A Leadership Guide01 / 21
A Leadership Guide
Master your digital enterprise
Most platforms hand you another dashboard. AssetZentri unifies every asset — hardware to LLMs — into one authoritative record, then reads it through six governance lenses and acts on what it finds. This guide is organised around the problems each domain solves, the value it returns, and the five operating principles it runs on.
Every domain reads from the same authoritative asset record — so a fix in one is evidence in another. The core strength is asset management and the governance layers built on it.
One registry for hardware, software, peripherals, cloud & AI — lifecycle, custody, SAM reconciliation and a live fleet map.
Approve, budget & bill the providers, models, agents & keys you consume — with token budgets that enforce themselves.
Discover every SaaS app, track subscriptions & contracts, allocate to the GL, and recover 15–25% of wasted licences.
Reviews, just-in-time access, SoD, privilege drift & a one-click kill switch — full IGA, no separate suite.
Continuous, evidence-backed compliance across frameworks incl. India DPDP, SEBI, RBI & IRDAI, with cross-mapping.
Vendor registry, contract repository, and AI that reads the fine print — scoring T&C risk 0–100 with renewal briefs.
The engine ZentriPulse reads across all six domains and turns findings into action — detect → propose → approve → execute → log. Beyond the six lenses sit Sustainability & ESG, an asset-linked Tickets desk, and multi-tenant MSP controls.
Every feature in this guide is an expression of these five tenets. They are what make the value statements that follow true — not slogans, but the way the platform is built.
Priority-based dedup merges 15+ sources into a single authoritative asset. All six domains read the same atom, so work done once counts everywhere.
1,760 assets · 2,339 device-software links · 0 parallel spreadsheetsFive-channel discovery — agent, IdP, network, email/OAuth, browser — surfaces the shadow estate SSO alone misses, including shadow AI.
2,325 apps cataloged · 598 SaaS · 2,306 pending the SSO never reportedZentriPulse doesn't just flag. It proposes the fix and, on your approval, executes it in a sandbox and logs it. A system of action, not another alert.
detect → propose → approve → execute → logEvery change is HMAC-signed and immutable; SAM runs nightly; ToS acceptance and AI calls land on an append-only ledger; evidence maps across frameworks.
cross-framework mapping · auto-evidence · nightly reconciliation runsIndia-first frameworks alongside the global ones; per-tenant self-hosted LLM keeps data in-boundary; shared benchmarks are k-anonymous by design.
SEBI · RBI · IRDAI · DPDP · in-boundary LLM · k-anonymity k≥10Assets are scattered across Intune, Azure AD, JumpCloud, OpenAudit and spreadsheets that disagree. AssetZentri makes one authoritative record per asset — hardware to LLMs — then proves your licence position and surfaces the spend to reclaim.
Intune says one thing, Azure AD another, the spreadsheet a third — nobody can give the board one number they trust.
Priority-based dedup merges 15+ sources into one record per asset, the most authoritative source winning per field — the estate becomes 1,760 assets with 0 conflicts.
Unified Registry · Discovery & SyncYou pay for software nobody runs and can't prove your licence position — an audit finds shelfware and under-licensing at once.
SAM Reconciliation runs nightly (1,400+ items/run), true-ups entitlements to real installs, and quantifies 1,536 under-licensed items and $116,950 of risk — plus the 15–25% to reclaim.
SAM Reconciliation EngineYou know a title is installed but not what's inside it — which CVEs it carries, whether it's past end-of-life, when it renews.
Software Intelligence normalises 2,325 products, matches SBOM, CVE and EOL, and tracks renewals to the day — “3 expiring within 30 days”, with -37d overdue badges.
Software Intelligence · Software-Device MappingFigures are from a representative reference tenant shown in-product — replace with your own before publishing.
LLM keys get spun up with no owner or risk class, AI spend runs unbounded, and autonomous agents act with permissions nobody records. AssetZentri governs the AI you consume as tracked assets — with budgets that enforce themselves.
Teams provision providers, models and keys with no inventory, owner or risk class — nobody can say what AI touches your data.
Registers every provider, model, agent and key. Models carry a risk classification and data-access policy; keys get a full lifecycle — provision → rotate → expire → revoke.
