Ask your CMDB how many laptops the company owns. Then ask your discovery tool. Then ask finance. You will get three numbers — and the floor holds a fourth. IT asset management in most UAE enterprises is built on systems that describe what the organisation believes it has, refreshed by tools that can only see what is switched on and talking to the network. The gap between that belief and physical reality is CMDB drift, and it grows with every joiner, leaver, office move and quiet trip to the store room.
How a CMDB starts lying
- Discovery blindness. Agents, MDM and network scans cannot see powered-off devices, sealed spares, leaver laptops in drawers, kit in transit or anything that never had an agent installed — printers, lab instruments, OT-adjacent devices.
- Records that never die. Disposal, theft and loss rarely flow back into the database, so ghost configuration items accumulate — still consuming licences, support contracts and depreciation.
- Moves, adds and changes. Desk moves, floor reshuffles and office-to-office transfers outpace manual updates; the asset exists, just not where any system says it does.
- People processes leaking. Joiners get unrecorded kit from the cupboard; leavers hand devices to managers instead of IT; both events bypass the database entirely.
- UAE-specific churn. Free zone relocations and fit-outs — DIFC, ADGM, JAFZA, DMCC, DAFZA — move estates in bulk over a weekend, and high workforce rotation multiplies the leaver-device problem.
What the lie costs
Drift reads like a hygiene problem until you price it. The recurring lines we find in UAE engagements:
- Licences and seats on ghosts. Per-device software, security-tool seats and warranty or support contracts renewed against inflated device counts — money recovered the moment the count corrects the denominator.
- Depreciation on equipment that left the building. The fixed asset register keeps depreciating disposed or missing IT kit. Under the corporate tax regime, taxable income is computed from IFRS-based accounts and the FTA expects supporting records kept for seven years — a register that cannot be physically evidenced is a weak position in any tax or statutory audit, and our ghost asset studies show how routinely it happens.
- Free zone substance and audit exposure. Qualifying free zone persons maintain audited financial statements; IT assets are part of that picture, and auditors test existence (ISA 501 discipline) — exceptions cost partner hours and management letters.
- Security debt. Unknown devices are unpatched, unmonitored and unencrypted by definition — the exact exposure the UAE PDPL and free zone data protection regimes expect you to have engineered away. Our guide to ISO 27001 asset inventory requirements shows how certification auditors surface this in minutes.
- Insurance mispricing. Premiums set on stale schedules — paying to insure ghosts, or underinsured on the unrecorded.
The fix: put a physical baseline under the database
No platform migration repairs drift, because the platform only knows what it is told. The repair is methodological, borrowed from what finance has done with fixed assets for decades:
- Wall-to-wall physical count. Every floor, rack, comms room and store cupboard — captured with serial, model, location, custodian and photos. This is the core of our IT asset inventory & audit service in the UAE.
- Tag everything while you are there. Barcode, QR or RFID — on-metal tags for racks and enclosures — so identity survives moves. With RFID asset tracking, the next count takes hours instead of weeks, which is what makes a real cycle-count cadence affordable.
- Three-way reconciliation. Floor vs discovery vs CMDB/fixed asset register, in both directions. Exceptions are classified — ghost, unrecorded, moved, duplicated, mis-assigned — and evidenced, the same discipline as fixed asset verification.
- Correct the systems, then govern the flows. A load-ready file corrects the CMDB and the register; joiner-mover-leaver, procurement and disposal processes are wired to keep them corrected, with a count cadence that proves it.
The ROI question, answered honestly
A physical count pays for itself in the unglamorous lines: harvested licences and seats, cancelled support on hardware that does not exist, depreciation and insurance corrected, audit sampling that closes in days, and a breach-response clock that starts from a known estate. One caveat from 30 years and 4,500+ projects of doing this: the count is the start, not the cure. Without tagging, owners and a verification cadence, drift resumes the Monday after handover — which is why our engagements end with the operating routine, not just the spreadsheet. And to be precise about roles: CPCON holds no ISO or SOC certifications and issues none — we deliver the physically verified asset data that your platforms, your auditors and your certifications run on. See how a banking leader improved IT asset visibility with exactly this approach.
Frequently asked questions
Why does a CMDB drift from reality even with discovery tools running?
Discovery only sees what is powered on, connected and instrumented at scan time. Devices in store rooms, leaver laptops in drawers, spares, kit in transit between offices, decommissioned-but-still-racked servers and anything without an agent never report in — while retired records linger because nobody closes them. Moves, adds and changes outpace the manual updates, and the database quietly diverges from the floor.
How do we measure how wrong our CMDB is?
With a two-direction sample or a full count: pick records and find the physical asset (record-to-floor), pick physical assets and find the record (floor-to-record). The exception rate across both directions is your accuracy number. A wall-to-wall physical inventory turns that sample into a definitive baseline and produces the corrected load file at the same time.
What does CMDB drift cost in practice?
Real money, not just untidiness: support and maintenance contracts renewed on hardware that no longer exists, software licences and security-tool seats counted on ghost devices, insurance premiums set on inflated asset schedules, depreciation running on disposed equipment in the fixed asset register, audit hours burned re-testing records, and incident response slowed because nobody trusts the asset data.
How does the UAE corporate tax regime touch the CMDB?
Indirectly but firmly. Taxable income is computed from IFRS-based accounts, so the IT lines of the fixed asset register — cost, depreciation, disposals, IFRS 16 right-of-use equipment — must reflect assets that physically exist, with records the FTA expects retained for seven years. When the CMDB, the register and the floor disagree, the tax computation inherits whichever version is wrong.
Are free zone moves really a special risk for IT assets?
Yes. Relocations and fit-outs between onshore offices and zones such as DIFC, ADGM, JAFZA, DMCC and DAFZA are where IT estates lose track of themselves: kit moves in bulk, custodianship changes overnight and store rooms absorb the overflow. Counting immediately before or after a move — and tagging everything in the process — is the cheapest accuracy you will ever buy.
Does CPCON replace our ITAM or CMDB platform?
No. We are platform-agnostic and vendor-independent: we count what physically exists, reconcile it against your ServiceNow, ManageEngine, Lansweeper or ERP data, and hand back a load-ready corrected file plus the exception evidence. Your platform stays; it just stops lying. And we make no ISO or SOC certification claims of our own — we deliver the verified data your platforms and auditors run on.