deploying biased AI systems can face reputational damage, lawsuits, and regulatory scrutiny.

Job displacement and economic impact

AI is transforming the job market, raising concerns about unemployment and economic inequality.

  • Routine manufacturing, logistics, customer service, and transportation jobs are highly susceptible to automation. Self-driving vehicles could replace millions of drivers, for example.
  • Transitioning displaced workers into new roles requires significant training programs and education investment. The lag between technological advancement and workforce adaptation is an important concern.
  • AI may disproportionately benefit those who own and develop the technology, widening the gap between low and high-income groups.
  • While AI boosts productivity, the economic benefits may not translate into job creation, potentially leaving millions without viable employment.

Privacy

AI systems thrive on data, but this dependency raises concerns about privacy violations, unethical data usage, and mass surveillance.

  • Companies and governments could collect vast amounts of personal data to train AI models without explicit consent.
  • AI-powered surveillance tools like facial recognition cameras can track movements and activities, often infringing on civil liberties.
  • The centralisation of data for AI training can increase the risk of breaches, exposing sensitive information to hackers.
  • Using AI to analyse and link disparate data sources can make it nearly impossible for individuals to remain anonymous.

Loss of control

As AI systems grow more sophisticated, there is increasing concern about their autonomy and the potential for catastrophic misuse.

  • Advanced AI systems may act in ways their creators did not anticipate, potentially causing harm in critical areas such as healthcare or transportation.
  • AI-driven weapons could operate without human intervention, raising ethical and strategic dilemmas, including the potential for accidental escalation of conflicts.
  • When AI surpasses human intelligence, it might prioritise itself over the well-being of humanity, leading to existential threats.
  • Many AI algorithms are complex and opaque, making it challenging to understand decision-making processes. This lack of transparency can lead to dangerous or harmful outcomes.
  • Governments and organisations struggle to keep up with the pace of AI development, creating a gap in oversight that could allow harmful applications to flourish.

With international cooperation, proactive regulation, ethical development, and public awareness, we can collectively address these risks and shape a safer, more trustworthy AI future.

Ethical considerations of AI

Robert Broxup

Ethical development, deployment, and use of artificial intelligence is essential to ensure responsible innovation, fairness, trustworthiness, and societal benefit.

  • When developing AI systems, it is crucial to prioritise human well-being, autonomy, and dignity.
    • AI should enhance user capabilities and decision-making processes.
    • Design systems to accommodate people of all abilities and demographics.
    • Provide clear, understandable explanations of AI functionality and outcomes.
    • Incorporate mechanisms to prevent harm, misuse, or unintended negative consequences.
    • Regularly incorporate user feedback to improve AI systems and address potential concerns.
  • Transparency builds trust and understanding between users and AI systems, making it essential to communicate AI processes.
    • Users should always be aware of when they interact with AI technologies.
    • Provide detailed yet understandable explanations of how the AI operates and makes decisions.
    • Share potential risks, limitations, and intended uses of AI systems openly with stakeholders.
    • Be transparent about how AI models collect, use, and safeguard data.
    • Maintain an open dialogue with users, researchers, and regulators to ensure ongoing alignment with ethical standards.
  • Develop and maintain AI systems to promote equitable outcomes and avoid discrimination.
    • Conduct regular audits to identify and mitigate biases in data and algorithms.
    • Use diverse datasets to prevent systemic inequalities from being embedded into AI systems.
    • Test and validate systems to guarantee fair treatment for all users.
    • Build AI solutions that actively address and reduce societal inequities.
    • Ensure compliance with laws and ethical norms to safeguard fairness and equality.
  • Protecting user data and respecting privacy rights is critical when designing and implementing AI systems.
    • Only collect the data necessary for the intended purpose.
    • Ensure sensitive data is anonymised to protect user identities.
    • Employ appropriate security measures to protect data from breaches or misuse.
    • Obtain explicit, informed consent for data collection and usage.
    • Align all practices with relevant privacy laws and regulations such as GDPR.
  • Accountability mechanisms ensure the responsible use of AI and the ability to address ethical challenges effectively.
    • Establish specialised teams or committees to oversee ethical compliance.
    • Conduct periodic reviews to verify adherence to ethical policies.
    • Define transparent processes to identify, address, and resolve issues related to AI systems.
    • Provide ongoing education for teams to remain informed on best practices and emerging ethical challenges.
    • Maintain accessible avenues for reporting concerns or suggesting improvements.
  • As technology and societal expectations evolve, so should the ethical frameworks surrounding AI.
    • Regularly review and update policies to address new challenges and opportunities in AI ethics.
    • Partner with global AI ethics communities to exchange insights and best practices.
    • Stay informed of advancements and risks to refine ethical approaches proactively.

I recently looked at Certified Ethical Emerging Technologist (CEET), a certification from CertNexus. The certification marketplace is expanding as more professional bodies offer qualifications in AI. CertNexus also offer the Certified AI Practitioner (CAIP) certification.

I chose to focus on the Artificial Intelligence Governance Professional (AIGP) from the International Association of Privacy Professionals (IAPP) and both Certified ISO/IEC 42001 Lead Auditor and Certified ISO/IEC 42001 Lead Implementer from the Professional Evaluation and Certification Board (PECB).

In a rapidly evolving field, embedding ethics into AI development is not a constraint, it is a critical enabler of long-term trust and value.