Meet CybrIQ at InfoComm 2026 · Booth C5052 · June 13–19 · Las Vegas

The asset register lies.

Every quarter, the security team certifies an inventory that already drifted from reality on day one. The spreadsheet says ten devices in the boardroom; the wire shows fourteen. Here is why that gap opens, why it does not close on its own, and what the audit will find when nobody else does.

By the CybrIQ team · 8 minute read

A CybrIQ per-port view of a Cisco Catalyst 2960 switch. Twenty-six ports listed with detected device counts and per-port risk scores. One port shows 65 detected devices, indicating gear plugged in behind the port that no asset register accounts for.

The register starts wrong.

Asset registers are built from purchase orders, deployment tickets, and the procurement system. Every device on the spreadsheet was bought, received, and assigned. That is a perfectly reasonable description of what was ordered. It is a poor description of what is connected.

The two are not the same. Devices arrive without tickets. Contractors plug in equipment they brought with them. Vendors ship replacement parts under warranty that never get logged. A swapped codec under an RMA, a temporary hotspot during construction, the cheap unmanaged switch the AV crew installed behind the rack to extend connectivity. None of those touch procurement. All of them touch the network.

It drifts further every quarter.

Consider the cadence of the spreadsheet versus the cadence of the network. Most enterprise asset registers are reviewed quarterly. The network changes every day. Even in a frozen environment, the gap grows by definition: devices fail, get replaced, get moved, get repurposed. Every change is a small drift. The drift compounds.

By the time the next audit cycle starts, the spreadsheet that was authoritative on day one is fiction. The team running it knows. The auditor will figure it out fast.

Unmanaged switches multiply the problem.

Here is where the register goes from incomplete to misleading. A registered network drop hosts one registered device. The team treats that drop as resolved. Then someone plugs a 5-port unmanaged switch into the drop, and four more devices appear on the wire behind it.

None of the four are on the register. NAC does not see them as separate endpoints. The wire knows. The register does not. In a single CybrIQ deployment, one Catalyst 2960 port resolved to 65 distinct devices behind it. The asset spreadsheet listed one.
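The register-versus-wire gap described above can be measured per port. This is an added example, not CybrIQ's code or method: it uses the switch's Layer 2 MAC address table as a simpler stand-in for the Layer 1 approach the article describes, and flags drops carrying more devices than the register lists. The sample table, the register CSV layout and all function names are constructed for illustration.

```python
import csv, io, re
from collections import defaultdict
# Constructed sample: `show mac address-table` rows from a Catalyst switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Fa0/1
  10    0011.2233.4402    DYNAMIC     Fa0/2
  10    0011.2233.44a1    DYNAMIC     Fa0/2
  10    0011.2233.44a2    DYNAMIC     Fa0/2
  10    0011.2233.44a3    DYNAMIC     Fa0/2
  10    0011.2233.44a4    DYNAMIC     Fa0/2
  20    0011.2233.4499    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 7
"""
# Constructed sample register (assumed layout): one registered device per drop.
REGISTER_CSV = """\
asset_tag,port,mac
AV-0001,Fa0/1,00:11:22:33:44:01
AV-0002,Fa0/2,00:11:22:33:44:02
AV-0003,Fa0/3,00:11:22:33:44:03
"""
ROW = re.compile(r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def norm(mac):
    """Normalise any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def wire_view(table_text, uplinks=()):
    """Port -> set of dynamically learned MACs, skipping uplink/trunk ports."""
    seen = defaultdict(set)
    for line in table_text.splitlines():
        m = ROW.match(line)
        if m and m.group(2).upper() == "DYNAMIC" and m.group(3) not in uplinks:
            seen[m.group(3)].add(norm(m.group(1)))
    return seen

def drift(table_text, csv_text, uplinks=()):
    """Per-port differences between the register and the MAC table."""
    seen, reg = wire_view(table_text, uplinks), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        reg[row["port"]].add(norm(row["mac"]))
    report = {}
    for port in sorted(set(seen) | set(reg)):
        extra, gone = sorted(seen[port] - reg[port]), sorted(reg[port] - seen[port])
        if extra or gone:  # fan_out: more MACs than registered devices on the drop
            report[port] = {"unregistered": extra, "missing": gone,
                            "fan_out": len(seen[port]) > max(1, len(reg[port]))}
    return report
```

A MAC table only lists devices that have sent traffic recently, and anything behind a NAT device appears as a single address, so a clean report here is weaker evidence than a flagged port.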

Vendor-managed devices are an accountability gap.

Modern conference rooms ship with codecs, signage players, smart cameras, and wireless presenters that are vendor-managed by design. The integrator owns the install. The vendor owns the device's firmware and lifecycle. The customer owns the network it sits on.

Nobody owns the question of whether the device on the wire today is the device that was installed last quarter. The integrator's records cover the install. The vendor's records cover the device. The customer's records cover the floor plan. None of them cover the wire.

What an auditor actually wants.

The auditor is not asking for the spreadsheet. The auditor is asking for evidence that the network you describe is the network you have. A list of devices is a starting point. A list of devices that is verifiably current is the artifact that satisfies the control.

HIPAA Security Rule §164.310, PCI 4.0 Requirement 12.5.1, SOC 2 Trust Services Criterion CC6.1, NIST CSF function ID.AM, and CMMC Level 2 control AC.L2-3.4.1 all ask the same underlying question. They each phrase it differently. They each accept different evidence shapes. They all reject "the spreadsheet says so."

The fix is structural, not operational.

The reason the spreadsheet keeps drifting is not that the security team is lazy or the asset team is sloppy. It is that the spreadsheet is the wrong data structure for the question being asked. A spreadsheet is updated by humans on a schedule. A network changes on its own, between updates, faster than humans can keep up.

The fix is to stop treating the register as the source of truth and start treating the wire as the source of truth. CybrIQ runs Device DNA™ continuously, derives each device's signature from its observable Layer 1 behavior, and keeps the inventory current as the network changes. The register does not have to be reconstructed before the audit. It is reconstructed every time a port is validated.

The takeaway. The asset register was always going to drift. The question is whether the gap closes itself, or whether the auditor closes it for you. CybrIQ closes it continuously, at the wire.


An inventory that does not depend on the spreadsheet being right.

A 30-minute working session against one of your rooms or one floor of one building. By the end of the meeting, you will have a Device DNA™ inventory drawn from the wire, dated to the second, ready for the next audit.