LLM Providers · AI Models · API KeysAI spend is unbounded and unattributed — the first time you notice is the bill, with no idea which team caused it.
Token Budgets set quotas per team, project or agent; BudgetGuard auto-downgrades or freezes at the cap; Billing Sync imports real usage from OpenAI, Anthropic, AWS, Azure, Google.
Token Budgets · BudgetGuard · Billing SyncRegulated data can't be shipped to public APIs, and “trust us” isn't an audit answer for what the AI decided.
The AI Agents inventory tracks permissions, risk levels and lifecycle; a per-tenant self-hosted LLM keeps data in-boundary; every AI decision lands on an append-only ledger.
AI Agents · Per-tenant LLM · LedgerHalf your SaaS never touches SSO, seats sit unused, spend is invisible to finance, and contracts auto-renew before anyone checks. AssetZentri discovers the full SaaS estate and turns it into a managed, GL-aligned spend you can cut.
You can only govern what SSO sees — and most SaaS never gets there. Shadow apps grow invisibly until one is a problem.
Five-channel discovery surfaced 598 SaaS apps and a 2,306-deep pending queue (OpenAI, Atlassian, Ngrok…) — each risk-scored to approve, ignore or reject.
SaaS Discovery · Shadow ITDuplicate tools, unused seats and over-provisioned plans bleed budget — and finance can't see it by department.
Surfaces unused/duplicate apps and right-sizes them to recover 15–25% of spend; the Spend Dashboard tracks $2,089,250 with budget-vs-actual and GL allocation for finance.
Spend Dashboard · License Optimization · GL SyncA contract auto-renews next Tuesday on terms nobody re-read, and you've lost the leverage to renegotiate.
Renewal Briefs flag everything expiring in 30 days with the usage to renegotiate from, and subscription tracking catches tier changes automatically.
Renewal Briefs · Subscriptions · ContractsFigures are from a representative reference tenant shown in-product — replace with your own before publishing.
The same record that proves your licence position also prices it — what you spend, what is wasted, and what renews next. From WS-4471’s idle Adobe seats outward.
Illustrative reference-tenant figures — connect billing, GL and contracts to populate real numbers.
Standing admin rights accumulate, leavers keep access for days, and reviews are rebuilt from spreadsheets every cycle. AssetZentri delivers full identity governance from the same record — no separate IGA suite.
Standing admin rights pile up, toxic combinations go unnoticed, and privilege creep is invisible until an incident.
Enforces just-in-time access, SoD rules and privilege-drift detection (0 violations, 0 drift when clean), with peer-group anomaly detection on top.
JIT · SoD · Privilege Drift · Anomaly DetectionOffboarding leaves orphaned grants for days, and access-review certification is a spreadsheet chore every audit.
Playbook offboarding revokes in parallel — minutes not hours; access reviews certify in days not weeks with AI-assisted suggestions and auto-revocation.
Offboarding Automation · Access ReviewsWhen something goes wrong, you need to cut access everywhere at once — and most tools can't.
A one-click kill switch revokes across all connected IdPs, OAuth tokens and SaaS in parallel, with an impact preview — plus time-boxed break-glass access.
Kill Switch · Break-glassA Western, point-in-time baseline doesn't satisfy Indian regulators, and evidence collected for one framework is wasted on the next. AssetZentri monitors controls continuously and maps one evidence set across every framework you answer to.
Indian regulators expect sovereign, continuous controls — a borderless SOC 2 baseline doesn't cover SEBI, RBI, IRDAI or DPDP.
Continuous monitoring across 6 frameworks incl. SEBI, RBI, IRDAI and DPDP alongside the global standards — sovereign by default, not bolted on.
Frameworks · Compliance ScoreEvery audit is rebuilt from scratch in spreadsheets, and evidence gathered for one framework can't be reused for the next.
Auto-collected Evidence attaches to controls; Cross-Framework mapping lets you prove once and count everywhere; Findings track gaps to resolution.
Evidence · Findings · Cross-FrameworkYou can't prove a control wasn't tampered with, and there's no clean before/after trail of who changed what.
HMAC-signed, immutable Audit Logs capture every change with before/after values; Reports and Stakeholder Reports turn it into audit- and board-ready output.
