One record · six lenses · one climbing score

Watch a governance posture build, lens by lens.

Rather than explain the six lenses in the abstract, we follow one connected thread — a single device and the apps, keys and vendor attached to it — through all six. Each lens does something concrete and different, and a single composite governance posture score climbs as the record fills in. The principles appear as tags, not paragraphs.

Our thread: WS-4471 · a Design-team MacBook · its Adobe seats · an OpenAI key · the user behind it · the software vendor
The five principles — the tags you'll see

Not slogans. The physics every lens obeys.

P1 · One record: 15+ sources dedup into one authoritative asset; work done once counts everywhere.
P2 · See the hidden: five-channel discovery surfaces the shadow estate, including shadow AI.
P3 · Record → action: ZentriPulse proposes the fix, then on approval executes it and logs it.
P4 · Govern by construction: HMAC-signed logs, nightly SAM, append-only ledger, cross-framework mapping.
P5 · Sovereign by default: India-first frameworks, in-boundary LLM, k-anonymous benchmarks.
Lens 01 · Asset Management · Core · the denominator

First, build the record everything else reads.

Connect Intune, Azure AD, OpenAudit and the GL. Fifteen-plus feeds that disagree collapse into 1,760 assets, 0 conflicts. One device — WS-4471, a Design-team MacBook — surfaces as past end-of-life with 3 unused Adobe seats; the nightly SAM run quantifies $116,950 of licence risk across the estate.

  • P1 · Dedup. WS-4471's hardware is taken from the agent, its compliance state from Intune, its cost from the GL: one record, most-authoritative-source-wins.
  • P2 · Discover. Agent + network find devices no MDM enrolled; Software Intelligence normalises 2,325 titles and flags WS-4471 past EOL.
  • P4 · Reconcile. SAM runs nightly, true-ups entitlements against real installs, surfaces 1,536 under-licensed items.

On the record now: 1,760 governed assets · WS-4471 flagged EOL · 3 Adobe seats idle · $116,950 licence risk quantified.
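How a field-level "most-authoritative-source-wins" merge can be built, as an added example that is not AssetZentri's code: the feed names, the per-field authority order and the six payloads for WS-4471 are constructed assumptions, and the feeds are made to disagree on purpose so the provenance and override trail has something to show.

```python
"""Field-level "most-authoritative-source-wins" merge into one asset record.

Added example, not AssetZentri code. Feed names, the per-field authority
order and the payloads are constructed assumptions.
"""

# Ranked sources per field, highest authority first. Mirrors the page's split:
# hardware facts from the agent, compliance state from Intune, cost from the GL.
FIELD_AUTHORITY = {
    "serial":      ["agent", "intune", "openaudit"],
    "model":       ["agent", "intune", "openaudit"],
    "os_version":  ["agent", "intune"],
    "compliant":   ["intune", "agent"],
    "eol":         ["software_intel", "openaudit"],
    "annual_cost": ["gl", "openaudit"],
    "owner":       ["azure_ad", "intune", "gl"],
}

# Constructed feed payloads for WS-4471. They disagree on purpose.
FEEDS = {
    "agent":          {"serial": "C02ZX4471", "model": "MacBook Pro 16 2019", "os_version": "13.6.7"},
    "intune":         {"serial": "C02ZX4471", "model": "MacBookPro16,1", "os_version": "13.6.7",
                       "compliant": True, "owner": "jane.d", "last_checkin": "2025-05-30"},
    "openaudit":      {"serial": "c02zx4471", "model": "MacBook Pro 16 2019", "annual_cost": 0, "eol": False},
    "software_intel": {"eol": True},
    "gl":             {"annual_cost": 2400, "owner": "design-team-cc-410"},
    "azure_ad":       {"owner": "jane.d"},
}


def normalise(value):
    """Compare strings case- and whitespace-insensitively so 'c02zx4471' == 'C02ZX4471'."""
    return value.strip().lower() if isinstance(value, str) else value


def merge_record(feeds, authority):
    """Return (record, provenance, overridden).

    record:     one value per field, taken from the highest-ranked source that has it
    provenance: which source won each field (the audit trail behind 'one record')
    overridden: lower-ranked values that disagreed with the winner and were discarded
    """
    record, provenance, overridden = {}, {}, []
    for field, ranked in authority.items():
        candidates = [(src, feeds[src][field]) for src in ranked
                      if src in feeds and field in feeds[src]]
        if not candidates:
            continue        # no feed knows this field; leave it unset rather than guess
        win_src, win_val = candidates[0]
        record[field], provenance[field] = win_val, win_src
        for src, val in candidates[1:]:
            if normalise(val) != normalise(win_val):
                overridden.append({"field": field, "kept": win_src, "overridden": src, "value": val})
    return record, provenance, overridden


def unsourced_fields(feeds, authority):
    """Fields some feed reports but no authority ranking covers: these would be silently dropped."""
    seen = {f for payload in feeds.values() for f in payload}
    return sorted(seen - set(authority))


if __name__ == "__main__":
    rec, prov, over = merge_record(FEEDS, FIELD_AUTHORITY)
    for f, v in rec.items():
        print(f"{f:12} = {v!r:24} from {prov[f]}")
    print(f"{len(over)} lower-ranked values overridden; unsourced fields: {unsourced_fields(FEEDS, FIELD_AUTHORITY)}")
```

The override list is what "0 conflicts" should mean in practice: every disagreement was resolved by a declared precedence and is still visible, not averaged away. The `unsourced_fields` check is the one most merges forget: a field a feed reports but no ranking covers is dropped silently unless you look for it.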

Lens 02 · AI & LLM Governance · New

Now the AI nobody tracked gets an owner and a cap.

The same Design team runs a creative agent on an OpenAI key nobody registered. AssetZentri pulls that key onto the same record as WS-4471 — and finds a second, ungoverned key in another team.

  • P1 · Register. The key gets an owner (Design), an environment tag (prod), the agent it powers and a budget, and sits beside the device on one record.
  • P3 · Cap. BudgetGuard checks every call before it fires: downgrade the model at 80%, freeze at the cap. The stray key is revoked.
  • P5 · Contain. The agent is pointed at the per-tenant self-hosted LLM, so brand assets and prompts never leave the boundary.

Added to the record: 2 LLM keys governed · 1 shadow key revoked · spend capped per agent · calls on the append-only ledger.
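What a pre-call budget gate has to do to deliver "downgrade at 80%, freeze at the cap", as an added example rather than AssetZentri's BudgetGuard: the model names, the per-token prices, the key registry and the $100 cap are constructed assumptions. The point the prose does not show is that the check must reserve the worst case (the call's maximum output tokens) before the call fires, otherwise the cap is only discovered after it has been crossed; and that a key which is not on the record gets no budget and therefore no call.

```python
"""Pre-call budget gate for LLM keys: downgrade at 80 % of the cap, freeze at
the cap, and refuse calls on keys that are not on the record.

Added example, not AssetZentri's BudgetGuard. Model names, per-token prices,
the key registry and the budgets are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed price list: USD per 1,000 tokens (input, output).
PRICES = {"gpt-large": (0.010, 0.030), "gpt-small": (0.0005, 0.0015)}
DOWNGRADE = {"gpt-large": "gpt-small"}      # preferred model -> cheaper fallback


@dataclass
class KeyBudget:
    key_id: str          # fingerprint of the key on the record, never the secret itself
    owner: str
    agent: str
    env: str
    cap_usd: float
    spent_usd: float = 0.0
    ledger: list = field(default_factory=list)


def estimate_cost(model, prompt_tokens, output_tokens):
    in_price, out_price = PRICES[model]
    return prompt_tokens / 1000 * in_price + output_tokens / 1000 * out_price


def budget_guard(budget, model, prompt_tokens, max_output_tokens, downgrade_at=0.8):
    """Decide BEFORE the call fires. Returns (decision, model_to_use, reserved_usd).

    The reservation is priced at max_output_tokens, the worst case the call could
    bill, so a call that might cross the cap is frozen rather than found afterwards.
    """
    if budget.spent_usd >= budget.cap_usd:
        return "freeze", None, 0.0
    use_model = model
    if budget.spent_usd / budget.cap_usd >= downgrade_at:
        use_model = DOWNGRADE.get(model, model)       # no cheaper tier: keep the model
    reserved = estimate_cost(use_model, prompt_tokens, max_output_tokens)
    if budget.spent_usd + reserved > budget.cap_usd:
        return "freeze", None, reserved
    return ("downgrade" if use_model != model else "allow"), use_model, reserved


def gate(registry, key_id, model, prompt_tokens, max_output_tokens):
    """Registry lookup first: a key nobody registered has no owner, no budget and no call."""
    budget = registry.get(key_id)
    if budget is None:
        return "unregistered", None, 0.0
    return budget_guard(budget, model, prompt_tokens, max_output_tokens)


def settle(budget, model, prompt_tokens, output_tokens):
    """After the call: bill the actual usage and append it to the key's ledger."""
    actual = estimate_cost(model, prompt_tokens, output_tokens)
    budget.spent_usd += actual
    budget.ledger.append({"model": model, "prompt": prompt_tokens,
                          "output": output_tokens, "usd": round(actual, 6)})
    return actual


# Constructed registry: the Design team's key is on the record; a stray key will not be.
REGISTRY = {
    "key:design-creative-01": KeyBudget("key:design-creative-01", "Design",
                                        "creative-agent", "prod", cap_usd=100.0),
}

if __name__ == "__main__":
    b = REGISTRY["key:design-creative-01"]
    for spent in (0.0, 85.0, 99.999, 100.0):
        b.spent_usd = spent
        print(spent, budget_guard(b, "gpt-large", 2000, 1000))
    print("stray key:", gate(REGISTRY, "key:unknown-77", "gpt-large", 2000, 1000))
```

Settling on actual tokens after the call is what keeps the ledger honest; the reservation is only the admission decision. Note that `budget_guard` at 80% re-prices the cheaper model and can still freeze if even that would cross the cap.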

Lens 03 · SaaS & Spend

The same record exposes the waste — and recovers it.

Five-channel discovery surfaces 598 SaaS apps and a 2,306-deep pending queue. Two of them are the same design tool, bought separately by two departments; 40% of Zoom seats sit idle; one contract auto-renews next week.

  • P2 · Find. Email, OAuth, browser and network channels catch the apps SSO never logged, each risk-scored to approve, ignore or reject.
  • P3 · Recover. ZentriPulse proposes consolidating the duplicate, reclaiming idle seats and the 3 Adobe seats from Lens 01; on approval, the saving is booked.
  • P4 · Allocate. $2.09M of spend mapped to the GL with budget-vs-actual; Renewal Briefs flag everything due within 30 days.

Added to the record: 598 SaaS mapped · duplicate consolidated · 15–25% recoverable booked · spend GL-allocated.

Lens 04 · Identity & Access · Core

Who can touch it — enforced, and revoked in minutes.

The Design-team user behind WS-4471 still holds an admin grant from a project that ended — and a combination that breaks segregation of duties. Then they resign in Workday.

  • P2 · Detect. Privilege-drift flags the 90-day-stale admin; peer-group anomaly catches the toxic SoD pair no single log would.
  • P3 · Revoke. JIT replaces the standing rights; on the resignation, the playbook deprovisions across Slack, GitHub and AWS in minutes, kill switch on standby.
  • P1 · Tie. Every grant is bound to the person, the device and the app on the record, so nothing is left orphaned.

Added to the record: stale admin removed · 0 SoD violations · leaver fully deprovisioned in minutes.
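The three detections in this lens and the leaver plan, run over a constructed grant table, as an added example that is not AssetZentri's playbook: the users, teams, entitlement names, the two toxic pairs, the 90-day threshold and the peer-prevalence cut-off are all assumptions. The peer-group check is the one a log-based rule cannot do; it needs the whole team's grants on one record to know that an entitlement held by one Design user in five is unusual.

```python
"""Detection logic for Lens 04: stale privileged grants, segregation-of-duties
pairs, peer-group anomalies, and the deprovisioning plan for a leaver.

Added example, not AssetZentri's playbooks. The grant table, the toxic pairs,
the thresholds and the team names are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

TODAY = date(2025, 6, 1)                                     # assumed "now" for the demo
PRIVILEGED = {"aws:admin", "gh:admin"}                       # assumed privileged entitlements
TOXIC_PAIRS = [                                              # assumed SoD conflicts
    frozenset({"ap:create_vendor", "ap:approve_payment"}),
    frozenset({"gh:admin", "prod:deploy_approve"}),
]

# Constructed grants: (user, team, entitlement, last_used). jane.d is the
# Design user behind WS-4471; the others are peers and control cases.
GRANTS = [
    ("jane.d",  "design",  "aws:admin",          date(2025, 2, 20)),   # project ended, unused since
    ("jane.d",  "design",  "adobe:cc",           date(2025, 5, 30)),
    ("jane.d",  "design",  "ap:create_vendor",   date(2025, 5, 28)),
    ("jane.d",  "design",  "ap:approve_payment", date(2025, 5, 29)),
    ("amir.k",  "design",  "adobe:cc",           date(2025, 5, 30)),
    ("amir.k",  "design",  "figma:editor",       date(2025, 5, 30)),
    ("lee.p",   "design",  "adobe:cc",           date(2025, 5, 29)),
    ("lee.p",   "design",  "figma:editor",       date(2025, 5, 29)),
    ("sara.m",  "design",  "adobe:cc",           date(2025, 5, 30)),
    ("sara.m",  "design",  "figma:editor",       date(2025, 5, 30)),
    ("tom.r",   "design",  "adobe:cc",           date(2025, 5, 27)),
    ("tom.r",   "design",  "figma:editor",       date(2025, 5, 27)),
    ("raj.v",   "finance", "ap:create_vendor",   date(2025, 5, 30)),
    ("priya.s", "finance", "ap:approve_payment", date(2025, 5, 30)),
    ("ben.o",   "ops",     "aws:admin",          date(2025, 5, 31)),   # admin, but in active use
]


def stale_privileged(grants, today, days=90):
    """Privileged grants not exercised for `days` or more: the privilege-drift check."""
    return [(u, e, (today - last).days) for u, _, e, last in grants
            if e in PRIVILEGED and (today - last).days >= days]


def sod_violations(grants, toxic=TOXIC_PAIRS):
    """Users holding both halves of a toxic pair, however the two grants arrived."""
    held = defaultdict(set)
    for u, _, e, _ in grants:
        held[u].add(e)
    return [(u, tuple(sorted(pair))) for u, ents in sorted(held.items())
            for pair in toxic if pair <= ents]


def peer_anomalies(grants, max_prevalence=0.25, min_team=5):
    """Entitlements a user holds that almost none of their team peers hold.

    Only teams of at least `min_team` members are scored; a smaller group gives no signal.
    """
    members, holders = defaultdict(set), defaultdict(set)
    for u, team, e, _ in grants:
        members[team].add(u)
        holders[(team, e)].add(u)
    out = defaultdict(set)
    for (team, e), users in holders.items():
        if len(members[team]) < min_team:
            continue
        if len(users) / len(members[team]) <= max_prevalence:
            for u in users:
                out[u].add(e)
    return dict(out)


def deprovision_plan(grants, user):
    """Every grant bound to the leaver, grouped by system, so nothing is orphaned."""
    plan = defaultdict(list)
    for u, _, e, _ in grants:
        if u == user:
            system, _, right = e.partition(":")
            plan[system].append(right)
    return dict(plan)


if __name__ == "__main__":
    print("stale privileged:", stale_privileged(GRANTS, TODAY))
    print("SoD violations:  ", sod_violations(GRANTS))
    print("peer anomalies:  ", peer_anomalies(GRANTS))
    print("leaver plan:     ", deprovision_plan(GRANTS, "jane.d"))
```

The Finance pair (`raj.v` creates vendors, `priya.s` approves payments) is the correct split and is not flagged; `ben.o` holds the same admin right as `jane.d` but uses it, so only the stale grant surfaces. The deprovision plan is built from the record, not from each system's own admin console, which is why a grant the system forgot to report is still on the list.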

Lens 05 · Compliance & GRC · Core

Everything so far just became audit evidence.

Nothing new is collected. WS-4471's encryption state, the access-review certification from Lens 04 and the licence true-up are already on the record — so they simply map to the frameworks.

  • P1 · Reuse. The device's encryption fact is the evidence for a control, not a re-collected artifact.
  • P4 · Map. One access certification counts for SOC 2 (CC6), ISO 27001 and SEBI at once; HMAC-signed logs prove nothing was tampered with.
  • P5 · Cover. 6 frameworks, incl. SEBI CSCRF, RBI, IRDAI, DPDP, monitored continuously; drift caught live, now 0.

Added to the record: 6 frameworks green · evidence cross-mapped · control drift 0.
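What "HMAC-signed logs prove nothing was tampered with" requires of the ledger itself (P4, and the evidence this lens reuses), as an added example that is not AssetZentri's implementation: the key, the four events from the thread and the checkpoint mechanism are constructed assumptions. Each entry carries the MAC of the entry before it, so editing or deleting an entry breaks the chain; the part practitioners most often miss is that a truncated tail still verifies, and only a checkpoint published out of band catches it.

```python
"""HMAC-signed, hash-chained, append-only ledger, with a checkpoint that catches truncation.

Added example, not AssetZentri's ledger. The key, the events and the checkpoint
mechanism are constructed assumptions about how such a ledger can be built.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _canonical(body):
    # Deterministic bytes: fixed key order and separators, so the MAC is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    def __init__(self, key: bytes):
        self._key = key          # held by the platform, never by the tenant admin
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append({**body, "mac": mac})
        return mac

    def checkpoint(self):
        """(length, head MAC). Publish this out of band, e.g. to the auditor or a separate store."""
        return len(self.entries), (self.entries[-1]["mac"] if self.entries else GENESIS)

    def verify(self, checkpoint=None):
        """Walk the chain. Returns (ok, first_bad_seq or None, reason)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
            if e["seq"] != i or e["prev"] != prev:
                return False, i, "chain broken"
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["mac"]):
                return False, i, "mac mismatch"
            prev = e["mac"]
        if checkpoint is not None and checkpoint != (len(self.entries), prev):
            return False, len(self.entries), "checkpoint mismatch (tail truncated or rewritten)"
        return True, None, "ok"


def build_thread_ledger(key=b"platform-ledger-key"):   # assumed key, demonstration only
    led = Ledger(key)
    led.append({"lens": 1, "asset": "WS-4471", "fact": "disk_encrypted", "value": True})
    led.append({"lens": 2, "key": "design-creative-01", "action": "cap_set", "usd": 100})
    led.append({"lens": 4, "user": "jane.d", "action": "admin_revoked", "system": "aws"})
    led.append({"lens": 5, "control": "SOC 2 CC6.1", "evidence_seq": 0})   # reuses entry 0 as evidence
    return led


def tamper_demo():
    """Three manipulations and what the verifier says about each."""
    results = {}
    led = build_thread_ledger()
    cp = led.checkpoint()
    results["intact"] = led.verify(cp)

    # 1. Rewrite a fact in place: the disk was not encrypted after all.
    led.entries[0]["event"]["value"] = False
    results["edited"] = led.verify(cp)

    # 2. Drop a middle entry: the next entry's seq and prev no longer line up.
    led = build_thread_ledger()
    del led.entries[2]
    results["deleted"] = led.verify(cp)

    # 3. Truncate the tail: the chain still verifies; only the checkpoint catches it.
    led = build_thread_ledger()
    del led.entries[-1]
    results["truncated_no_checkpoint"] = led.verify()
    results["truncated_with_checkpoint"] = led.verify(cp)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:26} -> {outcome}")
```

An HMAC chain proves integrity against anyone who does not hold the key; it proves nothing against the key holder. For the ledger to be evidence against the operator as well, the checkpoints must leave the operator's control (a separate store, the auditor, or a signature whose private key sits in an HSM), which is the same reason the compliance mapping below treats the log as evidence rather than as a claim.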

Lens 06 · Vendor & Contract

And the fine print behind it gets read.

The software flagged on WS-4471 comes from a vendor whose terms claim ownership of uploaded data. The breach feed then reports that same vendor was just compromised.

  • P2 · Score. The T&C scanner reads the fine print, scores the vendor 0–100, and flags it among 7 high-risk apps; the breach feed pings.
  • P1 · Link. The vendor is tied to its product on WS-4471, its contract and its spend: risk connected to what you actually run.
  • P3 · Act. ZentriPulse proposes renegotiate-or-replace before the renewal date; on approval, a task opens with the usage to negotiate from.

Added to the record: vendor scored & flagged · breach surfaced · renewal leverage created.

Example · the money view · Licence cost · savings · renewal

Where the money is — and what to reclaim.

The same record that proves your licence position also prices it. From WS-4471’s idle Adobe seats outward, AssetZentri totals what you spend, what is wasted, and what renews next — so finance acts before the auto-renewal, not after.

Cost & savings dashboard
  • $2.09M · Annual SaaS & licence spend under management
  • $418K · Recoverable this year · ≈20% of spend
  • $206K · Already reclaimed year-to-date
  • $116,950 · Under-licensing exposure surfaced by SAM
  • 1,536 · Under-licensed items pending true-up
  • 612 · Idle seats available to reclaim

Top reclaim opportunities — seats used vs paid
  • Adobe Creative Cloud · 140 / 220 seats used · $48,000 idle
  • Zoom · 360 / 600 seats used · $36,000 idle
  • Microsoft 365 E5 · 980 / 1,050 seats used · $21,000 idle
  • Atlassian · 220 / 300 seats used · $14,400 idle

Where the $418K comes from
  • Reclaim idle seats · $132,000
  • Consolidate duplicate tools · $86,000
  • Renegotiate at renewal · $78,000
  • Right-size over-provisioned plans · $74,000
  • Harvest licences from leavers · $48,000

Renewal radar — next 90 days
  • 12 days · Zoom · 600 seats · $90,000 / yr · Right-size → 380
  • 27 days · Adobe Creative Cloud · 220 seats · $132,000 / yr · Reclaim 80 first
  • 41 days · Figma · 95 seats · $28,500 / yr · Consolidate · let lapse
  • 63 days · Atlassian · 300 seats · $54,000 / yr · Review tier
  • 84 days · Microsoft 365 E5 · 1,050 seats · $441,000 / yr · Renegotiate EA

On the record: every figure ties to the asset and identity it belongs to, so a reclaim updates the SaaS & Spend posture, books the saving to the GL, and Renewal Briefs make sure no contract auto-renews unreviewed.

Figures are illustrative reference-tenant values — connect your billing, GL and contracts to populate real numbers.

Example · Cross-framework mapping · Prove once, count everywhere

One control, every framework — collected once.

Lens 05 didn't gather new evidence; it reused what the other lenses already produced. Here is that mapping made concrete — single items from our thread, each satisfying several frameworks at once. This is precisely why the posture jumped +13 at compliance with no new fieldwork.

Columns: Evidence already on the record · SOC 2 · ISO 27001:2022 · SEBI CSCRF · DPDP / RBI

Disk encryption on WS-4471 (from the agent · Lens 01)
  SOC 2: CC6.1, information protection · ISO 27001:2022: A.8.24, use of cryptography · SEBI CSCRF: data-protection standard · DPDP / RBI: reasonable security safeguards

Access-review certification (from Identity · Lens 04)
  SOC 2: CC6.2 · CC6.3, access provisioning & review · ISO 27001:2022: A.5.15 · A.5.18, access control & rights · SEBI CSCRF: identity & access management · DPDP / RBI: access-limitation safeguard

HMAC-signed audit log (govern by construction)
  SOC 2: CC7.2 · CC8.1, monitoring & change · ISO 27001:2022: A.8.15 · A.8.16, logging & monitoring · SEBI CSCRF: SOC / audit logging · DPDP / RBI: breach evidence & accountability

Vendor T&C score + breach feed (from Vendor · Lens 06)
  SOC 2: CC9.2, third-party risk · ISO 27001:2022: A.5.19–A.5.22, supplier relationships · SEBI CSCRF: supply-chain risk · SBOM · DPDP / RBI: data-processor obligations

AI token ledger (from AI & LLM · Lens 02)
  SOC 2: CC7.2, monitoring · ISO 27001:2022: A.8.16, plus ISO 42001 · SEBI CSCRF: technology-risk governance · DPDP / RBI: purpose & accountability

One certification. Five frameworks. Zero re-collection.

Mappings are illustrative. SOC 2 (TSC) and ISO 27001:2022 Annex A references are indicative; SEBI CSCRF, RBI and DPDP are shown by control area. Validate exact clause mapping with your auditor before relying on it.

Example · Sovereign by default · The India story

Run the same thread as a Mumbai fintech.

Change one thing: the tenant is now a SEBI-regulated fintech in Mumbai. Nothing about the record changes — what changes is which mandates it must answer, and where the data is allowed to live. A Western baseline answers SOC 2; it does not answer SEBI, RBI, IRDAI or DPDP.

14 Nov 2025
DPDP Rules 2025 notified (Gazette G.S.R. 846(E)); the Data Protection Board of India is live. The 18-month compliance clock starts.
~Nov 2026
Consent Manager provisions take effect. A Jan 2026 MeitY consultation has proposed accelerating full compliance to ~12 months — not yet gazetted.
14 May 2027
Full substantive compliance. No grace period; penalties up to ₹250 crore per violation type; 72-hour breach notification.
In force now
SEBI CSCRF (issued Aug 2024, effective 2025), the RBI Cyber Security Framework and IRDAI guidelines for insurers already apply.
AI that never leaves India

The creative agent (Lens 02) and the T&C scanner (Lens 06) run on the per-tenant self-hosted LLM — customer data and contracts are analysed in-boundary. "Trust us, it's in Virginia" is not an audit answer in Mumbai.

Residency → geo-risk

WS-4471's location and each SaaS and vendor's residency feed a data-residency risk score — exactly what DPDP's safeguards and cross-border rules turn on.

SBOM & supply chain

SEBI CSCRF mandates SBOM and supply-chain risk. Software Intelligence (Lens 01) ingests SBOM/CVE/EOL and the breach feed (Lens 06) watches the supply chain — already on the record.

k-anonymous benchmarks

Shared SaaS-spend benchmarks are k-anonymous (k≥10), so a regulated fintech's posture is never re-identifiable in any aggregate.

Same record, four more frameworks. The Compliance dimension now carries SEBI CSCRF · RBI · IRDAI · DPDP beside SOC 2 and ISO — and, because of the mapping above, on the same evidence set you already collected.

AssetZentri supports the security, audit, asset-lifecycle and vendor-risk obligations of these regimes; it is not itself a DPDP Consent Manager. Regulatory dates are as of mid-2026; a 2026 MeitY consultation has proposed accelerating the DPDP deadline, so reverify the dates before relying on them.

The capstone · the score closes out

Six lenses, one record — then ZentriPulse resolves it.

97/100 · AUDIT-READY · 0 DRIFT
Dimensions: Asset · AI · SaaS · Identity · Compliance · Vendor

The last 3 points come from connecting the dots. WS-4471 is now visibly one record holding it all: an unused Adobe seat (SaaS) on a device past EOL (Asset), running software from a vendor with a risky T&C and a fresh breach (Vendor), last assigned to a user with an orphaned admin grant (Identity). No single tool sees that line; only one record can (P2). ZentriPulse ranks it and proposes one fix: decommission the device, reclaim the seat, revoke the grant, flag the vendor (P3 · P1). You approve; caged agents execute behind an in-boundary LLM and a kill switch (P3 · P5); every step lands on the append-only ledger, which is instantly evidence in Compliance (P4 · P1), and the posture closes at 97, zero drift.

Read the score column back down the page: 38 → 51 → 63 → 76 → 89 → 94 → 97. Each lens added a concrete, different thing to the same record, and the posture was never re-built, only accumulated. That is the difference between visibility (a dashboard per silo) and governance: one record, read every way, scored continuously, that acts on what it finds and proves it did.