AI in Finance

The software you didn't buy

Your people now build software faster than anyone can govern it — low-code, vibe-coding, AI agents — and software asset management can't even see it.

A grid of small software cards: solid cards labelled 'Bought · Governed' give way to dashed-outline cards labelled 'Built · Unseen' — the software a company makes itself but never tracks.

Software asset management was built on a simple premise: you buy software, so you can count it, govern it, and control what it costs. Every discipline in SAM — licenses, renewals, access reviews, compliance — assumes a purchase somewhere upstream. A contract. An invoice. A vendor on the other end. And buying did more than make software visible — it vetted it: whatever you hadn’t bought, you hadn’t approved, and that absence was itself a fair signal it didn’t belong.

That premise is quietly breaking. The fastest-growing software in most companies today isn’t bought. It’s built — and increasingly, it’s built by people who aren’t engineers, with help from AI that writes the code for them.

The new builders

Three things converged. Low-code and no-code platforms — Power Apps, Retool, and the like — let a finance analyst or an ops manager assemble a working app without writing much code. Vibe-coding — describing what you want to an AI and letting it generate the software — pushed that further, collapsing the cost of building an app to an afternoon and a prompt. And AI agents now carry out multi-step work on their own, wired together by the same non-engineers.

The scale is already large and growing fast. One security vendor pegs the average large enterprise at roughly 80,000 apps, agents, and automations built on low-code platforms — nearly two-thirds of them carrying a known vulnerability. Gartner expects the typical large enterprise to go from fewer than 15 AI agents today to more than 150,000 by 2028, and for 40% of enterprise apps to ship with task-specific agents by the end of 2026. Argue with the exact figures if you like; the direction isn’t in doubt. Your company is becoming a software producer, whether or not anyone decided that on purpose.

Why SAM can’t see it

Here’s the problem. Every tool built to govern your software estate finds software (mostly) the same way — through the traces a purchase leaves. SaaS-management platforms discover apps by reading SSO logins, expense reports, and vendor contracts. That’s how they catch shadow IT: someone expensed a tool, or signed in through Okta.

An app your analyst vibe-codes in an afternoon leaves none of those traces. There’s no login event, because no one signs up. No invoice, because nothing was purchased. No contract, because there’s no vendor — the vendor is your own employee. The entire discovery mechanism SAM depends on is structurally blind to software that was built rather than bought. The build is not traceless: it shows up in the building platform’s own admin records and in the data connections the app was granted, which is where a discovery tool would have to look. But that is not where SAM tooling looks today. You can’t manage what you can’t see, and the tools can’t see this.

A slice of the estate with no invoice

For a finance leader, this isn’t an IT curiosity. It’s a fast-growing part of the software estate that carries real cost, real risk, and no contract to audit.

The cost is hidden — compute and storage, the engineering time to maintain or later untangle these apps, and the remediation bill when one of them breaks or leaks. The risk is concrete: an app a non-engineer assembled with AI is far likelier to mishandle data or carry a security hole — recall that two-thirds figure. And the liability has a name finance will recognize: orphaned software. The analyst who vibe-coded the tool that now runs part of your month-end close leaves the company. What’s left behind is an undocumented, unowned, business-critical asset with no SLA, no support, and no one who fully understands it. SAM’s most mundane disciplines — who owns this, who can access it, when is it retired — are exactly the ones these apps were born without.

The discipline is being rebuilt — under another name

The obvious question is whether the SAM and SaaS-management vendors are extending their tools to cover this. Mostly, they aren’t. The 2025 Gartner Magic Quadrant for SaaS-management platforms still scopes the category to purchased SaaS; the incumbents’ “shadow AI” features flag employees signing up for outside AI tools, not the apps employees build.

Instead, the discipline is being reinvented under a different name. A young category — call it agent governance, or AI TRiSM, or simply managing agent sprawl — is doing work SAM would recognize instantly: discover every internally-built app and agent, attach an owner, map its access and integrations, watch its behavior, and retire it on a lifecycle. New entrants are building exactly this; the big platforms are adding native governance for the apps built on them; and Gartner has now named the problem outright. It is, almost line for line, software asset management — for software you didn’t buy. The irony is that the vendors who own the words “software asset management” are largely not the ones extending the idea to where the software is actually growing.

What this means for finance

You don’t need to predict which tool wins to act. The mandate is the same one SAM always carried; only the software changed. A few moves:

  • Count it. Insist that “the software estate” includes what your people build, not just what they buy. An inventory that stops at purchased SaaS is now missing its fastest-growing part.
  • Name an owner for every build. The cheapest insurance against orphaned software is a rule that nothing business-critical runs without a named, current owner.
  • Tier the governance by risk. Don’t choke citizen innovation — most internal apps are harmless. Govern hard the ones that touch money, customer data, or compliance; leave the rest light. Uniform control fails both ways.
  • Demand discovery that catches builds, not just logins. When you next evaluate a SAM or governance tool, the question is no longer only “how well does it manage our vendors” — it’s “can it even see the software we make ourselves.”

The companies that handle this well won’t be the ones that ban the building — that fight is already lost, and the productivity is real. They’ll be the ones that extend the boring, valuable disciplines of software asset management to a world where the company makes as much software as it buys. The premise changed. The job didn’t.

Related questions

Does software asset management cover internally-built and AI-generated apps?
Mostly no. SAM and SaaS-management tools discover software through the traces a purchase leaves — SSO logins, expense reports, vendor contracts — none of which exist for an app an employee builds with low-code or AI. The 2025 Gartner Magic Quadrant still scopes SaaS management to purchased software. The gap is being filled by a separate, newer category — AI agent governance — not by the SAM incumbents.
What is AI agent sprawl?
The rapid, largely ungoverned proliferation of AI agents and low-code apps built across a company by people who aren't engineers. Gartner expects the typical large enterprise to go from fewer than 15 AI agents in 2025 to more than 150,000 by 2028, most created outside IT — which makes inventory, ownership, and lifecycle control the central problem.
What is the financial risk of employee-built software?
It is a slice of the software estate that carries cost, security exposure, and compliance risk but has no contract to audit and often no named owner. When the employee who built a business-critical app leaves, the company inherits an undocumented, unsupported asset with no SLA — the 'orphaned software' problem. One security vendor estimates nearly two-thirds of low-code-built apps already carry a known vulnerability.