Operations | Monitoring | ITSM | DevOps | Cloud

Traditional data protection followed a straightforward principle: Data stored in is protected by the laws of country A; data stored in country B is protected by the laws of country B. But in today’s global economy, where your data physically resides no longer determines which governments can demand access to it. Cloud infrastructure brought new jurisdictional complexity.

Three months ago, a CIO told me her organization had “already deployed agents.” Her endpoint team assumed she meant the telemetry clients on every managed laptop. Her service desk thought she meant AI chatbots. Meanwhile, her security architect heard “autonomous decision-making.” They were all right and all talking past each other. This is the agent confusion problem.

In everyday life, ignoring what you cannot see may feel harmless. In IT, it creates a false sense of security and a costly illusion. Although many organizations use some form of asset discovery, 2026 security research from Ivanti reveals that more than 1 in 3 IT professionals (38%) report having insufficient data about devices accessing their networks, and 45% say they lack adequate information about shadow IT. This lack of visibility leaves critical assets at risk of going undetected and unmanaged.

Endpoint visibility has always been foundational to IT and security. You can’t secure, patch or support what you can’t see. But as environments have become more distributed and complex, what visibility means has evolved. It’s no longer enough to know that a device exists — IT teams and organizations as a whole need to understand its health, its risk posture and its impact on both security and user experience.

"We see 10,000 critical vulnerabilities!" "We patched everything last week!" This conversation happens in enterprise IT departments every single day. Security teams present dashboards filled with red alerts. IT teams show deployment reports at 98% success. Both teams are looking at real data. Both are absolutely correct. And both are totally blind to what's actually happening across the endpoint environment. This isn't a people problem — your teams aren't incompetent.

Proof of condition — it’s been around for decades and serves to verify the integrity of everything from material goods to heavy equipment and myriad assets in between. A paper process from the beginning, it has been accompanied by photographs, rubber stamps, and signatures along the way. Still, hard to believe that a quarter way through the 21st century, with ubiquitous mobile device options, so many of these processes continue to reside on clipboards.

Endpoint management is one of the most critical — and most contested — areas of enterprise governance. Every organization depends on endpoints, yet many still struggle to answer a fundamental question: who actually owns these devices? In many environments, IT and security teams are both confident they’re doing the right thing, yet still talk past each other. Security looks at a scanner and sees 10,000 critical vulnerabilities; IT looks at a patch report and sees everything deployed.

Application control is one of those security topics where many people carry old assumptions. Traditional allowlisting feels safe but quickly becomes a maintenance burden. Blocklisting feels reactive and incomplete. And while tools like Microsoft AppLocker led many to believe that strict allowlisting is the gold standard, modern attacks have proven otherwise. Attackers increasingly rely on legitimate, signed tools — used in the wrong context — to bypass list-based controls entirely.

In my time at Ivanti, I've witnessed firsthand how AI acts as a force multiplier across enterprise organizations. When deployed strategically, AI accelerates decision-making and operational execution at scale in a way that teams simply can't sustain manually. However, without clear and enforceable AI guardrails, implementing AI opens organizations up to serious new risks.

Most CEOs can recite their quarterly benchmarks and revenue down to the decimal point, but ask them about their organization's cyber risk exposure, and the answers become more vague. It's not that today’s CEOs don’t care about security — cybersecurity ranks among the top concerns for boards and executive teams. The problem runs deeper: a fundamental breakdown in how security risks are explained to business leaders that overlooks the impacts on their business outcomes.