Audit Logs · Reports · Governance MapContracts auto-renew on terms no one read, vendor exposure is invisible until a breach, and agreements are scattered across inboxes. This domain scores the fine print, watches for breaches, and keeps every contract in one place.
No one reads the terms of service, so you don't know which vendor owns your data or can change terms unilaterally.
The T&C Risk Scanner reads the fine print and scores each vendor 0–100 across data ownership, sharing, termination and liability — flagging 7 high-risk apps in this estate.
T&C Risk Scanner · Policy ComparisonContracts live in inboxes, renew silently, and you've no view of total vendor exposure or recent breaches.
A contract repository with version history, Renewal Briefs that prevent costly auto-renewals, and breach-feed monitoring that tells you the moment a vendor is compromised.
Contract Repository · Renewal Briefs · Breach FeedYou negotiate blind — no consolidated view of who you buy from or how much each relationship costs.
A vendor registry ties each vendor to its products, relationship status and spend analysis — leverage for the next negotiation, all from the same record.
Vendor Registry · Vendor SpendFigures are from a representative reference tenant shown in-product — replace with your own before publishing.
The record that governs IT also defends your ESG numbers — Scope 3 carbon, certified disposal and disclosure packs that reconcile, with no second dataset.
Scope 3 IT carbon is estimated on spreadsheets with no provenance — it won't survive assurance.
Carbon Accounting computes stacked Scope 3 CO₂e by asset class (use-phase, waste, SaaS) — every number carries its source, confidence and pinned assumption-set version.
Carbon AccountingRetired hardware walks out carrying data and disposal liability, with no certificate trail.
E-Waste & Disposal logs each disposal with a wipe certificate and recycling rate; the Disposal Marketplace matches assets to certified partners and auto-attaches the certificate (e.g. C3-2026-123).
E-Waste & Disposal · Disposal MarketplaceCSRD, GRI, SEC, TCFD and an insurer's risk file each seem to need their own dataset — and the numbers never agree.
Framework Reports generate CSRD/ESRS, GRI, SEC, TCFD, ISO 14001 from one canonical dataset; Insurance Export ships a per-asset risk dataset; Market Intel shares only k-anonymous aggregates (k≥10).
Framework Reports · Insurance Export · Market IntelRather than explain the lenses in the abstract, we follow one connected thread through all six. Each does something concrete and different — and a single composite governance posture score is never rebuilt, only accumulated.
Our thread: WS-4471 — a Design-team MacBook, its Adobe seats, an OpenAI key, the user behind it, and the software vendor.
Build the record — 1,760 assets, 0 conflicts. WS-4471 flagged EOL; $116,950 licence risk quantified.
The ungoverned OpenAI key gets an owner and a cap; the shadow key is revoked.
Duplicate tool consolidated, idle seats reclaimed; $2.09M of spend GL-mapped.
Stale admin removed, leaver deprovisioned in minutes; 0 SoD violations.
Everything so far becomes evidence — 6 frameworks green, 0 drift.
Vendor T&C scored & flagged, breach surfaced; renewal leverage created.
Read the score climb left to right: each lens adds a concrete, different thing to the same record. Then ZentriPulse resolves what no single lens can see.
See the lenses in action — the live, interactive walkthroughCompliance didn’t gather new evidence — it reused what the other lenses already produced. Single items from our thread, each satisfying several frameworks at once. This is precisely why the posture jumped +13 at compliance with no new fieldwork.
| Evidence already on the record | SOC 2 | ISO 27001:2022 | SEBI CSCRF | DPDP / RBI |
|---|---|---|---|---|
| Disk encryption on WS-4471from the agent · Lens 01 | CC6.1information protection | A.8.24use of cryptography | Data-protection standard | Reasonable security safeguards |
| Access-review certificationfrom Identity · Lens 04 | CC6.2 · CC6.3access provisioning & review | A.5.15 · A.5.18access control & rights | Identity & access management | Access-limitation safeguard |
| HMAC-signed audit loggovern by construction | CC7.2 · CC8.1monitoring & change | A.8.15 · A.8.16logging & monitoring | SOC / audit logging | Breach evidence & accountability |
| Vendor T&C score + breach feedfrom Vendor · Lens 06 | CC9.2third-party risk | A.5.19–A.5.22supplier relationships | Supply-chain risk · SBOM | Data-processor obligations |
| AI token ledgerfrom AI & LLM · Lens 02 | CC7.2monitoring | A.8.16 + ISO 42001 | Technology-risk governance | Purpose & accountability |
One certification. Five frameworks. Zero re-collection.
