When Trust Replaces Oversight: A Lesson in IT Asset Management
Most organizations assume their IT asset management processes are working… until an unexpected signal reveals otherwise.
In this instance, a government-issued smartphone surfaced for sale on eBay, listed as “for parts.”
When a buyer powered on the device, the lock screen displayed a phone number for the agency’s IT help desk. The buyer called the number, initiating an internal investigation.
That investigation uncovered a $150,000 internal theft scheme tied to unauthorized device purchases.
More importantly, it exposed how gaps in asset management controls and role oversight can persist unnoticed when trust replaces verification.
What Is IT Asset Management?
IT Asset Management (ITAM) is the structured practice of tracking, maintaining, and optimizing all IT assets across their lifecycle — from procurement to disposal. It ensures that an organization has complete visibility and control over its hardware assets, software assets, digital assets, and virtual assets, as well as the systems and processes used to manage them. Examples of IT assets include laptops, IT servers, mobile devices, operating systems, network technologies, software licenses, and cloud-based applications.
Real-world ITAM involves using an asset management system or IT asset management software to conduct asset discovery, monitor usage, and align with IT lifecycle and service management strategies. This helps reduce asset risk, control costs, maintain compliance during a software audit, and improve return on investment by optimizing asset utilization across the organization.
What Happened With the 250 Stolen Government Phones?
A Role With Broad Authority
The investigation found that a single systems administrator held both procurement authority and unrestricted technical access.
Over an extended period, this individual ordered a large number of mobile devices using valid purchasing mechanisms.
Because the transactions followed standard processes on the surface, they did not immediately raise concerns.
The devices were then diverted and resold, exploiting gaps in approval workflows and enforcement of asset management controls.
How the Scheme Was Discovered
The activity came to light when one device was sold without being fully decommissioned.
Its configuration retained identifying information associated with the organization’s IT service management process, including contact details for support.
This unintentional traceability enabled investigators to connect the asset back to internal systems.
The incident highlighted the importance of asset discovery and data hygiene throughout the IT asset lifecycle.
Ironically, a routine lifecycle management practice, meant to support end users, provided the key link that exposed the issue.
Why This Was Not Just an Individual Failure
The Limits of “Bad Actor” Explanations
It is tempting to frame incidents like this as the result of a single rogue employee.
While individual accountability matters, that framing can obscure broader structural weaknesses.
Focusing exclusively on intent overlooks how role design, process gaps, and lack of enforced oversight can enable misuse to persist undetected.
In this case, the absence of segregation of duties and inconsistent enforcement of service management processes created conditions where inappropriate activity could occur without triggering review.
When Trust Substitutes for Oversight
Employees in long-standing roles often accumulate responsibilities incrementally.
Over time, this can blur boundaries between purchasing authority, system access, and operational oversight.
Even when asset management systems exist, their effectiveness depends on consistent enforcement and clearly assigned ownership.
Oversight failures are often less visible than technical vulnerabilities, yet they can be just as consequential.
The Structural Issue: Role Design and Segregation of Duties
Why Combining Procurement and Access Increases Risk
Roles that combine authority over both purchasing and system administration create opportunities for misuse that may not be immediately obvious.
In fast-moving IT environments, such combinations are sometimes justified for efficiency, but they reduce independent checks within the asset lifecycle.
When IT asset management tools do not enforce role separation, or when alerts are not actively monitored, misuse of hardware assets, network equipment, or servers can go unnoticed.
How Small Gaps Become Expensive Over Time
In this case, no system flagged the growing volume of purchases or the unusual pattern of asset movement.
These gaps in inventory tracking and asset registration allowed the issue to develop gradually rather than appearing as a single anomalous event.
Such blind spots are often treated as administrative oversights, but they represent structural weaknesses.
When left unaddressed, they can increase the total cost of ownership of IT assets and expose organizations to financial and reputational harm.
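A sketch of the two checks this section and the previous one say were missing, added here as an example and not taken from the agency or any ITAM product: it reconciles purchase orders against the asset register and flags orders whose requester approved them or also holds administrator access. All names, serial numbers and the 20% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (po_id, requester, approver, serials on the order).
PURCHASES = [
    ("PO-1001", "alice", "bob", ["SN001", "SN002"]),
    ("PO-1002", "carol", "carol", ["SN003", "SN004", "SN005"]),
    ("PO-1003", "carol", "carol", ["SN006", "SN007", "SN008", "SN009"]),
    ("PO-1004", "alice", "bob", ["SN010"]),
]
REGISTER = {"SN001", "SN002", "SN003", "SN010"}  # serials enrolled in the asset register
SYSTEM_ADMINS = {"carol"}  # hypothetical accounts with unrestricted technical access


def review_purchases(purchases, register, admins, max_missing_ratio=0.2):
    """Return (sod_findings, unregistered, flagged_requesters).

    sod_findings: segregation-of-duties violations per purchase order.
    unregistered: purchased serials that never reached the asset register.
    flagged_requesters: requesters whose share of unregistered devices
    exceeds max_missing_ratio across all of their orders.
    """
    sod_findings = []
    unregistered = {}
    bought = defaultdict(int)
    missing = defaultdict(int)
    for po_id, requester, approver, serials in purchases:
        if requester == approver:
            sod_findings.append((po_id, "requester approved own order"))
        if requester in admins:
            sod_findings.append((po_id, "requester also holds admin access"))
        gone = [s for s in serials if s not in register]
        if gone:
            unregistered[po_id] = gone
        bought[requester] += len(serials)
        missing[requester] += len(gone)
    flagged = sorted(r for r in bought if missing[r] / bought[r] > max_missing_ratio)
    return sod_findings, unregistered, flagged


if __name__ == "__main__":
    findings, unregistered, flagged = review_purchases(PURCHASES, REGISTER, SYSTEM_ADMINS)
    for po_id, reason in findings:
        print(f"{po_id}: {reason}")
    for po_id, serials in unregistered.items():
        print(f"{po_id}: not in register: {', '.join(serials)}")
    print("requesters to review:", flagged)
```

Run on a schedule by someone outside the purchasing role, a reconciliation like this turns gradual diversion into a growing list of unregistered serials rather than a pattern no system reports.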
Why This Pattern Extends Beyond Government
This pattern extends beyond government because similar risks exist in private organizations and because insider risk is often structural, not intentional.
Similar Risks Exist in Private Organizations
The dynamics revealed in this incident are not unique to public-sector environments.
Many private organizations allow IT teams to manage procurement, asset discovery, vendor relationships, and software audits with limited separation of responsibilities.
While this approach may simplify operations in the short term, it can result in informal IT portfolio management, where physical assets, virtual assets, and software licenses lack consistent oversight.
Insider Risk Is Often Structural, Not Intentional
In many cases, insider risk does not originate from deliberate wrongdoing but from how work is structured.
When roles lack clear boundaries and controls rely on assumptions rather than verification, vulnerabilities emerge regardless of intent.
This is why even well-designed IT asset disposition strategies depend on clearly defined responsibilities and enforceable controls across the asset lifecycle.
What Organizations Can Learn About IT Asset Management
When it comes to IT asset management, organizations can learn to design roles with constraints, not just trust, and to treat internal controls as a process and talent issue.
Design Roles With Constraints, Not Just Trust
Reducing risk requires ensuring that no single role has unchecked authority over both asset acquisition and system access.
This involves thoughtful job design, documented accountability, and the use of IT asset management systems to support—not replace—segregation of duties.
Trust remains important, but controls should be designed to identify errors or misuse early, before they scale.
Treat Internal Controls as a Process and Talent Issue
Effective internal controls depend as much on role clarity and ownership as on technology.
Asset lifecycle stages—from acquisition to disposition—require defined responsibility and consistent enforcement.
Organizations that view internal controls solely as a tooling problem often miss the underlying issue: systems are only as effective as the processes and people responsible for operating them.
Effective IT Asset Management Starts With Role Design
This incident was not uncovered through a scheduled audit or automated alert.
It came to light because an overlooked system functioned as designed, providing a point of traceability that connected a physical asset back to internal processes.
Strong IT asset management requires more than tools and policies. It depends on deliberate role design, active oversight, and clear accountability across the asset lifecycle.
When trust gradually replaces verification, risk accumulates quietly. Sustainable asset governance is less about preventing bad behavior—and more about building structures that make quiet failure difficult to sustain.


