CMDB isn’t dead – it’s the foundation of AI‑ready, regulator‑proof IT


When a critical service fails

It is 9:42am on a Monday morning. A critical digital service at your company is unavailable. Within minutes, senior IT and business leaders are on a bridge call asking the same questions they always ask during a major incident: What changed? What is impacted? Who is responsible for this? 

In many organisations, the answers are still based on assumptions. Teams piece together spreadsheets, diagrams, and personal knowledge to infer dependencies. Impact assessments are debated rather than known, and recovery takes longer than it should. 

What erodes the confidence of employees and management is not the outage itself, but the lack of shared, reliable truth while it unfolds. When impact, ownership, and severity are unclear, leaders see disagreement instead of control, delays instead of progress, and speculation instead of facts. Time stretches because decisions are deferred, and messages to management shift tone, from cautious to alarming, without a clear rationale. In that vacuum, executives are left guessing whether this is a minor disruption or a systemic failure, and uncertainty is what undermines confidence at precisely the moment leadership needs clarity. 

What changes when a CMDB can be trusted 

In organisations with a reliable Configuration Management Database (CMDB), the response looks very different. The CMDB is accurate, continuously maintained, and trusted as a single source of truth for services, dependencies, ownership, and change history, reflecting the current operating reality of IT. 

Teams can immediately see which business services are affected, which applications and platforms support them, and what recent changes may have triggered the incident. Ownership is clear. Decisions are faster and evidence based, and leadership receives signals grounded in facts rather than assumptions. The difference is not tooling sophistication, but having a shared, trusted understanding of how the digital estate actually works. 

Figure 1: CMDB and a common data model; source: ServiceNow CMDB – Product Architecture 
Why CMDB matters more in 2026 than ever before 

This distinction has become critical in 2026 for three reasons: regulation, cloud transformation, and artificial intelligence. 

Together, these forces are reshaping how organisations operate technology. Regulatory frameworks increasingly require demonstrable operational control. Cloud-first strategies are creating highly dynamic and distributed technology estates. At the same time, AI-driven automation depends on accurate and trusted data. All three trends point to the same conclusion: organisations need an accurate view of their services, dependencies, ownership, and operational responsibilities. 

Regulatory pressure: from policy to proof 

On the regulatory side, the Digital Operational Resilience Act (DORA) has moved expectations from highlevel policy statements to operational proof. Financial institutions are required to identify and maintain inventories of ICT assets, map configurations and interdependencies, and update that information after major changes. 

Regulators increasingly expect organisations to demonstrate, not merely assert, that they understand what runs their critical services and how failures propagate. A CMDB that captures assets, relationships, ownership, and criticality is no longer optional; it is one of the most practical ways to evidence operational control and resilience. 

Supporting cloud hosting and operational governance 

Cloud adoption does not eliminate the need for operational governance; it changes where governance must be applied. 

In cloud environments, infrastructure can be created, modified, and removed within minutes. Teams may deploy hundreds of services across multiple environments and regions, often using automated pipelines. While this increases agility, it also increases the risk of unclear ownership, unmanaged dependencies, inconsistent controls, and resilience gaps. 

A well-governed CMDB helps address these challenges by linking cloud-hosted resources to accountable owners, business services, support models, and operational controls. This enables organisations to understand which cloud resources support critical business functions, assess the impact of outages or planned changes, and demonstrate compliance with resilience and regulatory requirements. 

For product teams and service owners, the CMDB can also provide practical value by driving support routing, operational ownership, governance workflows, access management, and cloud control policies. When CMDB data directly enables day-to-day operational processes, maintaining accurate information becomes part of normal delivery activities rather than an administrative burden.  

The relationship between CMDB and change management has also evolved

Historically, CMDB initiatives were often tightly coupled with traditional change-management processes. In modern cloud and DevOps environments, however, change management increasingly becomes automated and policy driven. Controls are embedded directly into delivery pipelines through testing, security scanning, approval gates, deployment policies, and operational guardrails. 

The CMDB remains essential, but its role is different. It is not the place where change management is executed. Instead, it provides the reference model that enables impact analysis, dependency understanding, risk assessment, operational decision-making, and auditability. In this way, the CMDB supports modern delivery practices without slowing them down. 

The CMDB also plays an important role during cloud migration programmes. By providing visibility of application dependencies, ownership, and business criticality, it helps organisations identify migration candidates, assess migration risk, and avoid moving services without understanding the systems that support them. As organisations progressively retire legacy infrastructure and expand their cloud footprint, the CMDB provides continuity of view across both environments. 

AI adoption: automation amplifies reality 

At the same time, organisations are accelerating AI adoption across IT operations. AIOps platforms, intelligent change analysis, automated incident routing, and selfhealing workflows all depend on accurate, shared data. 

AI does not compensate for weak foundations. If configuration data is incomplete, outdated, or lacks business context, automation will confidently make the wrong decisions; faster. In practice, AI amplifies either control or chaos. Without a trustworthy CMDB, organisations risk scaling operational failures instead of efficiency. 

Why so many CMDB initiatives failed 

This resurgence of CMDB importance often meets scepticism. After all, CMDB has existed for more than twenty years, and industry analysts such as Gartner and practitioners cited by Atlassian and Forbes have repeatedly observed that a clear majority of CMDB initiatives, often estimated at well over half, failed to deliver sustained business value. 

