// Blog
The Compass: ghost assets just became a compliance problem, the HIPAA Security Rule finalizes, and the memory crisis keeps getting worse
Published
Weekly Roundup · May 25, 2026 · 7 min read
One trend, a few category moves, three reads, one thing to do before the end of the week. That's the Compass, weekly.
This week: the asset you can't find is no longer just a line item you wrote off — it's a regulatory question you have to answer. A wave of compliance rules is finalizing in May, the memory crisis we've tracked for six weeks got another bad data point, and the ITAM category is quietly consolidating around fewer tools. Let's get into it.
The trend: a ghost asset is now a compliance event, not a write-off
For years, the "ghost asset" — a device on your books that's actually missing, broken, or sitting unused in a drawer — was treated as a budgeting nuisance. You found it at audit time, sighed, and adjusted the spreadsheet. The framing this week is sharper: up to 25% of IT budgets are estimated to be tied up in ghost assets, and a single lost laptop carries a fully-loaded cost near $50,000 once you add breach exposure, legal review, replacement, and lost productivity.
That second number is the one that changed the conversation. A missing device almost certainly held regulated data — customer records, health information, credentials, cached email. Under the compliance regimes finalizing right now, you don't get to quietly write it off. You have an affirmative obligation to investigate whether its disappearance was a reportable breach. "We're not sure where it is" is not an audit answer; it's the start of an incident report.
// What this means for your register
The gap between "device count in the spreadsheet" and "devices we can actually account for" is now a liability you can be asked to quantify. If your inventory says 142 laptops and you can physically or remotely confirm 128, those 14 unconfirmed machines aren't a rounding error — each one is a potential breach investigation. The fix isn't more spreadsheet columns; it's a register where every asset has a last-confirmed date, an assigned owner, and a status that someone is accountable for keeping current. The teams that sleep well during an audit are the ones who can say "last seen, by whom, on what date" for every line.
We've been building toward this point for weeks. The CIS Controls v8.1 update made the asset inventory a security baseline; the NIS2 and DORA coverage made it a compliance baseline. This week closes the loop: the ghost asset is where those two pressures meet a real, datable cost.
In the ITAM category this week
A few moves worth noting:
| Vendor / Source | What moved | Why it matters |
|---|---|---|
| HIPAA Security Rule | The HIPAA Security Rule final rule is expected this month, with compliance timelines likely running 180 days to a year. The draft makes a written technology asset inventory and a network map explicit, mandatory requirements rather than implied ones. | If you handle health data — or sell to anyone who does — an accurate asset inventory stops being best practice and becomes a documented control an auditor will ask to see. Late 2026 / early 2027 is the realistic compliance window. Start now. |
| NYDFS | New York's financial regulator now expects written policies governing how the asset inventory is created and maintained — tracking ownership, location, classification, support-expiration date, and recovery time objective for each asset. | Note the specific fields: support-expiration date and RTO. A list of serial numbers won't satisfy this. The register has to carry lifecycle and risk metadata, which is exactly the data a spreadsheet rots fastest. |
| IDC | DRAM contract prices are set to climb another 58–63% in Q2, and NAND 70–75%, on top of Q1's record jumps. Some vendors are now selling pre-built PCs without RAM installed. | The hardware-pricing story we've tracked since April isn't slowing — it's compounding. If you have an H2 refresh, the window to buy ahead of the next reset is closing. Pair this with last week's refresh planning. |
| Category trend | ITSM.tools' 2026 ITAM outlook calls the end of multi-tool sprawl: teams are consolidating onto a single primary platform rather than stitching together a discovery tool, a license tool, and three spreadsheets. | Good news for lean teams. The "one tool that does the 80% you actually need" approach is now the recommended direction, not the budget compromise. Fewer integrations to break, one source of truth. |
| assetcompass | Shipped a stale-asset report that flags every device with no check-in, status change, or audit confirmation in the last 90 days — your ghost-asset shortlist, generated automatically and exportable for audit. | The whole point of this week's issue: you can't reconcile what you can't see. The stale-asset report turns "we should audit sometime" into a finite, dated list you can work through in an afternoon. |
The ghost asset math, worked out
It's worth putting real numbers on this, because "25% of the IT budget" sounds like a consultant's round number until you scale it to your team. Take a 75-person company with a $300,000 annual IT budget. If even 15% of that is tied up in ghost assets — unused software seats, devices nobody can locate, cloud resources still billing — that's $45,000 a year, every year, funding nothing.
The hardware slice is the most visible. Lost and unrecovered laptops from departed employees are the classic example: the device walks out the door at offboarding, the asset record never gets closed, and the warranty, the license seats attached to it, and the depreciation schedule all keep running. The SaaS-seat reclamation we keep recommending is the same problem wearing different clothes — a license assigned to a ghost is a license you're paying for twice.
