The Compass: CIS updated its asset inventory controls, Ivanti got breached again, and the PC refresh wave is real
Weekly Roundup · May 11, 2026 · 6 min read
One trend, a few category moves, three reads, one thing to do before the end of the week. That's the Compass, weekly.
This week: the CIS tightened its asset-inventory controls in a way that makes ITAM a security requirement (not just an operations one), another Ivanti vulnerability reminded everyone what happens when you can't enumerate your attack surface, and IDC confirmed what procurement teams already feel — the PC refresh wave is real and it's happening now. Let's get into it.
The trend: asset inventory is officially a security control
We've said it before: you can't secure what you can't see. This week, that principle got an institutional endorsement. CIS Controls v8.1 elevated the asset-inventory requirements in Controls 1 and 2 (Inventory and Control of Enterprise Assets, and Inventory and Control of Software Assets) with tighter implementation guidance and explicit callouts for SaaS and AI tool discovery.
The practical shift: previous versions treated hardware inventory and software inventory as foundational but somewhat abstract. The updated guidance is specific. It calls for automated discovery where possible, reconciliation on at least a weekly cadence, and explicit inclusion of cloud-hosted services and AI tools in the software inventory. If you're subject to any framework that references CIS Controls — and most compliance regimes do, directly or indirectly — your asset register just became auditable against tighter criteria.
// Why this matters for small teams
The CIS Controls are the baseline that auditors, cyber-insurance underwriters, and MSPs reference when they assess your security posture. "Do you maintain an asset inventory?" has always been question one. The bar for what counts as an acceptable answer just went up. A spreadsheet that was last updated three months ago is no longer a credible answer — the guidance now explicitly mentions reconciliation cadence. If your cyber-insurance renewal is coming up, this is worth knowing.
This dovetails with the shadow AI audit we outlined last week. CIS Control 2 now makes the case explicitly: AI subscriptions that employees sign up for individually are software assets, and they belong in your inventory. The compliance argument has caught up with the operational one.
In the ITAM category this week
A few moves worth noting:
| Vendor | What moved | Why it matters |
|---|---|---|
| Ivanti | Another critical vulnerability disclosure in Ivanti Endpoint Manager — the third significant CVE in the product line this year. CISA added it to the Known Exploited Vulnerabilities catalog. | The irony of an asset management vendor being repeatedly compromised is hard to miss. More practically: if you're running Ivanti EPM, patch immediately. If you're evaluating Ivanti, the security track record is now a serious consideration. The vulnerability underscores a broader point — your ITAM tool is itself an asset with a security posture. |
| Flexera | Announced AI-powered license optimization features across their SAM platform, using machine learning to predict license compliance risk and recommend reclamation actions. | Flexera continues to be the enterprise SAM play. The AI features are aimed at the Oracle/SAP/Microsoft true-up conversation — predicting where you'll be out of compliance before the audit letter arrives. Useful at scale, overkill below 500 seats. |
| Oomnitza | Expanded its Technology Asset Intelligence platform with automated lifecycle workflows that connect procurement, deployment, and disposition into a single orchestration layer. | Oomnitza is positioning itself as the "lifecycle orchestration" layer that sits on top of your MDM, procurement, and ITSM tools. The approach makes sense for companies with 1,000+ assets and multiple systems of record. The question for smaller teams: do you need orchestration, or do you need one system that does it all? |
| IDC | Published Q1 2026 PC shipment data showing 8.2% year-over-year growth in worldwide PC shipments, driven by Windows 11 migration and AI PC demand. | The PC refresh cycle we've been tracking since April is now confirmed in the numbers. Windows 10 ESU costs, hardware aging, and the AI PC marketing push are all converging. If you haven't started your refresh planning, the window for getting budget approval at current prices is narrowing. |
| assetcompass | Shipped a compliance-readiness view that maps your asset inventory against CIS Controls 1 and 2 — showing coverage gaps, stale records, and unassigned devices in a single dashboard. Designed for teams preparing for cyber-insurance renewals or security audits. | The CIS Controls update makes asset inventory an explicit audit target. We built the view so you can answer "do you maintain a current asset inventory?" with a screenshot instead of a spreadsheet. One-click export for audit documentation. |
Three reads worth your time this week
Pieces that crossed our desk this week and earned a bookmark:
- CIS — CIS Controls v8.1 — Implementation Guide for Controls 1 & 2. The updated implementation guidance is the most practical version CIS has published. Control 1 (Enterprise Assets) now includes explicit guidance on tracking BYOD devices, IoT endpoints, and cloud-managed infrastructure. Control 2 (Software Assets) adds SaaS and AI tools. The implementation groups (IG1 through IG3) give you a clear progression path based on org size. Most teams reading this blog are IG1 — start there.
- Forrester — "The State of IT Asset Management, 2026." Behind the paywall, but the key finding has been discussed publicly: Forrester found that 67% of organizations still rely on spreadsheets as a primary or supplementary asset tracking tool, and that organizations with automated asset discovery have 40% fewer security incidents. The correlation isn't causation, but the direction is clear — visibility reduces risk. The report also notes that ITAM tool adoption among companies under 500 employees has doubled since 2024, driven by compliance and cyber-insurance requirements. That's the tailwind we're riding.
- Krebs on Security — Coverage of the latest Ivanti exploitation campaign. Brian Krebs's coverage of the active exploitation of Ivanti vulnerabilities is worth reading for the operational detail. The attack chain starts with internet-facing Ivanti appliances that organizations didn't know were exposed. That's the asset-inventory problem in a nutshell: the most dangerous devices are the ones that aren't in your register. If you're running any Ivanti products, this is required reading.
A thing to watch: the PC refresh wave and what it means for your budget
We've been tracking hardware pricing pressure since our April 13 issue (DRAM) and last week (tariffs). This week, IDC put a number on the demand side: PC shipments are up 8.2% YoY, and the commercial segment is leading the growth. Here's what's driving it:
- Windows 10 ESU costs are biting. The first year of Extended Security Updates is $61/device for commercial customers. Year two doubles to $122. For a 100-device fleet, that's $6,100 in Year 1 and $12,200 in Year 2 — for security patches on an OS that's functionally end-of-life. At some point, replacement is cheaper. Many teams hit that crossover in 2026.
- The "AI PC" is a real marketing force. Intel, AMD, and Qualcomm are all pushing NPU-equipped chips as the upgrade reason. The practical benefit for most business users is modest today — local AI inference for Copilot features, faster video calls, better battery life. But the OEMs are using it to segment their lineups, and the non-AI SKUs are getting harder to find at attractive prices.
- Tariff-driven price uncertainty persists. As we covered last week, OEM pricing is less predictable than it was a year ago. The teams who can move fastest are the ones who know exactly which devices need replacing. That means current fleet data — age, condition, OS version, warranty status — available on demand, not assembled over a week from multiple spreadsheets.
// The refresh math
If your fleet has 50 Windows 10 machines and you're weighing ESU costs vs. replacement: Year 1 ESU = $3,050. Year 2 ESU = $6,100. Two-year total = $9,150 for patches alone, on hardware that's aging. A mid-range business laptop runs $900–$1,200. At 50 devices, full replacement is $45K–$60K. The ESU bridge makes sense for 12–18 months while you phase replacements. Beyond that, you're paying to delay the inevitable. The question isn't whether to refresh — it's how to sequence it.
Field test: the security-posture inventory check
If the CIS Controls update resonated, here's a 30-minute exercise that maps your current asset inventory against the new baseline. You'll know exactly where your gaps are.
- List every device type in your environment. Laptops, desktops, servers, network gear, printers, mobile devices, IoT (smart TVs, conference-room hardware, security cameras). Control 1 requires all of them. Most teams discover they're only tracking laptops and desktops. Everything else is a gap.
- Check your reconciliation cadence. When was your asset register last updated? CIS now calls for at least weekly reconciliation for IG2 and above. If you're IG1 (most small teams), monthly is the floor. If the answer is "last quarter," you have a compliance gap.
- Count your unassigned devices. Devices that exist in your inventory but aren't assigned to a person or location are a red flag. They're either ghost assets (departed employees, disposed hardware still in the register) or untracked devices in a closet somewhere. Either way, they're a finding waiting to happen.
- Check your software inventory against Control 2. Do you track SaaS subscriptions? AI tools? Browser extensions? Control 2 now explicitly includes these. If your software inventory is limited to on-prem licenses, you're missing the fastest-growing category. Refer to last week's shadow AI audit for the discovery method.
The output is a gap list. For each gap, the fix is usually one of: add the asset type to your register, assign unassigned devices, or increase your update cadence. None of this requires new tooling — it requires discipline. The tooling just makes the discipline sustainable.
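The four checks above, run as code: an added example that is not part of the original post or the assetcompass product. It evaluates a constructed sample register against the device types, reconciliation floor, unassigned-device rule and Control 2 software categories described above, and turns each gap into one of the three fixes named; the category labels and record fields are the example's own assumptions.

```python
from datetime import date
# Constructed sample register (not real data). Each device record carries the
# fields the four checks need: type, owner, location, and last reconciliation.
ASSETS = [
    {"id": "LT-001", "type": "laptop", "owner": "alice", "location": "HQ", "last_reconciled": date(2026, 5, 8)},
    {"id": "LT-002", "type": "laptop", "owner": None, "location": None, "last_reconciled": date(2026, 2, 1)},
    {"id": "DT-010", "type": "desktop", "owner": "bob", "location": "HQ", "last_reconciled": date(2026, 5, 4)},
    {"id": "SV-001", "type": "server", "owner": None, "location": "DC1", "last_reconciled": date(2026, 1, 15)},
]
# Constructed software inventory that tracks only on-prem licences.
SOFTWARE = [{"name": "Office LTSC", "category": "on-prem"}, {"name": "Visio", "category": "on-prem"}]

# Device classes the post lists under Control 1, and the software classes it
# says Control 2 now covers. The category names are this example's own labels.
REQUIRED_DEVICE_TYPES = {"laptop", "desktop", "server", "network", "printer", "mobile", "iot"}
REQUIRED_SOFTWARE_CATEGORIES = {"on-prem", "saas", "ai-tool", "browser-extension"}

def inventory_gaps(assets, software, today, max_age_days=30):
    """Run the four checks and return the gap list. max_age_days is the
    reconciliation floor: 30 for IG1 (monthly), 7 for IG2 and above (weekly)."""
    present_types = {a["type"] for a in assets}
    stale = [a["id"] for a in assets if (today - a["last_reconciled"]).days > max_age_days]
    # "Unassigned" here means no owner and no location; a device with either is tracked.
    unassigned = [a["id"] for a in assets if not a["owner"] and not a["location"]]
    present_cats = {s["category"] for s in software}
    return {
        "missing_device_types": sorted(REQUIRED_DEVICE_TYPES - present_types),
        "stale_records": sorted(stale),
        "unassigned_devices": sorted(unassigned),
        "missing_software_categories": sorted(REQUIRED_SOFTWARE_CATEGORIES - present_cats),
    }

def suggested_fixes(gaps):
    """Translate each non-empty gap into one of the fixes the post names."""
    fixes = []
    if gaps["missing_device_types"]:
        fixes.append("add asset types to the register: " + ", ".join(gaps["missing_device_types"]))
    if gaps["missing_software_categories"]:
        fixes.append("add software categories: " + ", ".join(gaps["missing_software_categories"]))
    if gaps["unassigned_devices"]:
        fixes.append("assign or retire: " + ", ".join(gaps["unassigned_devices"]))
    if gaps["stale_records"]:
        fixes.append("increase update cadence; stale: " + ", ".join(gaps["stale_records"]))
    return fixes

if __name__ == "__main__":
    gaps = inventory_gaps(ASSETS, SOFTWARE, date(2026, 5, 11))
    for line in suggested_fixes(gaps):
        print("-", line)
```

Pass `max_age_days=7` to apply the weekly floor the post describes for IG2 and above.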
Housekeeping
Last week's piece on shadow AI spend hit a nerve. The most common response: "We ran the audit and found $15K–$25K in annual AI subscriptions we didn't know about." A few teams also discovered data-flow issues — employees feeding customer data into consumer-tier AI tools without BAAs or DPAs in place. If you haven't run that audit yet, it's still timely.
For context on the broader trends we've been tracking: the FinOps-ITAM convergence continues to generate discussion, and our Windows 10 EOL retrospective remains the most-read piece this month — unsurprisingly, given the refresh wave we're covering above. The thread connecting all of these: small IT teams are being held to enterprise standards on security and compliance, but they don't have enterprise tooling or headcount. That's the gap we're building for.
The Compass goes out weekly. If this was useful and you want next week's in your inbox, the easiest way to subscribe right now is to start a free trial — we'll add you automatically. No pitch deck, no sales call.