(Sources: Gartner, as cited in Tideline Insights, Break the CMDB Failure Cycle With a Service Asset and Configuration Management Program; Atlassian, 7 Practical Ways to Avoid CMDB Failure, December 2020; Forbes (SungardAS BrandVoice), Why 85% of Companies Fail at Creating a CMDB, October 2014.) 

The reason was not that the concept itself was flawed, but that execution focused on deploying tools rather than establishing governance, ownership, and integration into daytoday operations. Typical failure patterns include unclear accountability, overambitious scope, manual and unsustainable maintenance, poor data quality, and weak integration into incident and change workflows. 

Executives recognise the symptoms immediately: changes feel inherently risky, incidents take too long to resolve, automation initiatives stall, and no one can confidently explain what actually supports a given business service. 

What works today: the minimum viable CMDB 

What works today is a different approach: a minimum viable CMDB. Rather than attempting to model every component of the technology estate, organisations focus first on business-critical services and the applications, platforms, and infrastructure that support them.  

Each configuration item has a clear owner, a lifecycle state, and an agreed criticality level. 

Modern CMDBs no longer rely primarily on manual updates or periodic discovery scans. Instead, they are continuously updated through automated integrations with cloud platforms, infrastructure-as-code repositories, CI/CD pipelines, container platforms, and deployment tooling. 

The role of governance therefore shifts. Rather than maintaining technical inventory records manually, organisations focus on preserving the business context that technology platforms cannot determine themselves: ownership, service relationships, criticality, lifecycle status, resilience requirements, and accountability. 

In this model, the CMDB becomes a trusted system of record that complements engineering tooling rather than competing with it. 

Tangible outcomes, not promises 

When done well, the outcomes are tangible not only for leadership, auditors, and regulators, but also for product owners, engineering teams, platform teams, and operations staff who rely on the data every day. 

Operations teams gain faster impact analysis and incident triage, allowing incidents to be resolved faster because impact is known, not debated. Changes become safer because hidden dependencies are visible. Security and compliance teams gain stronger traceability and evidence. Leadership gains a clearer picture of critical services, resilience exposure, operational risk, and cloud dependencies. Accountability is clearer, and automation finally delivers value—not through promises, but through realistic gains enabled by better visibility and trust in the underlying data. 

Figure 2: Iterative implementation approach 


*2025 figures are based on data available up to Q3 and therefore understate the full-year investment flows.Source: EIOPA  

A manageable change with high return 

The core message is simple and timely: Today, a CMDB isn’t an IT inventory. It is the operational source of truth that makes digital transformation governable and makes AI safe to deploy at scale. 

Importantly, getting there does not require a large, risky transformation. A modern CMDB is built incrementally, through a minimum viable approach that can be broken down into small, manageable work packages and improved step by step. Rather than disrupting operations, organisations evolve their CMDB sequentially, focusing first on what matters most and expanding only as value is proven. 

Cost is often the second concern, but here the economics are equally clear. While a CMDB initiative requires disciplined investment, its returns tend to be disproportionately high because it directly reduces incident duration, change related outages, audit remediation effort, and manual work. 

For leaders unsure where to start, a focused CMDB health check and maturity scorecard, anchored on three concrete use cases (incident impact analysis, change risk assessment, and resilience reporting), is often enough to expose gaps, prioritise actions, and build momentum. In practice, this creates a virtuous cycle: limited upfront investment, visible operational gains, and growing confidence to scale what works. 

The strategic choice ahead 

In a world of accelerating change, tightening regulation, and expanding AI adoption, organisations that fix their CMDB foundations will scale with confidence. Those that do not will simply scale risk. 

In cloud-native, AI-enabled organisations, the question is no longer whether a CMDB is needed. The question is whether it can be trusted.


Frequently Asked Questions:
  1. What is a CMDB and why is it important?

A Configuration Management Database (CMDB) is a central source of information about an organisation’s IT assets, services, dependencies, and ownership. When maintained correctly, it helps organisations improve incident response, understand operational risks, support regulatory compliance, and enable automation initiatives such as AIOps and AI-driven operations. 

  1. How does a CMDB support DORA compliance?

A CMDB helps organisations maintain accurate inventories of ICT assets, document dependencies between systems, identify owners of critical services, and demonstrate operational control. These capabilities support several key requirements of the Digital Operational Resilience Act (DORA), particularly around resilience, governance, and evidence of operational oversight. 

  1. Why is a trusted CMDB essential for AI and cloud operations?

AI-powered operations and cloud environments rely on accurate, up-to-date data. A trusted CMDB provides the visibility and business context needed for impact analysis, automated decision-making, incident management, and governance. Without reliable configuration data, organisations risk automating errors rather than improving efficiency. 


Helena Mund, Manager in IT Strategy Advisory, PwC Luxembourg

AI, cloud, and regulation are not replacing the need for a CMDB. They are proving why it must be trusted, alive, and embedded in daily operations. In a world where automation scales every decision, the quality of your CMDB determines whether you scale control or uncertainty.

Successful digital transformation starts with knowing what you have, how it is connected, and who owns it. That is exactly what a trusted CMDB provides.

Balázs Zseli, Manager in IT Strategy Advisory, PwC Luxembourg

Did this blog add value for you?

Let us know with a quick rating!

Average rating 5 / 5. Vote count: 4

No votes so far! Be the first to rate this post.

We’re sorry this blog didn’t meet your expectations.

Let us know how we can improve.

Back to Top