By Ian Cox, Founder & CEO of Four Dragons — former ten-year ServiceNow employee.
When a publisher audit letter lands, most organizations discover their software asset management program was theater. There is a SAM Pro module, there are some reports, and there is a spreadsheet somebody maintains on the side that everyone secretly trusts more than the platform. None of that survives contact with a real audit. What protects you is a defensible effective license position — one you can produce on demand, reconcile to entitlements, and stand behind in a negotiation. Here is what actually gets you there, and what only looks like it does.
What doesn’t protect you
- Owning SAM Pro. The module is not the program. An unconfigured or half-normalized SAM Pro produces numbers you cannot defend, which is worse than no numbers at all.
- Raw discovery counts. “We found 4,200 installs” is not a license position. Without normalization and entitlement reconciliation, it is just inventory — and publishers know it.
- A spreadsheet the team trusts. If your real license position lives outside the platform, you do not have a program; you have one person’s knowledge and a single point of failure.
- Buying more licenses to be safe. Over-provisioning to avoid audit risk is the most expensive non-solution there is. You are paying to hide a data problem.
What actually protects you
A defensible position on ServiceNow is built, not bought, and it rests on the data underneath the module:
- Software normalization done properly. Raw inventory reconciled to a clean product catalog — publisher, product, edition, version — so a discovered install maps to the right entitlement instead of a guess.
- Entitlement reconciliation. Licenses, contracts, and true-up history loaded and matched against normalized consumption, so your effective license position reflects what you own versus what you use.
- A CMDB you can trust. SAM inherits the CMDB’s credibility. If the underlying CI data is duplicated or incomplete, the license position built on it is too. Audit defense and CMDB health are the same project wearing different hats.
- A governance cadence. Normalization content and reconciliation kept current on a schedule, so the position is defensible the day the letter arrives — not three panicked months later.
The negotiation is won before the audit starts
By the time you are responding to an auditor, your leverage is already set. An organization that can produce a clean, reconciled ELP on request negotiates from a position of knowledge — you know your exposure, you know your true-up, you know where you are actually out of compliance and where the publisher is fishing. An organization scrambling to assemble the position under a deadline concedes, because uncertainty is the auditor’s best weapon. The work that protects you is the unglamorous data work you do before anyone asks.
The reframe worth keeping
Underneath most audit exposure is a skills gap, not technical debt. The tooling to run a defensible SAM program ships in the platform; what is usually missing is the platform-native discipline — normalization, reconciliation, governance — to make it produce numbers you can stand behind. A specialist closes that gap and hands the cadence back to your team, so the next audit is a report you run, not a fire you fight.
If a true-up or an audit is on your horizon, the question is not “do we have SAM Pro.” It is “can we produce a defensible license position today, from the platform, without the spreadsheet.” If the answer is no, that gap is the work.
Four Dragons is a boutique ServiceNow consultancy led by a former ten-year ServiceNow employee, delivering CMDB/CSDM, ITOM, ITAM/SAM, SPM, and Agentic AI outcomes — AI-automated, human-supervised. fourdragons.com
About the author
Ian Cox is the Founder and CEO of Four Dragons, a boutique ServiceNow consultancy specializing in CMDB/CSDM, ITOM, ITAM/SAM, SPM, SecOps, and agentic AI. He spent ten years at ServiceNow before founding the firm and works from Napa, California. Four Dragons fixes the underlying data and closes the skills gap rather than adding features.