// Where ghosts come from
Ghost assets almost never appear from a single dramatic failure. They accumulate at the seams of your process: an offboarding where the laptop was never collected, a device sent to repair and never logged back in, an "ordered" asset that arrived but was never received in the system, a transfer between teams that updated the person but not the location. Each one is a 30-second omission that becomes a $50,000 question 18 months later. The defense isn't heroic audits — it's closing the loop at every status change, every time, so the register never drifts far enough to need a heroic audit.
Three reads worth your time this week
Pieces that crossed our desk this week and earned a bookmark:
- OnPoint — "The Ghost Asset Crisis: A Guide to IT Asset Management in 2026." The source for this week's headline statistic. The useful part isn't the scary number — it's the taxonomy of how ghosts form and a practical sequence for reconciling them. If you read one thing this week, read this; it pairs directly with the field test below.
- IAPP — "The Flawed IT Asset Management Paradigm." A privacy-side take on why the standard ITAM model breaks down when a device goes missing. The argument: most inventories track assets as property, not as data containers, so they have no good answer when the question shifts from "what did we lose?" to "what data did we lose with it?" Worth reading even if you're not a privacy professional — it reframes what an asset record is for.
- InvGate — "9 ITAM Trends for 2026 (And How to Act on Them)." A solid, vendor-written-but-honest survey of where the discipline is heading. The "act on them" framing keeps it from being a trend listicle — each item has a concrete next step. The governance and consolidation themes line up with the ITSM.tools outlook in the table above, so read the two together for a clearer picture of the category direction.
The quiet good news: tooling is consolidating in your favor
Buried in this week's category coverage is something genuinely encouraging for small teams. For years, the implicit advice was that "real" ITAM meant a stack: a discovery agent, a separate license manager, a CMDB, a procurement tool, and the spreadsheets that glued them together. That stack assumed you had someone whose job was maintaining the stack.
The 2026 guidance is the opposite. The recommended direction is a single primary platform that covers the 80% of ITAM that actually drives decisions — what you own, who has it, what it cost, when it's out of warranty, what condition it's in — with integrations kept deliberately minimal. Fewer moving parts means fewer places for the register to drift, which is the entire ghost-asset problem in one sentence. If you've been feeling under-tooled because you don't run a five-product stack, the category just told you that you were right not to.
Field test: the ghost asset hunt
If this week's issue has you wondering how many ghosts are on your own books, here's a 45-minute exercise to find out. You don't need a perfect answer — you need a dated, defensible one.
- Pull a last-confirmed date for every asset. When was each device last seen — a check-in, a status change, an audit scan, a support ticket? Anything older than 90 days with no activity goes on the suspect list. If your inventory has no concept of "last confirmed," that's finding number one.
- Cross-check against your people list. Pull current headcount from HR or your directory. Every asset assigned to someone who no longer works there is a ghost until proven otherwise. Offboarding is where the most expensive ghosts are born.
- Reconcile the "in repair" and "ordered" buckets. Any device that's been "in repair" for more than 60 days, or "ordered" for more than 30, is almost certainly mis-stated. These limbo statuses are where assets quietly vanish from reality while staying visible in the system.
- Classify each suspect by data sensitivity. For every unconfirmed device, ask: what data did it hold? A loaner kiosk is a budget problem. A laptop with cached customer or health records is a potential breach investigation. Triage the hunt by that distinction — chase the data-bearing ghosts first.
- Close the loop and date it. For each suspect, resolve it to one of three states: confirmed (someone physically or remotely verified it), recovered (it's back and the record is corrected), or written off (formally retired, with a note on the data-disposition decision). The deliverable isn't zero ghosts — it's a register where every line has a status someone stands behind, and a date.
Housekeeping
Three weeks ago this column was about shadow AI spend; two weeks ago, security baselines; last week, hardware pricing and disposal. They keep converging on one object: a current, trustworthy asset register. Shadow AI is a gap in it. The compliance frameworks are demands on it. The refresh budget is a query against it. The ghost asset is what happens when it drifts. It's the same artifact answering to four different bosses.
The ITAM market reflects that gravity — projected at $5.04B in 2026, up from $4.66B in 2025, and on track for $6.78B by 2030. The growth isn't coming from enterprises buying their fifth tool. It's coming from small and mid-market teams who've been told, by regulators and auditors and their own budgets, that the spreadsheet era is over. The ghost assets are just the most expensive way to learn it.
The Compass goes out weekly. If this was useful and you want next week's in your inbox, the easiest way to subscribe right now is to start a free trial — we'll add you automatically. No pitch deck, no sales call.
30-day trial · No credit card · Limited founding spots