Mappings are illustrative. SOC 2 (TSC) and ISO 27001:2022 Annex A references are indicative; SEBI CSCRF, RBI and DPDP are shown by control area. Validate exact clause mapping with your auditor before relying on it.
Change one thing: the tenant is now a SEBI-regulated fintech in Mumbai. Nothing about the record changes — what changes is which mandates it must answer, and where the data is allowed to live. A Western baseline answers SOC 2; it does not answer SEBI, RBI, IRDAI or DPDP.
DPDP Rules 2025 notified (Gazette G.S.R. 846(E)); the Data Protection Board of India is live. The 18-month compliance clock starts.
Consent Manager provisions take effect. A Jan 2026 MeitY consultation has proposed accelerating full compliance to ~12 months — not yet gazetted.
Full substantive compliance. No grace period; penalties up to ₹250 crore per violation type; 72-hour breach notification.
SEBI CSCRF (Aug 2024, effective 2025), the RBI Cyber Security Framework and IRDAI guidelines for insurers already apply.
The creative agent (Lens 02) and the T&C scanner (Lens 06) run on the per-tenant self-hosted LLM — customer data and contracts are analysed in-boundary. “Trust us, it’s in Virginia” is not an audit answer in Mumbai.
WS-4471’s location and each SaaS and vendor’s residency feed a data-residency risk score — exactly what DPDP’s safeguards and cross-border rules turn on.
SEBI CSCRF mandates SBOM and supply-chain risk. Software Intelligence (Lens 01) ingests SBOM/CVE/EOL and the breach feed (Lens 06) watches the supply chain — already on the record.
Shared SaaS-spend benchmarks are k-anonymous (k≥10), so a regulated fintech’s posture is never re-identifiable in any aggregate.
Same record, four more frameworks — the Compliance dimension now carries SEBI CSCRF · RBI · IRDAI · DPDP beside SOC 2 and ISO, on the same evidence set you already collected.
AssetZentri supports the security, audit, asset-lifecycle and vendor-risk obligations of these regimes; it is not itself a DPDP Consent Manager. Regulatory dates are current as of mid-2026 — a 2026 MeitY consultation has proposed accelerating the DPDP deadline; reverify before publishing.
The last 3 points come from connecting the dots. WS-4471 is one record holding an unused Adobe seat on a device past end-of-life, running software from a vendor with a risky T&C and a fresh breach, last assigned to a user with an orphaned admin grant. No single tool sees that line — only one record can. ZentriPulse ranks it and proposes one fix: decommission the device, reclaim the seat, revoke the grant, flag the vendor — you approve, caged agents execute behind an in-boundary LLM and a kill switch, and every step lands on the append-only ledger as instant evidence.
Legacy tools stop at the alert. Because ZentriPulse reads one complete record across all six domains, it ranks the risks and savings that matter — then closes the loop, with you in control at every step.
A signal no single tool sees — an unused licence on a device with a risky T&C and an orphaned grant.
Ranks it by cost and risk and drafts the remediation — reclaim, revoke, rotate, renegotiate.
Nothing acts alone. You approve, defer or dismiss — human-in-the-loop by design.
On approval, caged agents carry it out behind in-boundary LLMs and a kill switch.
Every action recorded immutably — instant evidence for the next audit.
An asset-linked service desk — tickets auto-collect system info (hostname, serial, OS, model) and tie to the device, so every issue already knows its context.
Row-level tenant isolation, automated provisioning and per-tenant config let MSPs serve every client from one console — no per-client tool stack.
mTLS device identity, field-level encryption, 5-tier RBAC and TOTP MFA — the platform is built to the controls it audits you against.
Evidence collects itself, drift trends to zero, and every framework — SOC 2, ISO 27001, SEBI CSCRF, RBI, IRDAI and DPDP — stays green between audits. The audit becomes an export, not a scramble — and the cost of non-compliance trends to zero.
The fastest way to understand AssetZentri is to connect the tools you already run, watch the registry build itself, and see ZentriPulse rank what to fix first.